Error when executing az aks install-cli on an out-of-the-box Windows Server 2022 VM in Azure #27863

Open
evmimagina opened this issue Nov 16, 2023 · 6 comments
Labels
AKS az aks/acs/openshift Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. Possible-Solution question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team. Similar-Issue


@evmimagina

Describe the bug

When trying to install kubectl and kubelogin using the "az aks install-cli" command, I get an error.

Brand-new VM server installed using the following specs:

  vm_os_publisher = "MicrosoftWindowsServer"
  vm_os_offer = "WindowsServer"
  vm_os_sku = "2022-datacenter-azure-edition-hotpatch"
  vm_size = "Standard_B2s"

The install of "az cli" is done in an unattended manner with the following command:

powershell -c "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"

I can do "az login" and "az aks get-credentials" without problems.

Related command

az aks install-cli

Errors

The command failed with an unexpected error. Here is the traceback:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>
Traceback (most recent call last):
File "urllib\request.py", line 1348, in do_open
File "http\client.py", line 1286, in request
File "http\client.py", line 1332, in _send_request
File "http\client.py", line 1281, in endheaders
File "http\client.py", line 1041, in _send_output
File "http\client.py", line 979, in send
File "http\client.py", line 1458, in connect
File "ssl.py", line 517, in wrap_socket
File "ssl.py", line 1108, in _create
File "ssl.py", line 1379, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1596, in k8s_install_cli
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1740, in k8s_install_kubectl
File "urllib\request.py", line 216, in urlopen
File "urllib\request.py", line 519, in open
File "urllib\request.py", line 536, in _open
File "urllib\request.py", line 496, in _call_chain
File "urllib\request.py", line 1391, in https_open
File "urllib\request.py", line 1351, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues

Issue script & Debug output

cli.knack.cli: Command arguments: ['aks', 'install-cli', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0176E7A8>, <function OutputProducer.on_global_arguments at 0x01A97898>, <function CLIQuery.on_global_arguments at 0x01AB9668>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'aks': ['azure.cli.command_modules.acs']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: acs 0.120 7 54
cli.azure.cli.core: Total (1) 0.120 7 54
cli.azure.cli.core: Loaded 7 groups, 54 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : aks install-cli
cli.azure.cli.core: Command table: aks install-cli
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03B7BA78>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\localadmin.azure\commands\2023-11-16.18-00-46.aks_install-cli.6236.log'.
az_command_data_logger: command args: aks install-cli --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03B8A6B8>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03BA5B68>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03BB4DE8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01A978E8>, <function CLIQuery.handle_query_parameter at 0x01AB96B8>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03BB4D98>]
cli.azure.cli.command_modules.acs.custom: The detected architecture of current device is "amd64", and the binary for "amd64" will be downloaded. If the detection is wrong, please download and install the binary corresponding to the appropriate architecture.
cli.azure.cli.command_modules.acs.custom: No version specified, will get the latest version of kubectl from "https://storage.googleapis.com/kubernetes-release/release/stable.txt"
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "urllib\request.py", line 1348, in do_open
File "http\client.py", line 1286, in request
File "http\client.py", line 1332, in _send_request
File "http\client.py", line 1281, in endheaders
File "http\client.py", line 1041, in _send_output
File "http\client.py", line 979, in send
File "http\client.py", line 1458, in connect
File "ssl.py", line 517, in wrap_socket
File "ssl.py", line 1108, in _create
File "ssl.py", line 1379, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1596, in k8s_install_cli
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/acs/custom.py", line 1740, in k8s_install_kubectl
File "urllib\request.py", line 216, in urlopen
File "urllib\request.py", line 519, in open
File "urllib\request.py", line 536, in _open
File "urllib\request.py", line 496, in _call_chain
File "urllib\request.py", line 1391, in https_open
File "urllib\request.py", line 1351, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>

cli.azure.cli.core.azclierror: The command failed with an unexpected error. Here is the traceback:
az_command_data_logger: The command failed with an unexpected error. Here is the traceback:
cli.azure.cli.core.azclierror: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>
az_command_data_logger: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)>
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03B7BBB8>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.469 seconds (init: 0.634, invoke: 0.835)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 7055 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\localadmin.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Install kubernetes CLI without any problems and without any workarounds??

Environment Summary

azure-cli 2.54.0

core 2.54.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\localadmin.azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:21:31) [MSC v.1936 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

In my opinion this is a bug but... could it be related to the server base image I'm using? I hope you can help me to fix this.

Many thanks,

@evmimagina evmimagina added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 16, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. AKS az aks/acs/openshift Service Attention This issue is responsible by Azure service team. Auto-Assign Auto assign by bot Account az login/account labels Nov 16, 2023

Hi @evmimagina
Find similar issue #11555.

Issue title AKS cli install - SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:841)
Create time 2019-12-11
Comment number 4

Possible solution:
I suggest you upgrade your Azure CLI tool and retry the command. If the issue still persists, you can try to add the following environment variable to your system:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

This should point to the location of the ca-certificates.crt file on your system. If you are using a Windows system, you can try setting the environment variable using the following command:

set SSL_CERT_FILE=C:\path\to\ca-certificates.crt

After setting the environment variable, retry the command and see if the issue is resolved.


Please confirm if this resolves your issue.

@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 16, 2023
@yonzhan
Collaborator

yonzhan commented Nov 16, 2023

Thank you for opening this issue, we will look into it.

Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dyu1208, @FumingZhang, @andyliuliming.

@yonzhan yonzhan removed bug This issue requires a change to an existing behavior in the product in order to be resolved. Account az login/account Installation Azure CLI Team The command of the issue is owned by Azure CLI team labels Nov 16, 2023
@evmimagina
Author

Hi @yonzhan, thank you for your response. Regarding the automated response, the suggested steps don't make too much sense to me...

Could you provide the supposed path for "C:\path\to\ca-certificates.crt"? I don't know what certificate it is expecting and where to find it.

On the other hand, this would be a workaround; in my humble opinion, those steps should work out-of-the-box...

Many thanks and best regards,

@evmimagina
Author

Hi @yonzhan,

FYI, the problem gets solved once the following certificates are downloaded and installed in the Local Machine Store -> Trusted Publishers:

https://secure.globalsign.net/cacert/Root-R1.crt
https://secure.globalsign.net/cacert/Root-R3.crt

It seems to be a problem related to the latest Azure CLI installation package? That is the work-around that solves it; it would be great if this could be fixed in a future Azure CLI install package.

Let me know your thoughts please.

Best regards,

@Enache-Razvan

For the issue I also got
PS C:\Users\Adm_razvan> az aks install-cli
The detected architecture of current device is "amd64", and the binary for "amd64" will be downloaded. If the detectiton is wrong, please download and install the binary corresponding to the appropriate architecture.
No version specified, will get the latest version of kubectl from "https://storage.googleapis.com/kubernetes-release/release/stable.txt"

In my case, I have an Azure Stack HCI 23H3, and I ran from PowerShell:
Invoke-WebRequest -Uri https://storage.googleapis.com/kubernetes-release/release/stable.txt -UseBasicParsing

And this has solved my issue with getting the required certificate and allowed me to install the aks cli.

Hope it helps
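
As an added example (not part of the original thread and not Azure CLI code): a Python diagnostic that reports which trust anchors a TLS context has actually loaded and whether any of them matches an issuer name, with certificate verification left on. The `GlobalSign` hint comes from the workaround reported above; `trust_report`, `subject_names` and `diagnose` are hypothetical helper names.

```python
import os
import ssl


def subject_names(cert):
    """Flatten the 'subject' field of one get_ca_certs() entry into its values."""
    return [value for rdn in cert.get("subject", ()) for _key, value in rdn]


def trust_report(ctx, issuer_hint):
    """Describe the trust anchors held by `ctx` and look for `issuer_hint` among them."""
    paths = ssl.get_default_verify_paths()
    # get_ca_certs() lists CA certificates already loaded into the context
    # (on Windows: those read from the system stores when the context was built).
    loaded = ctx.get_ca_certs()
    hint = issuer_hint.lower()
    matches = sorted({name for cert in loaded
                      for name in subject_names(cert) if hint in name.lower()})
    return {
        "verification_on": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "ca_loaded": len(loaded),
        # Name and current value of the variable the automated reply refers to.
        "env_var": paths.openssl_cafile_env,
        "env_value": os.environ.get(paths.openssl_cafile_env),
        "matches": matches,
    }


def diagnose(report):
    """Map a trust_report() result to a short verdict."""
    if not report["verification_on"]:
        return "verification-disabled"
    if report["matches"]:
        return "issuer-present"
    if report["ca_loaded"] == 0:
        return "empty-store"
    # The situation behind "unable to get local issuer certificate":
    # anchors are loaded, but none is the one the server chain needs.
    return "issuer-missing"


if __name__ == "__main__":
    # Assumption: the missing issuer is a GlobalSign root, as in the thread.
    report = trust_report(ssl.create_default_context(), "GlobalSign")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("verdict:", diagnose(report))
```

Running it before and after a workaround shows whether the set of loaded trust anchors changed.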
