Azure function error: Could not find a suitable TLS CA certificate bundle

Bin Jin (Forestay) 35 Reputation points
2023-03-23T09:01:45.1566667+00:00

I have a Service Bus queue-triggered Azure Function (Python). Every now and then, the function fails with the following error:

"OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /home/site/wwwroot/.python_packages/lib/site-packages/certifi/cacert.pem"

Among the 10k messages processed per night, this situation happens like 10-20 times per night.

Any idea why?

Azure Functions

1 answer

  1. Mike Urnun 9,811 Reputation points Microsoft Employee
    2023-03-28T01:40:12.35+00:00

    Hello @Bin Jin (Forestay), thanks for reaching out and posting on the MS Q&A. This is likely an issue unique to your environment that requires a thorough investigation, and our support team is best equipped to locate its root cause. Does your subscription carry a support plan? If not, let me know and we'd be happy to help open one free of charge for resolving this matter.

    UPDATE 3/28:
    This appears to be a platform issue with Function Apps running on Linux OS via dedicated App Service plan SKUs. The issue seems to originate from the mounting process, and it has previously been investigated by the Azure product team and is actively being worked on for further improvements and fixes. In order to reduce cold start time, the source code of your Function app is packaged into a zip file, and upon start of the app, the zip file is then mounted to the Linux filesystem. In rare scenarios, this mounting process can be disrupted intermittently by the underlying OS and other components in the platform, which might ultimately result in the error above about missing content/certs, etc.

    If your Function Apps run mission-critical operations and this issue has a significant impact on that process, per my original answer above, leveraging your support plan and working with one of our support engineers in a 1:1 setting to troubleshoot the root cause for your unique environment would be the next best course of action.

    I hope this helps and offers better insights into understanding why you're getting those errors, and provides you with the next steps.
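
An added example, not part of the original thread and not Microsoft's code: a preflight check that confirms the CA bundle is readable before any TLS call, so an invocation that hits the missing file either recovers or fails cleanly for redelivery instead of tempting anyone to disable certificate verification. It assumes the mount disruption is transient and that the image ships a Debian-style system bundle at `/etc/ssl/certs/ca-certificates.crt`; `resolve_ca_bundle` and `CABundleUnavailable` are hypothetical names.

```python
import time

# Assumption: Debian-style system CA bundle path; adjust for your base image.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


class CABundleUnavailable(RuntimeError):
    """No usable CA bundle; fail the invocation so the queue message is redelivered."""


def _usable(path):
    """True if path is a readable file containing at least one PEM certificate."""
    try:
        with open(path, "rb") as fh:
            return b"-----BEGIN CERTIFICATE-----" in fh.read()
    except OSError:
        # Covers a missing file, a missing parent directory and permission errors.
        return False


def resolve_ca_bundle(primary, fallback=SYSTEM_CA_BUNDLE,
                      attempts=3, delay=0.5, sleep=time.sleep):
    """Return a CA bundle path that was just verified as readable.

    Waits with exponential backoff for `primary` (for example certifi.where())
    to appear, then tries `fallback`, and raises if neither is usable.
    TLS verification is never switched off.
    """
    for attempt in range(attempts):
        if _usable(primary):
            return primary
        if attempt < attempts - 1:
            sleep(delay * (2 ** attempt))
    if fallback and _usable(fallback):
        return fallback
    raise CABundleUnavailable(
        f"no readable CA bundle at {primary!r} or {fallback!r}"
    )


# Typical use at the top of the function handler (requests honours this variable):
#   import os, certifi
#   os.environ["REQUESTS_CA_BUNDLE"] = resolve_ca_bundle(certifi.where())
```

Logging which path was returned gives a count of how often the packaged bundle was missing, which is useful evidence for a support case.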

