SSLError (bad handshake) when using Azure CLI

Audun Nes
2 min read · May 10, 2019


I have been using Azure CLI ad hoc for more than a year without issues, but today I was going to add some secrets to Azure Vault using Azure CLI.

When running “az keyvault secret set …” to add the secrets, I got the following error:

"Max retries exceeded with url: /<api-url> (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))"

This error can occur for at least four different reasons:

  1. You are using a self-signed certificate for the resource you are accessing.
  2. The Certificate Authority that issued the certificate is not trusted by your operating system.
  3. The Certificate Authority that issued the certificate is not trusted by your programming language or framework, which may ship its own CA bundle separate from the operating system's store.
  4. Your company intercepts and inspects HTTPS traffic, and therefore inserts its own CA certificate at the top of the certificate chain.

In all four cases the fix is the same: get the self-signed certificate, or the root CA certificate at the top of the chain, trusted by the caller. Here the caller is Azure CLI, which (at least on Linux and macOS) makes its HTTPS requests through the Python requests module, so that is where the certificate has to be trusted:

  1. Open the URL mentioned in the error message in a browser. The instructions below use Google Chrome on Windows, but other browsers on other operating systems have similar capabilities.
  2. Click the padlock icon in the browser's address bar.
  3. View the site certificate.
  4. On the Certification Path tab, select the root node of the certificate chain and click View Certificate. This is referred to below as the root CA certificate.
  5. On the Details tab of the root CA certificate, click Copy to File.
  6. When the Certificate Export Wizard opens, choose to export the certificate as a DER encoded binary X.509 (.CER) file.
  7. Save the file as root_ca.cer.
  8. Using openssl, convert the file from DER to PEM format:
openssl x509 -inform der -in root_ca.cer -out root_ca.pem

  9. Tell the Python virtual environment (and thus the requests module) which file contains the trusted CA certificates, and append root_ca.pem to that file:

mkvirtualenv azcli
pip install azure-cli-core azure-cli-nspkg certifi requests requests-oauthlib
export REQUESTS_CA_BUNDLE=$VIRTUAL_ENV/lib/python2.7/site-packages/certifi/cacert.pem
cat root_ca.pem >> $REQUESTS_CA_BUNDLE
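As an added example (not code from the original post), here is a Python 3 alternative to steps 8 and 9. It does the DER-to-PEM conversion with the standard library's ssl module and merges the root CA into a separate bundle file that REQUESTS_CA_BUNDLE points at, instead of appending to certifi's own cacert.pem, which the next `pip install --upgrade certifi` would replace and silently drop the root again. The function names (`der_to_pem`, `build_bundle`, `demo`) are my own; `root_ca.cer` is assumed to be the file exported in step 7, and `base_bundle` is whatever bundle your tools trust today (for requests that is normally the path printed by `python -c "import certifi; print(certifi.where())"`). The demo writes constructed placeholder files to a temporary directory so it runs offline.

```python
"""Durable alternative to steps 8 and 9: convert the exported root CA from DER
to PEM and merge it into a *separate* bundle that REQUESTS_CA_BUNDLE names.

Added example, not code from the original post. Assumptions: `root_ca.cer` is
the DER file exported in step 7, and `base_bundle` is whatever bundle your tools
trust today (for requests, usually the path printed by
`python -c "import certifi; print(certifi.where())"`).
"""
import hashlib
import os
import re
import ssl
import tempfile

# One PEM certificate block. certifi's bundle also carries '# Issuer: ...'
# comment lines between blocks; those are deliberately dropped when rebuilding.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def der_to_pem(der: bytes) -> str:
    """Same output as `openssl x509 -inform der -in root_ca.cer -out root_ca.pem`."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding, so re-wrapped PEM text still dedupes correctly."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def split_bundle(text: str):
    """Return the individual certificate blocks found in a PEM bundle."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def build_bundle(base_bundle: str, extra_pems, out_path: str) -> int:
    """Write base_bundle's certificates plus any new extra certificates to out_path.

    Certificates already present (by fingerprint) are skipped, so running this
    twice, or after a certifi upgrade that already ships the root, is harmless.
    Returns the number of certificates actually added.
    """
    with open(base_bundle, "r", encoding="utf-8") as fh:
        certs = split_bundle(fh.read())
    seen = {fingerprint(c) for c in certs}
    added = 0
    for pem in extra_pems:
        for cert in split_bundle(pem):
            fp = fingerprint(cert)
            if fp not in seen:
                seen.add(fp)
                certs.append(cert)
                added += 1
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("".join(c + "\n" for c in certs))
    return added


def demo():
    """Run the flow end to end on constructed stand-in files (no network needed).

    The 'certificate' bytes are placeholder DER, not real certificates:
    DER_cert_to_PEM_cert only base64-wraps its input, so any bytes do for the demo.
    """
    work = tempfile.mkdtemp()
    base = os.path.join(work, "cacert.pem")    # stands in for certifi's bundle
    cer = os.path.join(work, "root_ca.cer")    # stands in for the exported root CA
    out = os.path.join(work, "ca-bundle.pem")  # the file REQUESTS_CA_BUNDLE will name

    with open(base, "w", encoding="utf-8") as fh:
        fh.write("# Issuer: placeholder public CA\n" + der_to_pem(b"\x30\x03\x02\x01\x01"))
    with open(cer, "wb") as fh:
        fh.write(b"\x30\x03\x02\x01\x02")  # constructed placeholder 'root CA' DER

    with open(cer, "rb") as fh:            # step 8: DER -> PEM
        root_pem = der_to_pem(fh.read())

    first = build_bundle(base, [root_pem], out)   # step 9: root added -> 1
    second = build_bundle(out, [root_pem], out)   # re-run: already present -> 0
    with open(out, encoding="utf-8") as fh:
        total = len(split_bundle(fh.read()))      # 2 certificates in the bundle
    return first, second, total, out


if __name__ == "__main__":
    first, second, total, out = demo()
    print(f"added {first} then {second}; bundle now holds {total} certificates")
    print(f"export REQUESTS_CA_BUNDLE={out}")
```

Before adding the exported root to any bundle, check that it is the certificate you expect, for example with `openssl x509 -in root_ca.pem -noout -subject -issuer -fingerprint -sha256`: for an interception proxy (reason 4 above) the subject should name your own organization's inspection CA. Keeping the merged bundle outside site-packages also means the `export REQUESTS_CA_BUNDLE=...` line can live in your shell profile and survive virtualenv rebuilds.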

Voila! Now I could run “az keyvault secret set …” to add secrets to Azure Vault.

Audun Nes

Lead Cloud Engineer/Site Reliability Engineer from Copenhagen, Denmark. GitHub: https://github.com/avnes