I am using Azure CLI in bash within PowerShell in Windows 10. I sit behind a corporate proxy. My goal is to automate the deployment and setup of Azure resources.
Some of
Because you are using Windows, not Linux or macOS, please try to use set instead of export to set the environment variables in PowerShell, as below, then run the Azure CLI command for Key Vault again.
set ADAL_PYTHON_SSL_NO_VERIFY=1
set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
As for the command export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt on Linux, I think you can refer to the SuperUser thread https://superuser.com/questions/217719/what-are-the-windows-system-certificate-stores to run a PowerShell window as administrator (right-click the PowerShell shortcut and select Run as administrator).
However, as you mentioned bash within PowerShell, it sounds like you opened a bash shell session of Windows Subsystem for Linux or something like Git Bash from the PS: prompt. That description is too vague for me to understand your operations, so please post more details about it. I also don't think it's good practice to nest bash inside PowerShell.
I've updated this with my comment from https://github.com/Azure/azure-cli/issues/5099
@rzand's process was the only one that worked for me. I'll expand on his solution, though, as there were extra steps required. All from elevated shells:
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python" -m pip install --upgrade pip
"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python36_64\Scripts\pip" install python-certifi-win32
cacert.pem
exported from the downloaded certificate. I specifically needed "Microsoft IT TLS CA 5" and the "Baltimore CyberTrust Root" from that cert. Simply open the certs in a text editor and append the contents to the bottom of C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
setx /m REQUESTS_CA_BUNDLE "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
$env:REQUESTS_CA_BUNDLE="C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
FINALLY no errors. I can even retrieve Key Vault secrets
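The append step described in the answer above, as an added example that is not part of the original answers: a Python sketch that merges exported proxy CA certificates into the text of a certifi bundle, skipping certificates already present and rejecting input that contains no certificate block. The function names and the sample blobs are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM text."""
    ders = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate is a DER SEQUENCE, so it starts with 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError("block is not a DER-encoded certificate")
        ders.append(der)
    return ders


def to_pem(der):
    """Encode DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def merge_bundle(bundle_pem, extra_pem):
    """Append certificates from extra_pem that bundle_pem lacks.

    Returns (merged_text, number_added); running it twice adds nothing new.
    """
    seen = {hashlib.sha256(d).digest() for d in pem_blocks(bundle_pem)}
    extra = pem_blocks(extra_pem)
    if not extra:
        raise ValueError("no CERTIFICATE block found in the export")
    merged, added = bundle_pem.rstrip("\n") + "\n", 0
    for der in extra:
        digest = hashlib.sha256(der).digest()
        if digest not in seen:
            seen.add(digest)
            merged += to_pem(der)
            added += 1
    return merged, added


# Constructed placeholder DER blobs for the example, not real certificates.
SAMPLE_CA_A = to_pem(b"\x30\x03\x02\x01\x01")
SAMPLE_CA_B = to_pem(b"\x30\x03\x02\x01\x02")
```

Writing the merged text to a separate file and pointing REQUESTS_CA_BUNDLE at it keeps certificate verification enabled and avoids losing the additions when a certifi upgrade replaces cacert.pem.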
Running just the two commands below fixed the issue for me:
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python" -m pip install --upgrade pip
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Scripts\pip" install python-certifi-win32
In my case the issue was seen due to invoking an Azure CLI command behind a company proxy.
Having contacted the Azure CLI team, it appears there is a bug that affects keyvault commands that are run behind a proxy.
Refer to the following GitHub issue that I created with an in-depth explanation of the issue (and a potential workaround):
AZURE_CLI_DISABLE_CONNECTION_VERIFICATION does not have any effect for SSL verification
The above issue is also linked to the following, which appears to be a duplicate:
Az keyvault secret list --vault_name thru proxy is getting Proxy Authentication Required
It is also worth mentioning that this issue happens regardless of the platform the Azure CLI is running on, so it is not an environmental issue or a problem when setting environment variables.