
[Core] Add truststore library so System certificates are trusted automatically #30468

Open
wants to merge 1 commit into
base: dev

Conversation

@timja timja commented Dec 5, 2024

Related command

core

Description

Fixes #28050
Fixes #26456
Fixes #29948

Testing Guide

Run az commands when behind a MitM proxy with the certificates in a trusted OS store and without setting the REQUESTS_CA_BUNDLE environment value

e.g. I've been using:

az rest --uri $STORAGE_ACCOUNT

Before:

HTTPSConnectionPool(host='***.web.core.windows.net', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1000)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

After:

The requested content does not exist.(<!DOCTYPE html><html><head><title>WebContentNotFound</title></head><body><h1>The requested content does not exist.</h1><p><ul><li>HttpStatusCode: 404</li><li>ErrorCode: WebContentNotFound</li><li>RequestId : 8465eefc-801e-00b6-01fa-464419000000</li><li>TimeStamp : 2024-12-05T09:47:28.0584286Z</li></ul></p></body></html>)

History Notes

[Core] Add truststore library so System certificates are trusted automatically
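As an added example of the mechanism this PR relies on (not the PR's own code, and not how Azure CLI is implemented): a requests adapter that hands a truststore SSLContext to urllib3, mounted on the whole `https://` prefix, with a stdlib fallback for Python 3.9 where truststore is unavailable. The names `build_ssl_context`, `SystemTrustAdapter` and `make_session` are mine.

```python
"""Trust the OS certificate store from a requests Session (added example).

truststore (Python 3.10+) builds an SSLContext that asks the OS trust store
(Windows CryptoAPI, macOS Security.framework, OpenSSL's system CAs on Linux)
to verify peer certificates instead of certifi's bundled list. That is what
lets an intercepting proxy's CA, once installed in the OS store, be trusted
without REQUESTS_CA_BUNDLE. On Python 3.9 truststore cannot be installed,
so this falls back to the stdlib default context and reports which backend
is active. Verification is never relaxed in either branch.
"""
import ssl

import requests
from requests.adapters import HTTPAdapter

try:
    import truststore  # assumption: only importable on Python >= 3.10
    _HAVE_TRUSTSTORE = True
except ImportError:
    _HAVE_TRUSTSTORE = False


def build_ssl_context() -> tuple:
    """Return (context, backend_name); refuses to hand back a non-verifying context."""
    if _HAVE_TRUSTSTORE:
        ctx, backend = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT), "truststore"
    else:
        ctx, backend = ssl.create_default_context(), "certifi/stdlib"
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification must stay enabled")
    return ctx, backend


class SystemTrustAdapter(HTTPAdapter):
    """HTTPAdapter that passes our SSLContext into urllib3's connection pool."""

    def __init__(self, ssl_context, **kwargs):
        # Must be set before super().__init__, which calls init_poolmanager().
        self._ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
        pool_kwargs["ssl_context"] = self._ssl_context
        return super().init_poolmanager(connections, maxsize, block=block, **pool_kwargs)


def make_session() -> requests.Session:
    """Mount on the 'https://' prefix so every HTTPS host, not one URL, uses it."""
    ctx, _backend = build_ssl_context()
    session = requests.Session()
    session.mount("https://", SystemTrustAdapter(ctx))
    return session
```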




yonzhan commented Dec 5, 2024

Thank you for your contribution! We will review the pull request and get back to you soon.


github-actions bot commented Dec 5, 2024

⚠️Your changes in this PR will be released on Jan 14, 2025 due to CCOA (extend to Jan 6, 2025)

Thank you for your contribution timja! We will review the pull request and get back to you soon.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Core CLI core infrastructure labels Dec 5, 2024
@FumingZhang

This seems to be a proper way to handle CA cert verification failure, but the newly added lib truststore requires Python 3.10+, while azure-cli still supports Python 3.9, cc @jiasli

@@ -1027,6 +1028,7 @@ def send_raw_request(cli_ctx, method, url, headers=None, uri_parameters=None, #

# https://requests.readthedocs.io/en/latest/user/advanced/#prepared-requests
s = Session()
s.mount(url, SSLContextAdapter())
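Review bot: `s.mount(url, SSLContextAdapter())` registers the adapter under the full request URL as its prefix, so only requests whose URL starts with that exact string get the system-trust context; a redirect to another host, or any other use of the session, falls back to the default adapter and the bundled CA list. Mounting on `"https://"` would cover the whole session. The hunk also references `SSLContextAdapter` without its definition or import in the visible lines (the header's shift from 1027 to 1028 suggests a one-line import added above); confirm it is defined in this module and documented, since it changes which CA set `az rest` verifies against.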
@jiasli jiasli Dec 19, 2024


Applying SSLContextAdapter in send_raw_request() will only affect az rest. All other commands that use Azure Python SDK will not benefit from this change. MSAL is not affected either.

There is a similar feature request AzureAD/microsoft-authentication-library-for-python#685 for supporting using certificates from system certificate store for service principal authentication.

jiasli commented Dec 19, 2024

Thanks for the contribution, but we currently don't have a plan to support system certificate store (#19305).
