Functionapp deploy health check fails when no public network access

[solita-tonimiettinen]

Describe the bug

When doing a config-zip deploy to a Function App that has IP restrictions to only allow incoming traffic to functions from certain Service Tags, the deployment succeeds (upload and trigger sync ok) but fails when doing a check for service health. SCM has been configured to allow public access.

I assume this is because the Function is not reachable from where the CLI command is called even though the error claims to be about certificate verification, because with public network access it succeeds.
Doing zip upload and trigger syncing manually via SCM url and management API works.

It would be nice if there was a workaround, e.g. disabling the health check. Now the error is failing CD pipelines, even though the deployment itself is successful.

About auto-suggested solutions: this is a Flex Consumption tier fn app, and I cannot see "advanced tool site" settings on networking blade. Basic auth is turned on.

Related command

az functionapp deployment source config-zip -g ${rg} -n ${fn_app_name} --src ${deploymentzip}

Errors

Getting scm site credentials for zip deployment
Starting zip deployment. This operation can take a while to complete ...
Deployment endpoint responded with status code 202 for deployment id "a80925ff-5aed-4e12-a5eb-efcae6e9d5a0"
Waiting for sync triggers...
Checking the health of the function app
HTTPSConnectionPool(host='func-3423586-northeurope-001.azurewebsites.net', port=443): Max retries exceeded with url: /admin/host/status (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://learn.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

Issue script & Debug output

CLI output after other steps have completed

cli.azure.cli.command_modules.appservice.custom: Checking the health of the function app

...

urllib3.connectionpool: https://func-3423586-northeurope-001.azurewebsites.net:443 "GET /admin/host/status HTTP/1.1" 403 1892
urllib3.connectionpool: Starting new HTTPS connection (1): func-3423586-northeurope-001.azurewebsites.net:443
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/urllib3/connectionpool.py", line 715, in urlopen
    httplib_response = self._make_request(
                       ^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/urllib3/connectionpool.py", line 404, in _make_request
    self._validate_conn(conn)
  File "/opt/az/lib/python3.12/site-packages/urllib3/connectionpool.py", line 1060, in _validate_conn
    conn.connect()
  File "/opt/az/lib/python3.12/site-packages/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
                ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/opt/az/lib/python3.12/ssl.py", line 1319, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/urllib3/connectionpool.py", line 801, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/urllib3/util/retry.py", line 594, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='func-3423586-northeurope-001.azurewebsites.net', port=443): Max retries exceeded with url: /admin/host/status (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/appservice/custom.py", line 688, in enable_zip_deploy_functionapp
    response = check_flex_app_after_deployment(cmd, resource_group_name, name)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/appservice/custom.py", line 731, in check_flex_app_after_deployment
    response = requests.get(host_status_url, headers=headers,
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/requests/api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='func-3423586-northeurope-001.azurewebsites.net', port=443): Max retries exceeded with url: /admin/host/status (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)')))

cli.azure.cli.core.azclierror: HTTPSConnectionPool(host='func-3423586-northeurope-001.azurewebsites.net', port=443): Max retries exceeded with url: /admin/host/status (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)')))
az_command_data_logger: HTTPSConnectionPool(host='func-3423586-northeurope-001.azurewebsites.net', port=443): Max retries exceeded with url: /admin/host/status (Caused by SSLError(SSLEOFError(8, '[SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://learn.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

Expected behavior

Function Deployment succeeds

Environment Summary

azure-cli 2.71.0

core 2.71.0
telemetry 1.1.0

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1

Python location '/opt/az/bin/python3'
Config directory '/home/user/.azure'
Extensions directory '/home/user/.azure/cliextensions'

Python (Linux) 3.12.8 (main, Mar 25 2025, 10:55:23) [GCC 13.3.0]

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Az webapp depoyment config-zip fails certificate verification #26635
• az webapp deploy fails because of an SSL error, (incorrectly) suggesting that I'm behind a proxy #24321

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Ensure that the 'Advanced Tool Site' is accessible in the networking settings of the App Service. The CLI deployment uses that site and needs access to it. Allowing access to the advanced tool site solved the issue for me.

Reference:

• az webapp deploy fails because of an SSL error, (incorrectly) suggesting that I'm behind a proxy #24321 (comment)

Solution 2:

Check the App Services Configuration blade under General Settings in the Azure portal. Ensure that 'Basic Authentication' is turned on. Disabling basic authentication for FTP and SCM access can block access, especially if using a service principal with a client secret, as it uses basic auth.

Reference:

• Az webapp depoyment config-zip fails certificate verification #26635 (comment)
• Az webapp depoyment config-zip fails certificate verification #26635 (comment)

Powered by issue-sentinel

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AnatoliB, @Francisco-Gamino, @shreyabatra4.