none
Disable SSL Verification RRS feed

  • Question

  • Hi

     I am trying to use Azure CLI behind a corporate firewall.

     I am using a tool proxifier so that the Azure CLI would connect through proxy server.

    But the it is still getting an SSL verification error.

    PS C:\Windows\system32> set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1

    PS C:\Windows\system32> az login
    Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
    You have logged in. Now let us find all the subscriptions to which you have access...
    request failed: Error occurred in request., SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

    My question is how can I either

    1) turn off the SSL verification

    or 2) register the corporate certificate

    Thanks



    Wednesday, July 31, 2019 2:16 AM

Answers

  • Hello Jay,

    Yes. Please check out this link I shared above for the file specifications and guidance on adding a client certificate to Azure CLI files.

    • Marked as answer by jay565 Monday, August 12, 2019 8:55 AM
    Thursday, August 1, 2019 12:13 AM
    Moderator
  • Hello Jay,

    Just following up to check if the above resources were of help. Please let us know if not and we can explore further.

    Thanks!

    • Marked as answer by jay565 Monday, August 12, 2019 8:55 AM
    Tuesday, August 6, 2019 9:11 AM
    Moderator

All replies

  • Hello Jay,

    You could set the HTTP_PROXY and HTTPS_PROXY variables before running az login. This blog explains how one can use Azure CLI 2.0 behind a proxy server. Here are some additional resources that might be of help:

    Hope this helps!

    Wednesday, July 31, 2019 5:14 AM
    Moderator
  • Hi

    I didn't execute the tool proxifier and ran the following code that returned an error.

    PS C:\Users\SDS> set  HTTP_PROXY="*12.1.35.14:8181"
    PS C:\Users\SDS> set  HTTPS_PROXY="12.1.35.14:8181"
    PS C:\Users\SDS> set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
    PS C:\Users\SDS> az login
    Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
    You have logged in. Now let us find all the subscriptions to which you have access...
    request failed: Error occurred in request., ConnectionError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x05FF15D0>: Failed to establish a new connection: [WinError 10060] 연결된 구성원으로부터  응답이 없어 연결하지 못했거나, 호스트로부터 응답이 없어 연결이 끊어졌습니다',))

    Thanks


    • Edited by jay565 Wednesday, July 31, 2019 10:51 PM
    Wednesday, July 31, 2019 10:50 PM
  • I turned on Proxifier and got the following results

    PS C:\Users\SDS> az login
    Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
    You have logged in. Now let us find all the subscriptions to which you have access...
    request failed: Error occurred in request., SSLError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /tenants?api-version=2016-06-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

    In the Proxifier log, I can see that a python app is being executed. 

    Is there a way to register the corporate SSL certificate with that Python.exe, which is part of the Azure CLI?

    [08.01 08:00:57] python.exe - login.microsoftonline.com:443 open through proxy 70.10.15.10:8080 HTTPS
    [08.01 08:00:58] python.exe - login.microsoftonline.com:443 close, 2290 bytes (2.23 KB) sent, 8976 bytes (8.76 KB) received, lifetime 00:01
    [08.01 08:00:58] python.exe - management.azure.com:443 open through proxy 70.10.15.10:8080 HTTPS
    [08.01 08:00:58] python.exe - management.azure.com:443 close, 365 bytes sent, 1053 bytes (1.02 KB) received, lifetime <1 sec
    [08.01 08:00:58] python.exe - management.azure.com:443 open through proxy 70.10.15.10:8080 HTTPS
    [08.01 08:00:58] python.exe - management.azure.com:443 close, 365 bytes sent, 1053 bytes (1.02 KB) received, lifetime <1 sec
    [08.01 08:01:00] python.exe - management.azure.com:443 open through proxy 70.10.15.10:8080 HTTPS
    [08.01 08:01:00] python.exe - management.azure.com:443 close, 365 bytes sent, 1053 bytes (1.02 KB) received, lifetime <1 sec
    [08.01 08:01:03] python.exe - management.azure.com:443 open through proxy 70.10.15.10:8080 HTTPS
    [08.01 08:01:03] python.exe - management.azure.com:443 close, 365 bytes sent, 1053 bytes (1.02 KB) received, lifetime <1 sec


    • Edited by jay565 Wednesday, July 31, 2019 11:39 PM
    Wednesday, July 31, 2019 11:07 PM
  • Hi

    I noticed the following file

    C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem

    Should I add the certificate to this file?

    Thanks

    Jae Kim

    Wednesday, July 31, 2019 11:47 PM
  • Hello Jay,

    Yes. Please check out this link I shared above for the file specifications and guidance on adding a client certificate to Azure CLI files.

    • Marked as answer by jay565 Monday, August 12, 2019 8:55 AM
    Thursday, August 1, 2019 12:13 AM
    Moderator
  • Hello Jay,

    Just following up to check if the above resources were of help. Please let us know if not and we can explore further.

    Thanks!

    • Marked as answer by jay565 Monday, August 12, 2019 8:55 AM
    Tuesday, August 6, 2019 9:11 AM
    Moderator