HTTPException: invalid and/or missing SSL certificate for url: https://accounts.google.com/o/oauth2/token

Question

When I call for the Google Earth Engine (GEE) Python APIs through Google AppEngine, it throws out a HTTPException which says "HTTPException: invalid and/or missing SSL certificate for url: https://accounts.google.com/o/oauth2/token". The project runs well before the New Year's Holiday, but it suddenly broke out without any changes on my own codes when I tested it on yesterday.

The detailed error information

Answer 1

I am also experiencing the same issue in my python script with App Engine. It was running fine a few days ago and the certificate for accounts.google.com is valid until March, 9th 2017

File "/Users/QQQ/Documents/Developpements/ae-python-project/app/user_spreadsheet_auth.py", line 55, in _get_service
  service = build('sheets', 'v4', http=http_auth)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/oauth2client/_helpers.py", line 133, in positional_wrapper
  return wrapped(*args, **kwargs)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/googleapiclient/discovery.py", line 222, in build
  cache)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/googleapiclient/discovery.py", line 269, in _retrieve_discovery_doc
  resp, content = http.request(actual_url)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/oauth2client/transport.py", line 159, in new_request
  credentials._refresh(orig_request_method)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/oauth2client/client.py", line 744, in _refresh
  self._do_refresh_request(http)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/oauth2client/client.py", line 775, in _do_refresh_request
  body=body, headers=headers)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/oauth2client/transport.py", line 282, in request
  connection_type=connection_type)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/httplib2/__init__.py", line 1609, in request
  (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/httplib2/__init__.py", line 1351, in _request
  (response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/Users/QQQ/Documents/Developpements/ae-python-project/libs/httplib2/__init__.py", line 1307, in _conn_request
  response = conn.getresponse()
File "/Users/QQQ/google-cloud-sdk/platform/google_appengine/google/appengine/dist27/gae_override/httplib.py", line 532, in getresponse
  raise HTTPException(str(e))
HTTPException: Invalid and/or missing SSL certificate for URL: https://accounts.google.com/o/oauth2/token

Edit: it looks like the issue has been reported here a few hours ago : https://code.google.com/p/googleappengine/issues/detail?id=13477

Answer 2

On the tracker for this GAE issue, the maintainers give a workaround:

As a temporary workaround, you can replace the expired urlfetch_cacerts.txt with https://curl.haxx.se/ca/cacert.pem

On linux you can use the following command: wget https://curl.haxx.se/ca/cacert.pem -O {Root of Python SDK}/lib/cacerts/urlfetch_cacerts.txt

Answer 3

For Windows, because the SDK is stored in an Admin Read-only area, I used Windows File Explorer in two steps instead of a script.

First download https://curl.haxx.se/ca/cacert.pem to a folder, e.g. Downloads.

curl https://curl.haxx.se/ca/cacert.pem > urlfetch_cacerts.txt

You can also use a browser to download the file and rename it.

Check where your cacerts are stored. I found them in

C:\Program Files (x86)\Google\google_appengine\lib\cacerts

Others report it in:

C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\google_appengine\lib\cacerts\urlfetch_cacerts.txt 

With Admin credentials, rename the file urlfetch_cacerts.txt to something else.

Then copy the downloaded file cacerts.pem to

C:\Program Files (x86)\Google\google_appengine\lib\cacerts

And rename it to urlfetch_cacerts.txt

Voila!