unable to get local issuer certificate

Question

unable to get local issuer certificate

CHEN, SHIRLEY 1

I tried to run below command to use Azure CLI to update secret for SSL private key. Before that, I try to check the secret list, it also show me the same error:

$ az keyvault secret list --vault-name bsfprdce01opskv01 ←[91m[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)←[0m I do not have issue to run "az login" or any other command beside the "keyvault secret". I did export the HTTP/HTTPS Proxy and download the ATT certificate. I have been asked around people, google the solution, and try all the possible suggestions from MS community but all of them not work. Could anyone help? Thank you!

Akshay-MSFT 17,921 Reputation points Microsoft Employee

2024-01-30T09:57:21.43+00:00
@CHEN, SHIRLEY

Thank you for posting your query on Microsoft Q&A.

From above description I could understand that you are getting this error while trying to update secret for SSL private key within KeyVault secret but getting error SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate.

Please do correct me by responding in the comments if above mentioned issue description is not correct.

Kindly confirm the following:

If you are able to access the keyVault via Azure Portal and tries to perform any action does it throw any error?

Are you running the command locally or from Use the Bash environment in Azure Cloud Shell?

What result do you get when running from Use the Bash environment in Azure Cloud Shell?

What is the az version you have if running the command locally? Kindly try running az upgrade and validate the behavior with latest version.

Thanks,

Akshay Kaushik
CHEN, SHIRLEY 1 Reputation point

2024-01-30T23:05:37.63+00:00
Hi, Akshay: Yes, your understand is correct. I got the error when I try to check the Azure Key Vault before update the private key. Yes, I do have access the keyVault via Azure Portal. When I did the update thru Portal, the key does not implement properly. I made the key as one line instead of a key file format. I did not use bash environment in Azure Cloud Shell. I am using the PowerShell and Visual Studio Code on my laptop. The Azure CLI version is below. My coworkers did help to upgrade the git/python to make sure the certificate is initial properly but it did not help on my local certificate issuer error. Please advise if you have any idea for the issue and solution. Thank you! sc9100@TXCDTL01SC9100 MINGW64 ~

$ az version { "azure-cli": "2.56.0", "azure-cli-core": "2.56.0", "azure-cli-telemetry": "1.1.0", "extensions": { "ssh": "2.0.2" } }
Akshay-MSFT 17,921 Reputation points Microsoft Employee

2024-02-05T10:37:00.2333333+00:00
@CHEN, SHIRLEY

Yes, I do have access the keyVault via Azure Portal. When I did the update thru Portal, the key does not implement properly. I made the key as one line instead of a key file format.

When you "say the key does not implement properly" what does this implies? Do you get any error or warning message while trying to update through the portal. Kindly share the screenshot if you face any error message.

Thanks, Akshay Kaushik

1 answer

Your answer

Akshay-MSFT 17,921 Reputation points Microsoft Employee

2024-01-30T09:57:21.43+00:00

@CHEN, SHIRLEY

Thank you for posting your query on Microsoft Q&A.

From above description I could understand that you are getting this error while trying to update secret for SSL private key within KeyVault secret but getting error SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate.

Please do correct me by responding in the comments if above mentioned issue description is not correct.

Kindly confirm the following:

If you are able to access the keyVault via Azure Portal and tries to perform any action does it throw any error?

Are you running the command locally or from Use the Bash environment in Azure Cloud Shell?

What result do you get when running from Use the Bash environment in Azure Cloud Shell?

What is the az version you have if running the command locally? Kindly try running az upgrade and validate the behavior with latest version.

Thanks,

Akshay Kaushik
CHEN, SHIRLEY 1 Reputation point

2024-01-30T23:05:37.63+00:00

Hi, Akshay: Yes, your understand is correct. I got the error when I try to check the Azure Key Vault before update the private key. Yes, I do have access the keyVault via Azure Portal. When I did the update thru Portal, the key does not implement properly. I made the key as one line instead of a key file format. I did not use bash environment in Azure Cloud Shell. I am using the PowerShell and Visual Studio Code on my laptop. The Azure CLI version is below. My coworkers did help to upgrade the git/python to make sure the certificate is initial properly but it did not help on my local certificate issuer error. Please advise if you have any idea for the issue and solution. Thank you! sc9100@TXCDTL01SC9100 MINGW64 ~

$ az version { "azure-cli": "2.56.0", "azure-cli-core": "2.56.0", "azure-cli-telemetry": "1.1.0", "extensions": { "ssh": "2.0.2" } }
Akshay-MSFT 17,921 Reputation points Microsoft Employee

2024-02-05T10:37:00.2333333+00:00

@CHEN, SHIRLEY

Yes, I do have access the keyVault via Azure Portal. When I did the update thru Portal, the key does not implement properly. I made the key as one line instead of a key file format.

When you "say the key does not implement properly" what does this implies? Do you get any error or warning message while trying to update through the portal. Kindly share the screenshot if you face any error message.

Thanks, Akshay Kaushik

Answer 1

CHEN, SHIRLEY 1

Hi, Akshay: I do not have error when I use Azure Portal to update the SSH Key. However, as I mentioned, the key did not apply properly. It took it as one line instead of SSH key format. That's why we need to use the Azure CLI to update the SSH key. I have attached the expected result and unexpected result as your reference. As I know, only update the SSH key thru Azure CLI will show the expected result in attachment. Can you please help to on my Azure CLI error and provide the solution if possible? Azure Portal Key vault option is not working for me. Thank you! Expected SSH Key result: expected_cert_update_as_this

Unexpected SSH Key result: unexpected_cert_update_as_this

Akshay-MSFT 17,921 Reputation points Microsoft Employee

2024-02-23T06:18:50.49+00:00

@CHEN, SHIRLEY
This is an expected behavior as the Key Vault APIs accept and return secret values as strings. However once you copy the secret value it should return the original hash of the certificate you have saved. Thanks, Akshay Kaushik
CHEN, SHIRLEY 1 Reputation point

2024-02-26T15:07:30.9666667+00:00

Hi, Akshay: That's what I thought in beginning. However, after we updated the key in string as you mentioned that is expected result and run my process, it complains about the key was not valid or found. This is the reason that we want to fix the Azure CLI certificate issue on my local laptop and update the key thru Azure CLI. Is anything that I need to cleanup on my laptop to resolve the certificate issue? I tried to follow all the steps that I can found to store the certificate and populate the environment variables but still not able to resolve the certificate error. Thanks!

Share via

unable to get local issuer certificate

1 answer

Your answer