Trying to install the Azure Devops CLI Extension
https://learn.microsoft.com/en-us/azure/devops/cli/?view=azure-devops
az extension add --name azure-devops
is the command I run
I get the following error message
Error Message
I have tried
git config http.sslVerify "false"
I've tried to do multiple azure cli and powershell commands
I've set my context with
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
I don't understand what the issue is here.
I've tried running the commands with and without the VPN ( I use Pulse VPN for reference)
I've tried setting powershell's execution policy to Undefined
**Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser**
If someone could please let me know their thoughts on the specific error:
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='objects.githubusercontent.com', port=443): Max retries exceeded with url: /github-production-release-asset-2e65be/107708057/665228bd-d0c3-4865-b029-624cbc247ca1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220701%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220701T163308Z&X-Amz-Expires=300&X-Amz-Signature=dd9381d3d71deeb228b151ec41140e8238f425ca9bf2882889c6bc9592c782e6&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107708057&response-content-disposition=attachment%3B%20filename%3Dazure_devops-0.25.0-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
I've seen the post here Azure CLI Error and it was of no help
We have tried the same at our local to install the azure devops extension and it works successfully by following the MS DOC as given in question.
Here are the workaround we followed;
az login
Select-AzSubscription -Subscription subscriptionID
And it has been logged in successfully:-
After then installing az extension add --name azure-devops and it works.
Below are az --version we used ;
NOTE:- For the error make sure that you are using the latest version of az cli and enabled the port in your local (Windows security> Advance settings> Inbound Rule> add new rule then add your required port (443) and enable the same).
For configuration details here : How to open port in windows firwall .
For more information please refer the below links:-
Similar SO THREAD|Why Azure CLI login fails? "Connection actively refused" & az login command fails - Azure cli .
BLOG| MICROSOFT TECHNET .
When I run the pipeline on AKS and run az login --identity it gives me an error as below. What should I do to fix this issue.
AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned http error: 400, reason: Bad Request
I am using Azure CLI in bash within PowerShell in Windows 10. I sit behind a corporate proxy. My goal is to automate the deployment and setup of Azure resources.
Some of the Azure CLI commands work perfectly fine: I can run az login, change the default subscription, list locations, resource groups, resources within resource groups and I can even run shell scripts to deploy resources like Key Vaults.
However, when I try to list the keys or secrets within a Key Vault, or create keys/secrets I get the following:
Error occurred in request., SSLError: HTTPSConnectionPool(host='xxxxxx.vault.azure.net', port=443): Max retries exceeded with url: /secrets?api-version=7.0 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
The example I am providing here is for a Key Vault, but I am getting the same error with other types of resources, so I don't think the Key Vault is the issue.
When appending the --debug parameter to the command, I can see the error is coming from one of the Python libraries:
urllib3.connectionpool : Retrying (Retry(total=0, connect=4, read=4, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)': /secrets?api-version=7.0
I have tried the suggestions provided at:
Working with Azure CLI behind SSL intercepting proxy server,
Including export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=anycontent to disable certificate check (not recommended) and export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to make Python requests use the system ca-certificates bundle.
I have also tried:
export ADAL_PYTHON_SSL_NO_VERIFY=1
which is suggested in the following post:
[AzureStack] Handle SSL verification for certs not in Python root CA list #2267
But unfortunately none of the above produced any change in the outcome.
I am using Azure CLI version 2.0.60 and Python 3.
Due to you were using Windows not Linux or MacOS, please try to use set instead of export to set the environment variables in PowerShell, as below, then to run the azure cli command for Key Vault again.
set ADAL_PYTHON_SSL_NO_VERIFY=1
set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
And for the command export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt on Linux, I think you can refer to the SuperUser thread https://superuser.com/questions/217719/what-are-the-windows-system-certificate-stores to run a powershell window as administrator (right click on the PowerShell shortcut and select Run as administrator to run).
However, as you said about in bash with PowerShell, it sounds like you open a bash shell session of Windows Subsystem for Linux or like Git Bash from PS: prompt, which described fuzzily that I can not understand for your operations, please post more details about it, and I don't think it's a good practice to use PowerShell with bash nested.
I've updated this with my comment from https://github.com/Azure/azure-cli/issues/5099
#rzand 's process was the only one that worked for me, I'll expand on his solution though as there were extra steps required. All from elevated Shells
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python" -m pip install --upgrade pip
"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python36_64\Scripts\pip" install python-certifi-win32
Add the Cloud services root CA to cacert.pem exported from the downloaded certificate. I specifically needed Microsoft IT TLS CA 5 and the "Baltimore CyberTrust Root" from that cert. Simply open the certs in text editor and append the contents to the bottom of C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Add the Self-signed certificate given to you by the network team. Simply open the cert in text editor and append the contents to the bottom of C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Set the system/environment variable in Command prompt setx /m REQUESTS_CA_BUNDLE "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
Set the system/environment variable in Powershell $env:REQUESTS_CA_BUNDLE="C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
Close and open Bash / Command Prompt
FINALLY no errors. I can even retrieve Key Vault secrets
Running just the below two commands, fixed the issue for me
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python" -m pip install --upgrade pip
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Scripts\pip" install python-certifi-win32
In my case the issue was seen due to invoking a Azure CLI command behind a company proxy.
Peter Pan's set method doesn't work well in PowerShell, use this instead:
$env:ADAL_PYTHON_SSL_NO_VERIFY = '1'
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION = '1'
Works on WSL Ubuntu 20.04
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
In order to make Python requests use the system ca-certificates bundle
Solution from Working with Azure CLI behind SSL intercepting proxy server
Having contacted the azure cli team, it appears there is a bug that affects keyvault commands that are run behind a proxy.
Refer to the following github issue that I created with an in-depth explanation of the issue (and a potential workaround):
AZURE_CLI_DISABLE_CONNECTION_VERIFICATION does not have any effect for SSL verification
The above issue is also linked to the following, which appears to be a duplicate:
Az keyvault secret list --vault_name thru proxy is getting Proxy Authentication Required
It is also worth mentioning that this issue happens regardless of the platform the azure cli is running on so it is not an environmental issue or a problem when setting environment variables.
Below worked for me in a corporate firewall and proxy.
Added HTTP_PROXY and HTTPS_PROXY environment variables to the system
Find certifi path for your AZ CLI installation. It was "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi" for me.
Download your company root certificate and append it to "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
Done !
I want to reset admin password for my Azure VM running Windows deployed through ARM.
Reset VM password deployed with ARM.
Download and install Azure CLI https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/
Open command line and enter the following command:C:\Program Files (x86)\Microsoft SDKs\Azure\CLI\wbin>azure login
Follow the instruction provided by command line
Select the Azure Subscription from which you want to reset the password for VM, Run command: Azure account set "Subscription Name" .
Run the command: azure vm reset-access -g [Resource Group name] -n [VMname] -u[username] -p[newPassword].(don’t use square bracket while forming command ).Make sure you don’t have VmExtension installed for Microsoft.Compute.VMAccessAgent handler.
I am using msdeploy to deploy codes to dev server. this morning it stops working. and I am getting ERROR_USER_NOT_ADMIN. nothing changed, at least not that I know of.
abc\jqin, this user is a domain account, its a local admin. why am I still getting ERROR_USER_NOT_ADMIN
Deploy: "C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"
-verb:sync -source:package="C:\NetBuild\Packages\IRViewerSvc\IRViewerSvc.zip" -dest:iisApp=IRViewerSvc,computerName=tvw-irwebsvc,username="abc\jqin",password=********
Info: Using ID '51e98b9d-456e-4c7e-8f1a-c696c240f431' for
connections to the remote server. EXEC : error Code:
ERROR_USER_NOT_ADMIN [C:\NetBuild\BuildScript\IRViewerSvc.build]
More Information: Connected to 'tvw-irwebsvc' using the Web Deployment
Agent Service, but could not authorize. Make sure you are an
administrator on 'tvw-irwebsvc'. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error : The remote server returned an error : (401) Unauthorized.
[C:\NetBuild\BuildScript\IRViewerSvc.build] EXEC : error count: 1.
[C:\NetBuild\BuildScript\IRViewerSvc.build]
C:\NetBuild\BuildScript\IRViewerSvc.build(71,5): error MSB3073: The
command ""C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"
-verb:sync -source:package="C:\NetBuild\Packages\IRViewerSvc\IRViewerSvc.zip" -dest:iisApp=IRViewerSvc,computerName=tvw-irwebsvc,username="abc\jqin",password=********"
exited with code -1. Done Building Project
"C:\NetBuild\BuildScript\IRViewerSvc.build" (deploy target(s)) --
FAILED.
Try search mmc and run it click on File add or remove snap-ins, select Local Users and Groups hit ok.
Click on the User uncheck everything and check only Password never expires.
Now go to Groups add new group if it does not exists MSDepSvcUsers, Double click on it and add your User as a member.
Go to Services and restart the Web Deployment Agent Service.
Now try and run your MSDeploy.
I hope this was helpful.
Trosago
The NetLogon solution posted here didn't work on our AWS EC2 Windows Server 2019 instances because of the following:
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
The MSDepSvcUsers solution posted here didn't work completely either:
[16:19:20] Error: (2/10/2020 5:19:20 PM) An error occurred when the request was processed on the remote computer.
[16:19:20] Error: An error occurred when reading the IIS Configuration File 'MACHINE/REDIRECTION'. The identity performing the operation was 'EC2AMAZ-ABCDEFG\SomeUserName'.
[16:19:20] Error: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
[16:19:20] Error: Cannot read configuration file due to insufficient permissions
As noted here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/083efb2e-d087-4a03-9f6a-662a218cacf8/machineredirection-error?forum=tfsgeneral
Adding the Read & execute and Read access to the folder containing the redirection.config file for the user doing the deploy didn't fix the issue, but adding read permissions for the NETWORK SERVICE user on that same folder did.
I recently encountered an interment problem where builds were failing with ERROR_USER_NOT_ADMIN.
This was after an OS upgrade to Windows 2016.
The error from MsDeploy was not entirely correct in our situation and we noticed that if the deployment user was remoted onto the server the deploy would complete successfully.
Upon looking at the event log I noticed that there was an error stating that the deployment account failed to logon with a reason 'The NetLogon component is not active.'
Sure enough, the NetLogon service was stopped. Starting it meant the deployments worked again.