az cli - ssl - "Basic Constraints of CA cert not marked critical" #32749
Description
Describe the bug
Hey all. In our corporate environment, we MiTM our traffic using a network monitoring tool. We get this below error when using az login, and we have already set the related SSL cert environment variables.
This error below makes me feel like our cert that we're trusting is missing some sort of field. Is there any way we can fix this, or override the validation and still trust our cert?
"""HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1032)')))"""
Related command
az login
Errors
"""HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1032)')))"""
Issue script & Debug output
"""HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /organizations/v2.0/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1032)')))"""
Expected behavior
az login works.
Environment Summary
azure-cli 2.83.0
core 2.83.0
telemetry 1.1.0
Dependencies:
msal 1.35.0b1
azure-mgmt-resource 23.3.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\User.azure'
Extensions directory 'C:\Users\User.azure\cliextensions'
Python (Windows) 3.13.11 (tags/v3.13.11:6278944, Dec 5 2025, 16:26:58) [MSC v.1944 64 bit (AMD64)]
Additional context
No response