Error deploying Durable Function to App Service Plan. #703

Closed
tom-canova opened this issue Oct 11, 2018 · 6 comments
@tom-canova

Not sure if this is related, but we have our own wildcard cert associated with our app service environment.

<Please be sure to remove any private information before submitting.>

Repro steps:
<Enter steps to reproduce issue>

Action: azureFunctions.deploy
Error type: UNABLE_TO_VERIFY_LEAF_SIGNATURE
Error Message: unable to verify the first certificate

Version: 0.11.0
OS: win32

@tom-canova
Author

Trying a zip deploy yields some additional detail:
```
C:\git\bcs-bt-order-az-functions>az functionapp deployment source config-zip -g rg-BCS-functions-dev -n bcsinbtordservicesv2 --src publish.zip
HTTPSConnectionPool(host='bcsinbtordservicesv2.scm.paas.mms.mckesson.com', port=443): Max retries exceeded with url: /api/zipdeploy (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\contrib\pyopenssl.py", line 441, in wrap_socket
    cnx.do_handshake()
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\OpenSSL\SSL.py", line 1806, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\OpenSSL\SSL.py", line 1546, in _raise_ssl_error
    _raise_current_error()
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\OpenSSL\_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\connection.py", line 326, in connect
    ssl_context=context)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\util\ssl_.py", line 329, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\contrib\pyopenssl.py", line 448, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\requests\adapters.py", line 440, in send
    timeout=timeout
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\urllib3\util\retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='bcsinbtordservicesv2.scm.paas.mms.mckesson.com', port=443): Max retries exceeded with url: /api/zipdeploy (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\knack\cli.py", line 194, in invoke
    cmd_result = self.invocation.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 342, in execute
    six.reraise(*sys.exc_info())
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\six.py", line 693, in reraise
    raise value
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 315, in execute
    result = cmd(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 175, in __call__
    return super(AzCliCommand, self).__call__(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\knack\commands.py", line 109, in __call__
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\__init__.py", line 349, in default_command_handler
    result = op(**command_args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\appservice\custom.py", line 164, in enable_zip_deploy
    r = requests.post(zip_url, data=zip_content, headers=headers)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\requests\api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\requests\api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\requests\sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\requests\sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\requests\adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='bcsinbtordservicesv2.scm.paas.mms.mckesson.com', port=443): Max retries exceeded with url: /api/zipdeploy (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
```

@tom-canova
Author

I ended up addressing this by setting the environment variable REQUESTS_CA_BUNDLE to a PEM-formatted CA store with additional CAs and our wildcard cert used on the ASE and with the functions.
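The workaround described in the comment above, as an added example that is not part of the original thread or of the Azure CLI: it merges an existing PEM trust bundle with extra CA certificates, drops duplicates, refuses input that contains a private key, and points `REQUESTS_CA_BUNDLE` at the result so certificate verification stays enabled. The function names and the sample PEM blocks are assumptions made here; the blocks are constructed placeholders, not real certificates, and in real use the first source would be the existing bundle file (for example the one `certifi.where()` returns).

```python
import base64
import os
import re
import tempfile
import textwrap

_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")
_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")

def pem_certs(text, source):
    """Return the normalized base64 body of every certificate in PEM text."""
    if _KEY.search(text):
        raise ValueError(f"{source}: private key found; a trust bundle holds certificates only")
    bodies = ["".join(b.split()) for b in _CERT.findall(text)]
    if not bodies:
        raise ValueError(f"{source}: no PEM certificates found")
    for body in bodies:
        base64.b64decode(body, validate=True)  # raises on corrupt base64
    return bodies

def merge_bundles(sources):
    """sources: list of (name, pem_text). Returns one PEM bundle, duplicates dropped."""
    seen, blocks = set(), []
    for name, text in sources:
        for body in pem_certs(text, name):
            if body not in seen:
                seen.add(body)
                blocks.append(_wrap(body))
    return "".join(blocks)

def _wrap(body):
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")

def _constructed(label):
    # Constructed placeholder, NOT a real certificate: base64 of a label string.
    return _wrap(base64.b64encode(label).decode())

PUBLIC_ROOTS = _constructed(b"constructed public root A") + _constructed(b"constructed public root B")
PRIVATE_CAS = _constructed(b"constructed private issuing CA") + _constructed(b"constructed public root A")

if __name__ == "__main__":
    merged = merge_bundles([("public roots", PUBLIC_ROOTS), ("private CAs", PRIVATE_CAS)])
    path = os.path.join(tempfile.mkdtemp(), "ca-bundle.pem")
    with open(path, "w", newline="\n") as fh:
        fh.write(merged)
    # requests reads this variable when it picks the CA file for verification.
    os.environ["REQUESTS_CA_BUNDLE"] = path
    print(path, merged.count("BEGIN CERTIFICATE"), "certificates")
```

The variable has to be set in the environment of the process that makes the HTTPS call, so for the `az` command it is set in the shell before the command is run.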

@tom-canova
Author

Seems like a hack to need to manually set a Python environment variable, though I do understand the need to provide additional certs. It would be helpful if it was better documented and if the error messages were helpful to provide a link to a possible solution.

@ejizba
Contributor

ejizba commented Oct 11, 2018

@tom-canova glad you got it figured out. Just curious - how did you find that environment variable?

Also I'd like to understand your scenario better. Why do you need additional certs? Are you behind a proxy? Or is this specific to your ASE?

@tom-canova
Author

tom-canova commented Oct 12, 2018 via email

@ejizba ejizba added this to the future milestone Oct 17, 2018
@ejizba
Contributor

ejizba commented Mar 18, 2019

Closing as external. VS Code has made some improvements to certs on Insiders and it was working for me there. See microsoft/vscode#52880

@ejizba ejizba closed this as completed Mar 18, 2019
@ejizba ejizba removed this from the future milestone Mar 18, 2019
@ejizba ejizba added external and removed P2 bug labels Mar 18, 2019
@vscodebot vscodebot bot locked and limited conversation to collaborators May 2, 2019