The Azure CLI is a useful tool for managing various aspects of Azure. If your company uses a proxy service, it might replace the root and intermediate certificates for HTTPS web traffic. When this happens, the Azure CLI might give an error similar to this one:
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host=’login.microsoftonline.com’, port=443): Max retries exceeded with url: /common/oauth2/devicecode?api-version=1.0 (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,),))
Obtain the Root and Intermediate Certificates
First you need to get a base-64 copy of the root and intermediate certificates. Depending on the certificates, you might need one or both.
- Open Chrome Dev Tools
- Click Security tab
- Click View Certificate button
- On the Certification Path tab, click the highest node in the tree
- Click View Certificate
- On the Details tab, click the Copy to File button
- Make sure to select Base-64 encoded X.509 (.CER)
- Save the file somewhere on your drive (ex. C:\certs\my_root.cer)
- If there’s an intermediate certificate (the second highest node in the tree), do the same steps above and save it with a name like my_intermediate.cer
Option 1: Fix Azure CLI Error Self-Signed Certificate
Some people have had success by running these commands:
- Run the command set REQUESTS_CA_BUNDLE=C:\certs\my_root.cer from a command prompt
- Run the command set REQUESTS_CA_BUNDLE=C:\certs\my_intermediate.cer from a command prompt if necessary
- Run the command echo %REQUESTS_CA_BUNDLE% to verify it set correctly
Option 2: Fix Azure CLI Error Self-Signed Certificate
If option 1 doesn’t work, then you’ll need local admin permissions on your workstation to perform the following steps.
- Open Notepad with Administrative Rights
- File > Open and navigate to: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
- Open your my_root.cer file in another Notepad and copy the entire contents
- Paste the certificate to the bottom of the cacert.pem file
- Open your my_intermediate.cer file in another Notepad and copy the entire contents if necessary
- Paste the certificate to the bottom of the cacert.pem file