Azure cli behind corporate proxy not working (SSL: WRONG_VERSION_NUMBER)

Lavrenty Eskin 1 Reputation point
2021-12-22T18:25:45.547+00:00

I have my C:\Users\xxxx\cacert-with-corp-proxy-cert.pem file updated with the corporate SSL proxy certificate. To confirm that the PEM file was updated properly and that the corporate proxy SSL certificates are valid, I performed a check with python.exe (Microsoft SDKs\Azure\CLI2\python.exe):

import urllib.request
import ssl
import certifi
import requests

url = "https://www.google.com/"

# this one works:
html = urllib.request.urlopen(url, context=ssl.create_default_context(cafile=r"C:\Users\xxxx\cacert-with-corp-proxy-cert.pem"))
# this one doesn't work (as expected):
html = urllib.request.urlopen(url, context=ssl.create_default_context(cafile=r"C:\Users\xxxx\cacert-default.pem"))

But when I try to use REQUESTS_CA_BUNDLE="C:\Users\xxxx\cacert-with-corp-proxy-cert.pem" with the az login command, I see the following error:

Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://learn.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /common/oauth2/token (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)')))

The value of the REQUESTS_CA_BUNDLE environment variable is picked up correctly by the az login command (tested with a dummy file link, and it gives a file-not-found error).

The rest of the params:

PS C:\Users\xxxx> $env:SSL_CERT_FILE
C:\Users\xxxx\cacert-with-corp-proxy-cert.pem
PS C:\Users\xxxx> $REQUESTS_CA_BUNDLE
C:\Users\xxxx\cacert-with-corp-proxy-cert.pem

PS C:\Users\xxxx> az version
{
"azure-cli": "2.29.0",
"azure-cli-core": "2.29.0",
"azure-cli-telemetry": "1.0.6",
"extensions": {}
}

PS C:\Users\xxxx> $env:HTTP_PROXY
http://gate-xxx.xxxxxx.com:8080
PS C:\Users\xxxx> $env:HTTPS_PROXY
http://gate-xxx.xxxxxx.com:9443


1 answer

  1. Limitless Technology 39,506 Reputation points
    2021-12-27T18:28:45.557+00:00

    Due to the authentication schematics of Azure Service, Azure CLI needs to pass an authentication payload through the HTTPS request, which will be denied at authentication time at your corporate proxy. By executing Azure login you will receive a TIMEOUT message; this is expected.

    This can be easily solved by setting the HTTPS_PROXY environment variable. Note that changing the environment variables requires a reboot of your terminal to take effect.

    You can also refer to this article using Azure CLI effectively
    https://learn.microsoft.com/en-us/cli/azure/use-cli-effectively

    Hope this resolves your Query!!

    ------

    --If the reply is helpful, please Upvote and Accept it as an answer--
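
An added example (not part of the question or the answer, and not Azure CLI code): it classifies the `[SSL: ...]` reason in the error quoted in the question, then runs a client handshake in memory with Python's `ssl` module against bytes that are not TLS, once with the system CA store and once with no CA certificates at all, to show that a record-layer failure is raised before any certificate is examined. The canned plaintext reply and the helper names are assumptions made for the illustration; the example does not establish what the proxy in the question actually returned.

```python
import re
import ssl

# Constructed sample: first bytes a listener that is not speaking TLS might send.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

# SSL part of the error detail quoted in the question.
AZ_ERROR = "SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)'))"


def classify_reason(reason):
    """Map an OpenSSL reason mnemonic to the layer that failed."""
    if reason == "CERTIFICATE_VERIFY_FAILED":
        return "trust"     # chain or hostname check failed: a CA bundle question
    return "protocol"      # anything else: not a certificate-validation failure


def classify_message(text):
    """Pull the '[SSL: REASON]' mnemonic out of an error string and classify it."""
    match = re.search(r"\[SSL: ([A-Z0-9_]+)\]", text)
    if not match:
        return (None, "unknown")
    return (match.group(1), classify_reason(match.group(1)))


def handshake_failure(ctx, first_reply=PLAINTEXT_REPLY):
    """Run a client handshake in memory against canned reply bytes (no network)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="login.microsoftonline.com")
    incoming.write(first_reply)   # what the peer "answers" to our ClientHello
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return (None, "incomplete")          # no reply bytes yet
    except ssl.SSLCertVerificationError as exc:
        return (exc.reason, "trust")
    except ssl.SSLError as exc:
        return (exc.reason, "protocol")
    return (None, "ok")


if __name__ == "__main__":
    print("error from the question:", classify_message(AZ_ERROR))
    with_cas = ssl.create_default_context()           # system CA store loaded
    no_cas = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification on, no CAs loaded
    print("system CA store:", handshake_failure(with_cas))
    print("empty CA store: ", handshake_failure(no_cas))
```

Both contexts fail the same way, so the outcome of this handshake does not depend on which CA file is loaded.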