Install Bicep CLI on corporate laptop error - azure

I am trying to install the Bicep CLI on a corporate laptop, and I get the following error.
I tried with and without VPN and get the same error:
My Azure CLI version is 2.44.1 and I am using Windows 10.
Error while attempting to retrieve the latest Bicep version: HTTPSConnectionPool(host='aka.ms', port=443): Max retries exceeded with url: /BicepLatestRelease (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)'))).
I searched the net, but these answers didn't solve my problem (enter link description here and enter link description here).

It seems like you are sitting behind an HTTPS-intercepting proxy.
You should reach out to your enterprise IT to resolve this.
Get the CA certificates used by the proxy, save them locally and tell the Azure CLI where to find them:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
Your IT might also be able to exempt Azure and GitHub from HTTPS interception.
Security Risk
You can also disable the certificate verification. But it is not recommended and will be a security risk.
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=anycontent
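To make the diagnosis concrete, here is an added example (not part of the answer above, and not Azure CLI code) that reproduces the failure offline with OpenSSL: a constructed "inspection root" issues a certificate for aka.ms, verification against the default store fails the way the CLI reports, and verification against a bundle that adds that one root succeeds. Every certificate, name and path in it is constructed; openssl on PATH is assumed. The make_bundle step shows the shape of the proper fix: one known root is added to the existing trust store instead of verification being switched off.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Reproduces the verify failure offline with
# OpenSSL and shows what pointing REQUESTS_CA_BUNDLE at the right file changes.
# Assumes: openssl on PATH. Every certificate below is constructed here.
set -u
WORK="$(mktemp -d)"

# Stand-in for the interception proxy's private root (self-signed, CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Corp TLS Inspection Root" \
  -keyout "$WORK/proxy-root.key" -out "$WORK/proxy-root.pem" 2>/dev/null

# Stand-in for the leaf the proxy mints for aka.ms when the CLI connects.
openssl req -newkey rsa:2048 -nodes -subj "/CN=aka.ms" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/proxy-root.pem" \
  -CAkey "$WORK/proxy-root.key" -CAcreateserial -days 1 \
  -out "$WORK/leaf.pem" 2>/dev/null

# "yes" when a certificate is its own issuer: the tell-tale of a private root at the
# top of the chain you get back from `openssl s_client -showcerts`.
is_self_signed() {
  local subj iss
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# "ok"/"failed": does the leaf verify against the given bundle? An empty bundle argument
# means the default store, which is what the CLI uses when REQUESTS_CA_BUNDLE is unset.
verify_against() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo failed
  else
    openssl verify "$1" >/dev/null 2>&1 && echo ok || echo failed
  fi
}

# A bundle that keeps the public roots AND adds the proxy root, so exactly one extra
# issuer becomes trusted, not "anything".
make_bundle() {
  : > "$2"
  if [ -r /etc/ssl/certs/ca-certificates.crt ]; then
    cat /etc/ssl/certs/ca-certificates.crt >> "$2"
  fi
  cat "$1" >> "$2"
  echo "$2"
}

BUNDLE="$(make_bundle "$WORK/proxy-root.pem" "$WORK/corp-bundle.pem")"
echo "chain top self-signed: $(is_self_signed "$WORK/proxy-root.pem")"
echo "default store:         $(verify_against "$WORK/leaf.pem" "")"
echo "with corp bundle:      $(verify_against "$WORK/leaf.pem" "$BUNDLE")"
echo "export REQUESTS_CA_BUNDLE=$BUNDLE"
```

On Windows 10 the Azure CLI honours the same REQUESTS_CA_BUNDLE variable; set it as a user environment variable (for example with setx) pointing at the bundle file rather than with export. The bundle must be the full PEM chain of the proxy's signing CA, not just the leaf you see in the browser.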


Azure App Service Docker Container running Rust App Making Outbound HTTP Request "unable to get local issuer certificate"

I think the issue must be with my Azure setup. I have an app service that is running a container for a Rust web service. That web service needs to make an outbound HTTPS request. However, when I try to do that I get this error:
"error in reqwest: error sending request for url (https://api.twilio.com/2010-04-01/Accounts/######/Messages.json): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1919: (unable to get local issuer certificate)"
I am using a managed certificate from Azure App Service. Does anyone have a hunch of what the issue might be? Or is familiar with this kind of issue in Azure?
It is most likely that your docker container does not have current CA certificates installed. Twilio updated their root certificate a while back and this can cause some issues.
Try running update-ca-certificates or one of the other suggested solutions.

Azure Application Gateway SSL Certificate: Data must be specified for Certificate

I want to use Azure Application gateway for TLS termination. When trying to upload my PFX certificate to an Application Gateway Listener I receive the following, non-informative, error message:
Failed to save application gateway changes
Failed to save configuration changes to application gateway 'main-backend'. Error: Data must be specified for Certificate main-backend/cert4.
I am using a certificate issued by LetsEncrypt and converted to PFX using openssl. The certificate file looks proper, and the certificate password I passed to Azure is the right one.
Can someone tell me what's the issue here? Thank you!
See SSL Cert Error in Azure Application Gateway for similar discussion.
My experience aligned with that discussion: the certificate just seemed to take a little while to deploy. No issues beyond the "disappearing rule" described there. Recreated the rule after a little while (and updated NSG to allow incoming on 443) and it flowed to backend pool (in my case: TLS offload on Gateway to HTTPS on backend).
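As an added example (not from the question or the answer above), here is how to build the PFX from PEM inputs with OpenSSL and then check, using the exact password that will be typed into the portal, that the file opens and carries both the private key and the certificate chain. Those two properties are the ones within the uploader's control before the listener rejects the data. It assumes openssl is on PATH and uses a certificate constructed on the spot rather than a real Let's Encrypt one; the file names and password are made up.

```bash
#!/usr/bin/env bash
# Added example, not from the original question or answer. Builds the PFX a listener
# takes from PEM inputs and checks the file with the password before uploading.
# Assumes: openssl on PATH. The certificate is constructed here, not a real Let's Encrypt one.
set -u
WORK="$(mktemp -d)"

# Stand-in for certbot's privkey.pem / fullchain.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=gateway.example.test" \
  -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null

# key, fullchain, out.pfx, password -> "ok"/"failed". fullchain (leaf + intermediates)
# goes in as -in so the PFX carries the chain the gateway will present to clients.
build_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null \
    && echo ok || echo failed
}

# pfx, password -> "certs=N keys=M", or "unreadable" if that password does not open it.
# Run this with the exact password you will enter in the portal.
pfx_contents() {
  local dump certs keys
  if ! dump="$(openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null)"; then
    echo unreadable
    return 0
  fi
  certs="$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)"
  keys="$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY' || true)"
  echo "certs=$certs keys=$keys"
}

PFX="$WORK/gateway.pfx"
echo "build:          $(build_pfx "$WORK/privkey.pem" "$WORK/fullchain.pem" "$PFX" 'constructed-pw')"
echo "right password: $(pfx_contents "$PFX" 'constructed-pw')"
echo "wrong password: $(pfx_contents "$PFX" 'not-the-password')"
```

OpenSSL 3 writes PKCS#12 files with AES-256-CBC, PBKDF2 and a SHA-256 MAC by default; if a consumer only understands the older RC2/3DES encoding, the 3.x pkcs12 command has a -legacy option that produces it. A real Let's Encrypt fullchain.pem yields certs=2 or more in the check above, one per certificate in the chain.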

Azure vpn error A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

I am creating a VPN in Azure, and created a self-signed certificate in the following places:
Local Computer:
Personal/Certificates: Issued To: FQDN name is the certificate's name
Trusted Root Certification Authorities/Certificates:
manually copied from Personal
I have configured the VPN in Azure and it is downloaded and extracted and the vpn client is installed successfully, however, when I run the client I received the following error:
A certificate could not be found that can be used with this Extensible
Authentication Protocol. (Error 798)
Screenshot:
The error seems to suggest the certificate is NOT found; does the name matter?
Should I change the cert's name from Azurecert to FQDN which is the name in my local computer?
Thank you for your help in advance.
UPDATE:
I removed the existing certificate in Azure's configuration and re-added it with the same FQDN name shown in the local computer's certificates, I redownloaded the client, I removed the existing installed VPN client and re-installed the new one, and I receive the same error message. So it seems the name is not the root cause?
UPDATE2:
The procedure I've followed:
Create Self Signed Certificate with the FQDN name on local laptop;
New-SelfSignedCertificate -DnsName NV-RXIE.novantas.pri -CertStoreLocation "cert:\LocalMachine\My"
Add the self-signed certificate as a trusted certificate authority, Copy the new cert to Trusted Root Certificate Authorities
export the cert and open it, copy the cert part and paste it into the VPN setting: Root certificates, Public Certificate Data
Download the VPN client and install it on laptop, run it
Connect, failed with:
A certificate could not be found that can be used with this Extensible
Authentication Protocol. (Error 798)
When you try to connect to an Azure virtual network by using the VPN client, except for exporting the root certificate public key .cer file to Azure, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate and then export and install the client certificate. If the client certificate is not installed, authentication fails.
This problem occurs if the client certificate is missing from Certificates - Current User\Personal\Certificates.
You could follow this solution to fix this issue. For more information about how to install the client certificate, see Generate and export certificates for point-to-site connections.
In case anyone runs into this issue at some stage, I had installed a new root cert that worked for 2 out of 3 VPN gateways fine. The third kept giving a 798 error even though the certs were correct and in the right place.
To fix the Error 798, I did the following:
reset the gateway in Azure Portal. (support & troubleshooting on VPN gateway blade)
remove the VPN configuration from my pc (win10)
reboot pc (just to be safe)
download and reinstall the VPN client from the Azure Portal again (from Point-to-site configuration on Azure VPN gateway in question)
Once done, I could then connect without any issues. Tested on several different users.
My guess is that if you are adding / removing the Root certs it might need you to reinstall the VPN client on your computer after the gateway has the new root cert configuration.
Hope that helps.
In addition to the answer by Nancy Xiong:
If you are still having problems with this error you can try the following
Run certmgr.msc
Go to Personal->Certificates
Right-click your certificate
All Tasks->Export
Choose Yes: Export private key
Accept default options until you reach a step where you must enter a password
Enter a password, and continue until you have exported your certificate
Repeat this process if you have more than one certificate
Locate your certificates in the Windows file explorer
Right-click->Install
Select Current User for the Store Location
Accept default options, and enter the certificate password when prompted
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store
This should now work.
In rare circumstances you may find that this solution will only work for a short time (usually failing the next time you reboot). In this case you may need to follow these additional steps
Boot your computer into BIOS Configuration
Disable any settings for Intel VT-x and Intel VT-d
Restart your computer
Retry the steps above
In addition to the answer by Peter Morris, I did the steps below, which helped resolve this issue.
Delete the client certificate from your PC. This can be done by searching for Manage User Certificates, then right-clicking the certificate -> Delete
Now, reinstall your certificate, accept the default options, and enter the certificate password when prompted.
When asked which Certificate Store to place the certificate in, select Place all certificates in the following store
Click 'Browse' and select your Personal store
Accept all the default options that come next and click Finish.
The above steps helped me to resolve this issue
For me, I got this error because my previous cert has expired after 1 year.
I just deleted the old cert and followed this to create a new one:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
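For reference, here are the same artefacts the PowerShell procedure in the question produces, built with OpenSSL as an added example (not from the question or any of the answers): a root CA, a client certificate issued by that root with the client-authentication EKU, the .pfx to install into the client's Personal store, the base64 body to paste into "Public certificate data", and the colon-free thumbprint format the portal shows (used, for instance, in the gateway's revoked-certificates list). It assumes openssl on PATH; the names P2SRootCert, P2SChildCert and StrayCert and the password are constructed. The stray certificate shows what the gateway-side check looks like for a certificate that the configured root never issued, which is the situation the accepted answer describes when only the root was copied between stores and no client certificate exists.

```bash
#!/usr/bin/env bash
# Added example, not from the original question or answers. Root CA, client cert issued
# by it, the .pfx for the client machine, and the two strings the Azure side wants.
# Assumes openssl on PATH; all names, passwords and certificates are constructed here.
set -u
WORK="$(mktemp -d)"

# 1. Root: a CA certificate (req -x509 marks it CA:TRUE). Its public part goes into the
#    gateway's "Root certificates / Public certificate data" field.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=P2SRootCert" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Client cert issued BY the root (not a copy of it), with the client-authentication
#    EKU. This is the piece Error 798 reports missing from Current User\Personal.
openssl req -newkey rsa:2048 -nodes -subj "/CN=P2SChildCert" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null

# 3. The .pfx (client cert + private key + root) that gets installed on each laptop.
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
  -certfile "$WORK/root.pem" -out "$WORK/client.pfx" -passout pass:constructed-pw 2>/dev/null

# A self-signed cert the root never issued: what sits in Personal when no real client
# certificate was generated from the configured root.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=StrayCert" \
  -keyout "$WORK/stray.key" -out "$WORK/stray.pem" 2>/dev/null

# Exactly the text for "Public certificate data": the base64 body without header/footer lines.
root_public_data() { grep -v '^-----' "$1" | tr -d '\r\n'; }

# Thumbprint in the form the portal shows: SHA-1, upper-case hex, no colons.
thumbprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'; }

# "yes" when the leaf chains to this root and is usable for client authentication;
# "no" for a certificate the configured root never issued.
client_cert_ok() {
  openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1 && echo yes || echo no
}

echo "client thumbprint: $(thumbprint "$WORK/client.pem")"
echo "issued by root:    $(client_cert_ok "$WORK/client.pem" "$WORK/root.pem")"
echo "stray cert:        $(client_cert_ok "$WORK/stray.pem" "$WORK/root.pem")"
echo "public data (first 40 chars): $(root_public_data "$WORK/root.pem" | cut -c1-40)..."
```

The client .pfx carries the private key, so it is installed per user and never uploaded anywhere; only the root's public data goes to the gateway. Because the client certificate here is valid for one day, the same expiry failure the last answer describes would show up as Error 798 tomorrow, which is why checking notAfter on the client certificate belongs in the troubleshooting list.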

Can't deploy to secured Service Fabric cluster from VS

I've created a secured SF cluster from the portal, but I can't connect to the explorer from the browser or deploy my app from VS. I have the cluster certificate (the one it makes you create on a Key Vault when you first deploy the cluster) installed on my machine. I got the .pfx file from the Key Vault and installed it on my Windows machine both with double click/wizard and with the PowerShell Import-PfxCertificate cmdlet.
Still after that, VS says Failed to contact the server. Please try again later or get help from "How to configure secure connections"
I tried adding a client "admin" certificate, but it only asks me for the thumbprint or the subject name, where I put the ones from the previously created cluster certificate. I don't really know if I need to buy a client certificate to make it work, or where I would get it.
And as I said, I can't access the explorer using the browser either. Any ideas?
Here some screenshots:
This error message might be because:
- the certificate issuer authority is not trusted, or
- the certificate you installed is not valid or does not target the domain you are trying to access.
If the certificate issuer is not trusted, you might have to:
Trust them, please see this link
Or get a new certificate from a trusted authority and execute the steps below
If the certificate is invalid, or misconfigured:
The message is Chrome telling you that the certificate is not valid, and you can proceed at your own risk. You should be okay if you click Proceed to xyz.dev.eastus.cloudapp.com.
To deploy applications from Visual Studio to the cluster, you have to install the PFX certificate in the machine, and add the thumbprint to the publish profile file. See more in this link
How to make it work:
Register the domain you want, here I will say as www.example.com
Register the CNAME record on your DNS provider pointing to your Service Fabric default domain, like xyz.dev.eastus.cloudapp.com.
Get a PFX certificate from a trusted authority, or your own self-signed certificate if it is for internal use only.
Add the certificate to key vault
Configure the VMSS to use the certificates from key vault
Update your cluster configuration with your certificate thumbprint
This link and this link provide the documentation on how to set up the cluster certificates.
And the following link has a detailed explanation of how to set up applications:
https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/
If you just want to create a secure cluster for dev and test purposes, you could just create it from the portal and let Azure generate the correct certificate for you. For production workloads, you should create your own certificates; please take a look at this link for more info.

Can the ssl certificate and remote access certificate be the same?

All, I just configured SSL for my cloud service with a self-signed certificate by following these steps:
create a self-signed certificate using makecert.exe.
import the certificate to the cloud service, and also import the certificate to the local machine personal store.
add the certificate configuration for the web role in Visual Studio 2010.
publish the project to cloud services.
And it works fine.
But when I tried to import the RemoteAccess and RemoteForwarder modules into the configuration and use the same certificate for SSL and RemoteAccess, the publish action failed with the error:
the remote desktop certificate with thumbprint xxxxx does not have a type of key exchange and can not be used for decryption.
When I remove RemoteAccess, everything is fine.
Did anyone ever encounter this issue before? I didn't know if it is allowed for the cloud service, I mean using the same certificate for SSL and RemoteAccess. Thanks.
I think the problem is that your certificate doesn't have the key exchange property, rather than that you are using the same certificate for SSL and remote access. Maybe you can add the -sky exchange parameter for makecert.exe and try again.
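The answer's point, that the certificate's key capability rather than the sharing is the problem, can be checked from the certificate itself. This added example (not from the thread) does that with OpenSSL: makecert's -sky exchange flag sets the CryptoAPI key specification, which has no PEM equivalent, but the X.509 Key Usage extension carries the same intent portably. A certificate that must decrypt a secret (the remote-desktop password in the service configuration is encrypted to it) needs keyEncipherment, which a signature-only certificate lacks. It assumes openssl on PATH; both certificates and their names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Checks whether a certificate's Key Usage
# allows key encipherment, the X.509 counterpart of makecert's "exchange" key type.
# Assumes openssl on PATH; both certificates are constructed here.
set -u
WORK="$(mktemp -d)"

# Signature-only certificate: it can sign, but cannot be used to wrap or unwrap a key.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=sign-only.example.test" \
  -addext "keyUsage=critical,digitalSignature" \
  -keyout "$WORK/sign.key" -out "$WORK/sign.pem" 2>/dev/null

# Certificate that can also be used to encrypt a secret to its holder.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=exchange.example.test" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -keyout "$WORK/xchg.key" -out "$WORK/xchg.pem" 2>/dev/null

# cert.pem -> "yes" if Key Usage includes Key Encipherment, else "no".
has_key_encipherment() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Key Encipherment' && echo yes || echo no
}

# cert.pem -> the Key Usage line as OpenSSL prints it, for a quick look.
key_usage_line() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

echo "sign-only: $(key_usage_line "$WORK/sign.pem") -> $(has_key_encipherment "$WORK/sign.pem")"
echo "exchange : $(key_usage_line "$WORK/xchg.pem") -> $(has_key_encipherment "$WORK/xchg.pem")"
```

The same check applied to a PFX exported from the Windows store (openssl pkcs12 -in cert.pfx -nokeys, then openssl x509 -text) tells you before publishing whether the certificate you are about to assign to RemoteAccess can decrypt at all.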
