Invalid and/or missing SSL certificate for URL when calling apiclient.discovery.build

4.3k views Asked by At

So I'm running my google endpoint locally with dev_appserver.py. I use the API explorer to test the application.

The code I'm using to create the Service, so I can call the API is the following:

from apiclient.discovery import build 
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
service = build('speech', 'v1beta1', credentials=credentials)

I receive an SSL error (Invalid and/or missing SSL certificate), even though when I access the stated URL via browser it works fine (that is, the green padlock shows up).

I'm not sure what changed, but this was working fine not long ago.

I tried to disable SSL checking, but was unable to.

Full logs below:

INFO     2017-01-02 03:12:02,724 discovery.py:267] URL being requested: GET https://www.googleapis.com/discovery/v1/apis/speech/v1beta1/rest?userIp=0.2.0.3
ERROR    2017-01-02 03:12:03,022 wsgi.py:263] 
Traceback (most recent call last):
  File "/home/vini/opt/google-cloud-sdk/platform/google_appengine/google/appengine/runtime/wsgi.py", line 240, in Handle
    handler = _config_handle.add_wsgi_middleware(self._LoadHandler())
  File "/home/vini/opt/google-cloud-sdk/platform/google_appengine/google/appengine/runtime/wsgi.py", line 299, in _LoadHandler
    handler, path, err = LoadObject(self._handler)
  File "/home/vini/opt/google-cloud-sdk/platform/google_appengine/google/appengine/runtime/wsgi.py", line 85, in LoadObject
    obj = __import__(path[0])
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/api.py", line 28, in <module>
    service = build('speech', 'v1beta1', credentials=credentials)
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/lib/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/lib/googleapiclient/discovery.py", line 222, in build
    cache)
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/lib/googleapiclient/discovery.py", line 269, in _retrieve_discovery_doc
    resp, content = http.request(actual_url)
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/lib/httplib2/__init__.py", line 1609, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/lib/httplib2/__init__.py", line 1351, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/mnt/b117/home/vini/udacity/cerci-endpoint/lib/httplib2/__init__.py", line 1307, in _conn_request
    response = conn.getresponse()
  File "/home/vini/opt/google-cloud-sdk/platform/google_appengine/google/appengine/dist27/gae_override/httplib.py", line 532, in getresponse
    raise HTTPException(str(e))
HTTPException: Invalid and/or missing SSL certificate for URL: https://www.googleapis.com/discovery/v1/apis/speech/v1beta1/rest?userIp=0.2.0.3

Any ideas what could be causing this problem?

Do I have to "install" or update the SSL certificates used by python?

3

There are 3 answers

5
danielx On BEST ANSWER

According to App Engine issue 13477 it seems that some of the certificates found in urlfetch_cacerts.txt that is included in the App Engine Python SDK / gcloud-sdk expired 2017-01-01.

As a temporary workaround, you can replace the contents of <your-cloud-sdk-path>/platform/google_appengine/lib/cacerts/urlfetch_cacerts.txt with https://curl.haxx.se/ca/cacert.pem

1
Fakeer On

Got this error on local dev environment as recently as Aug 2017. The fix is to update all urlfetch calls and force validation of the certs:

urlfetch.fetch(url=url, validate_certificate=True)

Did not have to touch the gcloud certs (MacOS). See Issuing an HTTPS request.

0
seyisulu On

To build on the answer by @danielx for those on macOS, this is what worked for me. The path to the certificates for me was:

/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/lib/cacerts/urlfetch_cacerts.txt

To update it, I used the following steps:

cd /Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/lib/cacerts
mv urlfetch_cacerts.txt urlfetch_cacerts.bup
curl -o urlfetch_cacerts.txt -k https://curl.haxx.se/ca/cacert.pem

If you don't have curl installed, you can manually download the certificates an move them to the folder above. Don't forget to restart the App Engine dev server if it is already running.