
az bicep install fails

Open dean-azure opened this issue 2 years ago • 12 comments

Describe the bug

I'm still getting the error on this closed issue

https://github.com/jiasli/azure-notes/blob/master/cli/proxy-cert-win.md

I followed the directions from that bug

https://github.com/Azure/azure-cli/issues/25471#issuecomment-1432567050

But I still cannot get bicep to install locally and we are not using any proxy servers of any kind. My co-workers are able to execute

az bicep install

without issue. I am able to install using the same on my personal laptop but on my work laptop where I need it most, I continue to get the error

az bicep install
Error while attempting to retrieve the latest Bicep version: HTTPSConnectionPool(host='aka.ms', port=443): Max retries exceeded with url: /BicepLatestRelease (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)'))).

Related command

az bicep install

Errors

Error while attempting to retrieve the latest Bicep version: HTTPSConnectionPool(host='aka.ms', port=443): Max retries exceeded with url: /BicepLatestRelease (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)'))).

Issue script & Debug output

Error while attempting to retrieve the latest Bicep version: HTTPSConnectionPool(host='aka.ms', port=443): Max retries exceeded with url: /BicepLatestRelease (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)'))).

Expected behavior

Install bicep

Environment Summary

azure-cli 2.55.0

core 2.55.0 telemetry 1.1.0

Dependencies: msal 1.24.0b2 azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users[OMITTED].azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:38:34) [MSC v.1936 64 bit (AMD64)]

Additional context

No response

dean-azure avatar Dec 16 '23 00:12 dean-azure

Hi @dean-azure Find similar issue https://github.com/Azure/azure-cli/issues/19571.

Issue title: az login fails with "certificate verify failed: unable to get local issuer certificate"
Create time: 2021-09-15
Comment number: 3

Please confirm if this resolves your issue.

Thank you for opening this issue, we will look into it.

yonzhan avatar Dec 16 '23 00:12 yonzhan

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @josephkwchan, @jennyhunter-msft.

The link you attached https://github.com/Azure/azure-cli/issues/28044#issuecomment-1858643774 is a potential workaround for a proxy server. But there is no proxy in use.

I can run the same command on my personal laptop on the same network without issue.

My coworkers can run the same on their work machines which should be configured the same as mine.

dean-azure avatar Dec 16 '23 00:12 dean-azure

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.

@dean-azure do you get any errors if you open https://aka.ms/BicepLatestRelease in a browser on the same machine?

anthony-c-martin avatar Dec 18 '23 20:12 anthony-c-martin

> @dean-azure do you get any errors if you open https://aka.ms/BicepLatestRelease in a browser on the same machine?

That file is called latest with no extension. I'm not sure what that is nor if I should trust it.

dean-azure avatar Dec 18 '23 21:12 dean-azure

> > @dean-azure do you get any errors if you open https://aka.ms/BicepLatestRelease in a browser on the same machine?

> That file is called latest with no extension. I'm not sure what that is nor if I should trust it.

The contents don't matter - you can delete it. I was trying to rule out a general problem accessing aka.ms on your machine. For example, if there was a DNS issue, I'd expect to have seen something like https://superuser.com/questions/1083766/how-do-i-deal-with-neterr-cert-authority-invalid-in-chrome.

anthony-c-martin avatar Dec 18 '23 21:12 anthony-c-martin

> > > @dean-azure do you get any errors if you open https://aka.ms/BicepLatestRelease in a browser on the same machine?

> > That file is called latest with no extension. I'm not sure what that is nor if I should trust it.

> The contents don't matter - you can delete it. I was trying to rule out a general problem accessing aka.ms on your machine. For example, if there was a DNS issue, I'd expect to have seen something like https://superuser.com/questions/1083766/how-do-i-deal-with-neterr-cert-authority-invalid-in-chrome.

Just to be clear: other coworkers, whether working in the office or remotely, do not have this issue. My personal laptop sitting on the same at-home network does not have this issue.

Is there any update? I tried again today and am still unable, with the same error:

Error while attempting to retrieve the latest Bicep version: HTTPSConnectionPool(host='aka.ms', port=443): Max retries exceeded with url: /BicepLatestRelease (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)'))).

dean-azure avatar Feb 21 '24 20:02 dean-azure

@zhoxing-ms since you reviewed #20183 - any ideas on what the problem could be here, or how to troubleshoot further?

Seems like there are quite a few open issues that are possibly related: https://github.com/search?q=repo%3AAzure%2Fazure-cli+CERTIFICATE_VERIFY_FAILED&type=issues

anthony-c-martin avatar Feb 21 '24 21:02 anthony-c-martin

> @zhoxing-ms since you reviewed #20183 - any ideas on what the problem could be here, or how to troubleshoot further?

> Seems like there are quite a few open issues that are possibly related: https://github.com/search?q=repo%3AAzure%2Fazure-cli+CERTIFICATE_VERIFY_FAILED&type=issues

Are there diagnostics I can provide to help diagnose? I'm at a loss at this point.

dean-azure avatar Feb 22 '24 07:02 dean-azure

I have done quite a bit of troubleshooting to resolve this same error. I am on my personal Windows 11 machine with no proxy at home.

which bicep
C:\Users\sjhar\AppData\Local\Programs\Bicep CLI\bicep.EXE

which az
C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az

bicep -v
Bicep CLI version 0.25.53 (c0ad57dff6)

az bicep version
Bicep CLI not found. Install it now by running "az bicep install".

az bicep install --debug
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/resource/_bicep.py", line 135, in ensure_bicep_installation
  File "urllib\request.py", line 216, in urlopen
  File "urllib\request.py", line 519, in open
    for processor in self.process_response.get(protocol, []):
    ^^^^^^^^^^^^^^^^^^^^^
  File "urllib\request.py", line 536, in _open
  File "urllib\request.py", line 496, in _call_chain
    def open(self, fullurl, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT):
    ^^^^^^^^^^^
  File "urllib\request.py", line 1391, in https_open
    def https_open(self, req):
    ^^^^^^^^^^^^^^^
  File "urllib\request.py", line 1317, in do_open
    headers.update({k: v for k, v in req.headers.items()
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "http\client.py", line 1433, in __init__
    else:
  File "ssl.py", line 775, in create_default_context
    # Used by http.client if no context is explicitly passed.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "ssl.py", line 596, in load_default_certs
    conn
  File "ssl.py", line 588, in _load_windows_store_certs
    Due to technical limitations, the callback can't be used to filter
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ssl.SSLError: [X509V3: INVALID_CERTIFICATE] invalid certificate (_ssl.c:4035)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 729, in _run_jobs_serially
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 698, in _run_job
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/resource/custom.py", line 4453, in install_bicep_cli
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/resource/_bicep.py", line 154, in ensure_bicep_installation
azure.cli.core.azclierror.ClientRequestError: Error while attempting to download Bicep CLI: [X509V3: INVALID_CERTIFICATE] invalid certificate (_ssl.c:4035)

cli.azure.cli.core.azclierror: Error while attempting to download Bicep CLI: [X509V3: INVALID_CERTIFICATE] invalid certificate (_ssl.c:4035)
az_command_data_logger: Error while attempting to download Bicep CLI: [X509V3: INVALID_CERTIFICATE] invalid certificate (_ssl.c:4035)
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000024EC3A8ACA0>]
cli.main: Command ran in 1.550 seconds (init: 0.270, invoke: 1.280)

I don't know where all that D:\a_work stuff is coming from. I don't have an a directory in my D drive. Maybe it is created and deleted just as quickly.

Anyway, I have noticed that api.github.com uses a wildcard certificate *.github.com and was thinking that perhaps that has something to do with this. I get a very similar error when trying to run az aks install. I have imported several certificates that are for URLs referenced in the "latest" file that gets downloaded from https://downloads.bicep.azure.com/releases/latest when the az bicep install command is run. If you open that file with Notepad++ you will see that it is an XML file. The following hosts are listed in that file:

  • api.github.com
  • uploads.github.com
  • github.com
  • avatars.githubusercontent.com

I thought that perhaps the certificate chain for one of those might not be trusted, so I imported the intermediate and root certs for those sites into the computer certificate stores. I also thought that perhaps the certificate that signed the Azure.Bicep.CommandLine.Win-64.0.25.53.nupkg file wasn't trusted, so I looked into that. It turns out that file isn't signed, so that's not the issue.

I also had earlier installed python using choco and also using the python installer. I uninstalled all of those and also deleted the alias file in ~\AppData\Local\Microsoft\WindowsApps because of course that is just a link to the MS Store.

I have still not found a solution to this yet. I hope someone does soon though.

sjharper79 avatar Feb 26 '24 16:02 sjharper79
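The traceback in the comment above fails inside Python's `ssl.py` while it loads the Windows certificate stores (`load_default_certs` calling `_load_windows_store_certs`), before any connection is made. The following diagnostic is an added example, not part of the thread or of azure-cli: it loads each store entry into its own context, applying the same filter `ssl.py` uses, and reports the thumbprints OpenSSL rejects. The function names and the report format are assumptions made for this sketch.

```python
import hashlib
import ssl

SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid  # "1.3.6.1.5.5.7.3.1"
WINDOWS_STORES = ("CA", "ROOT")  # the stores ssl.load_default_certs() reads on Windows


def would_be_loaded(encoding, trust):
    """Filter used by ssl.py: X.509 DER only, trusted for all uses or for server auth."""
    return encoding == "x509_asn" and (trust is True or SERVER_AUTH_OID in trust)


def find_unloadable(entries):
    """Load each entry into its own context; return the ones OpenSSL rejects.

    entries: iterable of (der_bytes, encoding, trust), as ssl.enum_certificates() yields.
    """
    rejected = []
    for der, encoding, trust in entries:
        if not would_be_loaded(encoding, trust):
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cadata=der)
        except ssl.SSLError as exc:
            rejected.append({
                # SHA-1 of the DER bytes is what the Windows certificate UI shows as Thumbprint
                "sha1": hashlib.sha1(der).hexdigest().upper(),
                "size": len(der),
                "error": str(exc),
            })
    return rejected


def scan_windows_stores():
    """Check the real stores; ssl.enum_certificates exists only on Windows."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    return {name: find_unloadable(ssl.enum_certificates(name)) for name in WINDOWS_STORES}


if __name__ == "__main__":
    for store, bad in scan_windows_stores().items():
        for item in bad:
            print(f"{store}: thumbprint {item['sha1']} ({item['size']} bytes): {item['error']}")
```

Run it with the interpreter listed under "Python location" in `az --version` so the same OpenSSL build does the parsing; a reported thumbprint can then be looked up in the machine and user certificate stores.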