I am trying to create the Azure VM and use the VM application to silently install the application. Link to the procedure is at https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to.
Application fails to install the driver with the error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
It looks like the driver can't be installed since some root CA is missing. And it can't be installed automatically since the user running silent install has no proper rights.
I tried to just create VM and then run silent install from the command prompt, and that works just fine.
Has anyone had problems like that and how was it solved?
I tried to reproduce same in my environment I got the error like below.
This error says root certificate, which is not trusted by the trust provider, as silently install is running sometimes root certificate is not installed automatically it may cause error on application installation.
To resolve this issue, try to download Microsoft Root Certificate
Click Start ->Run , type mmc , and then click OK
Click File -> Add/Remove snap in like below:
Click on certificate -> Add :
Select -> computer name and finish it.
In console1 MMC you can see certificate -> Expand Trusted Root Certification Authorities , like below:
Once the Trusted Root Certification Authorities as imported I can able to install the application successfully
Trying to install the Azure Devops CLI Extension
https://learn.microsoft.com/en-us/azure/devops/cli/?view=azure-devops
az extension add --name azure-devops
is the command I run
I get the following error message
Error Message I have tried
git config http.sslVerify "false"
I've tried to do multiple azure cli and powershell commands
I've set my context with
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
I don't understand what the issue is here.
I've tried running the commands with and without the VPN ( I use Pulse VPN for reference)
I've tried setting powershell's execution policy to Undefined
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser
If someone could please let me know their thoughts on the specific error:
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='objects.githubusercontent.com', port=443): Max retries exceeded with url: /github-production-release-asset-2e65be/107708057/665228bd-d0c3-4865-b029-624cbc247ca1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220701%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220701T163308Z&X-Amz-Expires=300&X-Amz-Signature=dd9381d3d71deeb228b151ec41140e8238f425ca9bf2882889c6bc9592c782e6&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107708057&response-content-disposition=attachment%3B%20filename%3Dazure_devops-0.25.0-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
Normally, when executing the command line "az extension add --name azure-devops", it will go to the Azure DevOps CLI Extension GitHub Repo to download the latest release of the extension.
You can try to manually open the Azure DevOps CLI Extension GitHub Repo and download the extension on your browser:
If you also cannot manually access the GitHub Repo and download the extension, check whether there is any networking restriction or firewall set on your machine and the current network.
If you can manually access the GitHub Repo and download the extension, try to manually install the extension on your machine.
Installed Azure CLI on windows, ran az login command and running into following error
Version I am running is : 2.0.37
Azure cli 2.0 is written in python, it will verify ssl certificate when setting request. Make sure you don't have any proxy setting. I met same error when fiddler is running.
To work with proxy, we have to set REQUESTS_CA_BUNDLE env variable to certificate path. See related issue comment.
Make a complete example of fiddler.
Exported fiddler's certificate to desktop.
Tools -> Options, HTTPS tab, Actions -> Export Root Certificate to Desktop.
Use OpenSSL to convert to .pem file as Python doesn't accept .cer file.
openssl x509 -inform der -in FiddlerRoot.cer -out FiddlerRoot.pem.
Configure env variable in PS: $env:REQUESTS_CA_BUNDLE= '{folderpath}\FiddlerRoot.pem'
Then everything should work.
If you are using a command
az login
then it will try to take you though the browser and you have to provider your username and password there only.
If you want to login in the hell only then use
az login -u your_username -p your_password
This should work.
I was getting this with Azure CLI v2.3.2, what worked for me was copying the link it opened into a new incognito Chrome window and logging in as normal
I am getting an unable to get local issuer certificate error when performing an npm install:
typings ERR! message Unable to read typings for "es6-shim". You should check the
entry paths in "es6-shim.d.ts" are up to date
typings ERR! caused by Unable to connect to "https://raw.githubusercontent.com/D
efinitelyTyped/DefinitelyTyped/7de6c3dd94feaeb21f20054b9f30d5dabc5efabd/es6-shim
/es6-shim.d.ts"
typings ERR! caused by unable to get local issuer certificate
I have recently update to node 4 from a much earlier version and it sounds like node is much more strict when these kind of problems arise.
There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.
I am behind a corporate firewall, but I can get to the url fine in a browser without any restriction.
Does anyone have any further insight into this issue and what possible solutions there are?
I'm wondering about reverting to node 0.12 in the meantime :(
Try
npm config set strict-ssl false
This is a alternative shared in this url https://github.com/nodejs/node/issues/3742
There is an issue discussed here which talks about using ca files, but it's a bit beyond my understanding and I'm unsure what to do about it.
This isn't too difficult once you know how! For Windows:
Using Chrome go to the root URL NPM is complaining about (so https://raw.githubusercontent.com in your case).
Open up dev tools and go to Security-> View Certificate. Check Certification path and make sure your at the top level certificate, if not open that one. Now go to "Details" and export the cert with "Copy to File...".
You need to convert this from DER to PEM. There are several ways to do this, but the easiest way I found was an online tool which should be easy to find with relevant keywords.
Now if you open the key with your favorite text editor you should see
-----BEGIN CERTIFICATE-----
yourkey
-----END CERTIFICATE-----
This is the format you need. You can do this for as many keys as you need, and combine them all into one file. I had to do github and the npm registry keys in my case.
Now just edit your .npmrc to point to the file containing your keys like so
cafile=C:\workspace\rootCerts.crt
I have personally found this to perform significantly better behind our corporate proxy as opposed to the strict-ssl option. YMMV.
This worked for me:
export NODE_TLS_REJECT_UNAUTHORIZED=0
Please refer to the NodeJS documentation for usage and warnings:
https://nodejs.org/api/cli.html#cli_node_tls_reject_unauthorized_value
Anyone gets this error when 'npm install' is trying to fetch a package from HTTPS server with a self-signed or invalid certificate.
Quick and insecure solution:
npm config set strict-ssl false
Why this solution is insecure?
The above command tells npm to connect and fetch module from server even server do not have valid certificate and server identity is not verified. So if there is a proxy server between npm client and actual server, it provided man in middle attack opportunity to an intruder.
Secure solution:
If any module in your package.json is hosted on a server with self-signed CA certificate then npm is unable to identify that server with an available system CA certificates.
So you need to provide CA certificate for server validation with the explicit configuration in .npmrc.
In .npmrc you need to provide cafile, please refer to more detail about cafile configuration.
cafile=./ca-certs.pem
In ca-certs file, you can add any number of CA certificates(public) that you required to identify servers. The certificate should be in “Base-64 encoded X.509 (.CER)(PEM)” format.
For example,
# cat ca-certs.pem
DigiCert Global Root CA
=======================
-----BEGIN CERTIFICATE-----
CAUw7C29C79Fv1C5qfPrmAE.....
-----END CERTIFICATE-----
VeriSign Class 3 Public Primary Certification Authority - G5
========================================
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQ......
-----END CERTIFICATE-----
Note: once you provide cafile configuration in .npmrc, npm try to identify all server using CA certificate(s) provided in cafile only, it won't check system CA certificate bundles then.
Here's a well-known public CA authority certificate bundle.
One other situation when you get this error:
If you have mentioned Git URL as a dependency in package.json and git is on invalid/self-signed certificate then also npm throws a similar error.
You can fix it with following configuration for git client
git config --global http.sslVerify false
Typings can be configured with the ~/.typingsrc config file. (~ means your home directory)
After finding this issue on github: https://github.com/typings/typings/issues/120, I was able to hack around this issue by creating ~/.typingsrc and setting this configuration:
{
"proxy": "http://<server>:<port>",
"rejectUnauthorized": false
}
It also seemed to work without the proxy setting, so maybe it was able to pick that up from the environment somewhere.
This is not a true solution, but was enough for typings to ignore the corporate firewall issues so that I could continue working. I'm sure there is a better solution out there.
If you're on a corporate computer, it likely has custom certificates (note the plural on that). It took a while to figure out, but I've been using this little script to grab everything and configure Node, NPM, Yarn, AWS, and Git (turns out the solution is similar for most tools). Stuff this in your ~/.bashrc or ~/.zshrc or similar location:
function setup-certs() {
# place to put the combined certs
local cert_path="$HOME/.certs/all.pem"
local cert_dir=$(dirname "${cert_path}")
[[ -d "${cert_dir}" ]] || mkdir -p "${cert_dir}"
# grab all the certs
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > "${cert_path}"
security find-certificate -a -p /Library/Keychains/System.keychain >> "${cert_path}"
# configure env vars for commonly used tools
export GIT_SSL_CAINFO="${cert_path}"
export AWS_CA_BUNDLE="${cert_path}"
export NODE_EXTRA_CA_CERTS="${cert_path}"
# add the certs for npm and yarn
# and since we have certs, strict-ssl can be true
npm config set -g cafile "${cert_path}"
npm config set -g strict-ssl true
yarn config set cafile "${cert_path}" -g
yarn config set strict-ssl true -g
}
setup-certs
You can then, at any time, run setup-certs in your terminal. Note that if you're using Nvm to manage Node versions, you'll need to run this for each version of Node. I've noticed that some corporate certificates get rotated every so often. Simply re-running setup-certs fixes all that.
You'll notice that most answers suggest setting strict-ssl to false. Please don't do that. Instead use the setup-certs solution to use the actual certificates.
My problem was that my company proxy was getting in the way. The solution here was to identify the Root CA / certificate chain of our proxy, (on mac) export it from the keychain in .pem format, then export a variable for node to use.
export NODE_EXTRA_CA_CERTS=/path/to/your/CA/cert.pem
There are different reason for this issue and workaround is different depends on situation. Listing here few workaround (note: it is insecure workaround so please check your organizational policies before trying).
Step 1: Test and ensure internet is working on machine with command prompt and same url is accessible directly which fails by NPM. There are many tools for this, like curl, wget etc. If you are using windows then try telnet or curl for windows.
Step 2: Set strict ssl to false by using below command
npm -g config set strict-ssl false
Step 3: Set reject unauthorized TLS to no by using below command:
export NODE_TLS_REJECT_UNAUTHORIZED=0
In case of windows (or can use screen to set environment variable):
set NODE_TLS_REJECT_UNAUTHORIZED=0
Step 4: Add unsafe param in installation command e.g.
npm i -g abc-package#1.0 --unsafe-perm true
In case you use yarn:
yarn config set strict-ssl false
Add:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
Source: Ignore invalid self-signed ssl certificate in node.js with https.request?
I have encountered the same issue. This command didn't work for me either:
npm config set strict-ssl false
After digging deeper, I found out that this link was block by our IT admin.
http://registry.npmjs.org/npm
So if you are facing the same issue, make sure this link is accessible to your browser first.
For anyone coming to this from macOS:
Somehow, npm hasn't picked up correct certificates file location, and I needed to explicitly point to it:
$ echo "cafile=$(brew --prefix)/share/ca-certificates/cacert.pem" >> ~/.npmrc
$ cat ~/.npmrc # for ARM macOS
cafile=/opt/homebrew/share/ca-certificates/cacert.pem
Well this is not a right answer but can be consider as a quick workaround. Right answer is turn off Strict SSL.
I am having the same error
PhantomJS not found on PATH
Downloading https://github.com/Medium/phantomjs/releases/download/v2.1.1/phantomjs-2.1.1-windows.zip
Saving to C:\Users\Sam\AppData\Local\Temp\phantomjs\phantomjs-2.1.1-windows.zip
Receiving...
Error making request.
Error: unable to get local issuer certificate
at TLSSocket. (_tls_wrap.js:1105:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:639:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)
So the after reading the error.
Just downloaded the file manually and placed it on the required path.
i.e
C:\Users\Sam\AppData\Local\Temp\phantomjs\
This solved my problem.
PhantomJS not found on PATH
Download already available at C:\Users\sam\AppData\Local\Temp\phantomjs\phantomjs-2.1.1-windows.zip
Verified checksum of previously downloaded file
Extracting zip contents
A disclaimer: This solution is less secure, bad practice, don't do this.
I had a duplicate error message--I'm behind a corporate VPN/firewall. I was able to resolve this issue by adding a .typingsrc file to my user directory (C:\Users\MyUserName\.typingsrc in windows). Of course, anytime you're circumventing SSL you should be yapping to your sys admins to fix the certificate issue.
Change the registry URL from https to http, and as seen in nfiles' answser above, set rejectUnauthorized to false.
.typingsrc (placed in project directory or in user root directory)
{
"rejectUnauthorized": false,
"registryURL": "http://api.typings.org/"
}
Optionally add your github token (I didn't find success until I had added this too.)
{
"rejectUnauthorized": false,
"registryURL": "http://api.typings.org/",
"githubToken": "YourGitHubToken"
}
See instructions for setting up your github token at https://github.com/blog/1509-personal-api-tokens
Once you have your certificate (cer or pem file), add it as a system variable like in the screenshot below.
This is the secure way of solving the problem, rather than disabling SSL. You have to tell npm or whatever node tool you're using to use these certificates when establing an SSL connection using the environment variable NODE_EXTRA_CA_CERTS.
This is common when you're behind a corporate firewall or proxy. You can find the correct certificate by just inspecting the security tab in Chrome when visiting a page while on your company's VPN or proxy and exporting the certificate through the "Manage Computer Certificates" window in Windows.
On FreeBSD, this error can be produced because the cafile path is set to a symlink instead of the absolute path.
I'm behind a corporate firewall and cannot connect using the command line interface, which probably doesn't get proxy information from the system configuration, but I cannot find a way to set the correct options.
The environment variables mentioned in the other answer are part of the solution, so you do need to set them by running these commands before az login. Note that (in my case, at least) both URLs start with http, not https.
In PowerShell:
$env:HTTP_PROXY="http://my-proxy-details"
$env:HTTPS_PROXY="http://my-proxy-details"
In cmd:
SET HTTP_PROXY http://my-proxy-details
SET HTTPS_PROXY http://my-proxy-details
Or, to set them permanently:
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://my-proxy-details", "Machine")
[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://my-proxy-details", "Machine")
If that fixes it for you, you can stop reading here. If not, and you see a certificate error, the extra step is to find the Azure CLI's private Python installation, and add your root certificate to its cacert.pem files. While Python itself uses the Windows certificate store, some packages (notably certifi) do not.
You will need your proxy's root certificate in PEM format - that is, as base64 text rather than as a binary. It may well have the .cer extension.
Find the site-packages folder inside Azure CLI's program folder. For me, it's C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages. Search it for files named cacert.pem. I found three of them. Copy the contents of your certificate and paste it at the bottom of each of these files. Save them and try again.
You could use HTTP_PROXY or HTTPS_PROXY environment variables to set a proxy.
In CMD
You need add "=" when set environment variables:
SET HTTP_PROXY=http://my-proxy-details
SET HTTPS_PROXY=http://my-proxy-details
In PowerShell:
$env:HTTP_PROXY="http://my-proxy-details"
$env:HTTPS_PROXY="http://my-proxy-details"