When verifying HTTPS connection, urlopen and requests by default use different CA bundles:
Such inconsistency frequently causes issues. It is also difficult to handle such inconsistency correctly:
According to the documentation of urllib.request:
https://docs.python.org/3/library/urllib.request.html
The Requests package is recommended for a higher-level HTTP client interface.
All Azure Python SDKs use requests to make HTTPS request, so does azure.cli.core.util.send_raw_request, so all usages of urllib.request.urlopen should be replaced by requests.
When verifying HTTPS connection,
urlopenandrequestsby default use different CA bundles:urlopenuses the system CA bundle (https://docs.python.org/3/library/ssl.html#ssl.create_default_context)requestsuses (https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification)REQUESTS_CA_BUNDLECURL_CA_BUNDLEcertifi.where()Such inconsistency frequently causes issues. It is also difficult to handle such inconsistency correctly:
az bicep install: Fix the CERTIFICATE_VERIFY_FAILED for generating SSL #20183az bicep: Fix to use requests environment variables for CA bundle #21807https://downloads.bicep.azure.com/from Mariner 2.0 fails withssl.SSLCertVerificationError#26007According to the documentation of
urllib.request:https://docs.python.org/3/library/urllib.request.html
All Azure Python SDKs use
requeststo make HTTPS request, so doesazure.cli.core.util.send_raw_request, so all usages ofurllib.request.urlopenshould be replaced byrequests.