Use the system certificate store instead of certifi

[elygre]

I'm trying to run "az upgrade", which fails beautifully presumably due to the corporate proxy we have. #17938 (comment) gives some information on how to solve it, including a link to https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#work-behind-a-proxy.

The outlined mechanism seems ... convoluted. It suggests that I should edit C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem. This requires that I acquire the corporate MITM certificate (it's probably easy, but I don't know how), and that I'm comfortable with the file format. Also, every user would have to do this on every computer.

• Would it be possible to bypass all of this, using the system certificate store instead?

> az upgrade
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
You already have the latest azure-cli version: 2.27.1
Upgrading extensions
Checking update for azure-devops
An error occurred whilst updating.
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='github.com', port=443): Max retries exceeded with url: /Azure/azure-devops-cli-extension/releases/download/20210805.1/azure_devops-0.20.0-py2.py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
Failed to update. Rolled azure-devops back to 0.18.0.
Checking update for resource-graph
No updates available for 'resource-graph'. Use --debug for more information.
Upgrade finished.

Environment Summary

Windows-10-10.0.18362-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.27.1

Extensions:
azure-devops 0.18.0
resource-graph 2.1.0

[yonzhan]

@jiasli for awareness

[elygre]

This problem is resurfacing in 2.33; I believe it was gone in 2.32:

PS > az upgrade
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
You already have the latest azure-cli version: 2.33.0
Upgrading extensions
Checking update for account
No updates available for 'account'. Use --debug for more information.
Checking update for azure-devops
An error occurred whilst updating.
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='github.com', port=443): Max retries exceeded with url: /Azure/azure-devops-cli-extension/releases/download/20220131.1/azure_devops-0.23.0-py2.py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
Failed to update. Rolled azure-devops back to 0.22.0.
Checking update for resource-graph
No updates available for 'resource-graph'. Use --debug for more information.
Upgrade finished.```

See also #20842 and probably others mentioning CERTIFICATE_VERIFY_FAILED.

[jiasli]

@elygre, this problem is not related to different Azure CLI versions, but your proxy's configuration which intercepts traffic to github.com.

Would it be possible to bypass all of this, using the system certificate store instead?

This is definitely a good idea. There are already lots of discussions regarding this topic in the Python community:

• Consider using system trust stores by default in 3.0.0. psf/requests#2966
• Use Windows System SSL Certificates if Available pypa/pip#2510

I found some projects which do this:

• https://pypi.org/project/pip-system-certs/
• (Deprecated) https://pypi.org/project/python-certifi-win32/

However, pypa/pip#2510 (comment) says doing this is difficult on Windows. I am not sure if pip-system-certs works as expected.

Additional information:

• https://bugs.python.org/issue28547

[hkelley]

This worked for me,

PUSHD "C:\Program Files\Microsoft SDKs\Azure\CLI2"
python -m pip install pip_system_certs --trusted-host pypi.org  --trusted-host files.pythonhosted.org

I had been getting the Python error when adding extensions.