[Core] Add truststore library so System certificates are trusted automatically

[timja]

Related command

core

Description

Fixes #28050
Fixes #26456
Fixes #29948

Testing Guide

Run az commands when behind a MitM proxy with the certificates in a trusted OS store and without setting the REQUESTS_CA_BUNDLE environment value

e.g. I've been using:

az rest --uri $STORAGE_ACCOUNT

Before:

HTTPSConnectionPool(host='***.web.core.windows.net', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1000)')))
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy.

After:

The requested content does not exist.(<!DOCTYPE html><html><head><title>WebContentNotFound</title></head><body><h1>The requested content does not exist.</h1><p><ul><li>HttpStatusCode: 404</li><li>ErrorCode: WebContentNotFound</li><li>RequestId : 8465eefc-801e-00b6-01fa-464419000000</li><li>TimeStamp : 2024-12-05T09:47:28.0584286Z</li></ul></p></body></html>)

History Notes

[Core] Add truststore library so System certificates are trusted automatically

---

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.

[azure-client-tools-bot-prd]

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

⚠️Your changes in this PR will be released on Jan 14, 2025 due to CCOA (extend to Jan 6, 2025)

[microsoft-github-policy-service]

Thank you for your contribution timja! We will review the pull request and get back to you soon.

[FumingZhang]

This seems to be a proper way to handle CA cert verification failure, but the newly added lib truststore requires Python 3.10+, while azure-cli still supports Python 3.9, cc @jiasli

[jiasli]

Applying SSLContextAdapter in send_raw_request() will only affect az rest. All other commands that use Azure Python SDK will not benefit from this change. MSAL is not affected either.

There is a similar feature request AzureAD/microsoft-authentication-library-for-python#685 for supporting using certificates from system certificate store for service principal authentication.

[jiasli]

Thanks for the contribution, but we currently don't have a plan to support system certificate store (#19305).