Certificate verification failure when running gclient sync

5,056 views
Skip to first unread message

Shezan Baig

unread,
Nov 21, 2013, 2:08:09 PM11/21/13
to chromi...@chromium.org
After a recent sync, I started getting the following error:

________ running 'download_from_google_storage --no_resume --platform=linux* --no_auth --bucket chromium-gn -s src/tools/gn/bin/linux/gn.sha1' in '/media/BIGSTOR/chromium.trunk'
/media/BIGSTOR/depot_tools/third_party/boto/pyami/config.py:75: UserWarning: Unable to load AWS_CREDENTIAL_FILE ()
  warnings.warn('Unable to load AWS_CREDENTIAL_FILE (%s)' % full_path)
Failure: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

It looks like https://codereview.chromium.org/76583002 sets env['AWS_CREDENTIAL_FILE'] to an empty string, which is not handled well by $depot_tools/third_party/boto/pyami/config.py

*Unsetting* AWS_CREDENTIAL_FILE (instead of setting it to an empty string) removes the first warning.  However, I still get:

Failure: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

I'm not sure where this error is coming from, and what certificate is not getting verified.  Does anyone have any idea about this?

Thanks!
-shez-

Abhijeet Kandalkar

unread,
Dec 19, 2013, 3:28:45 AM12/19/13
to chromi...@chromium.org

I am also facing same problem.

@shez : Could you please help me if you figure out solution.

Regards,
Abhijeet

Shezan Baig

unread,
Dec 19, 2013, 9:33:58 AM12/19/13
to kandalkar....@gmail.com, chromi...@chromium.org

I narrowed it down to a bad proxy configuration at my workplace.  The same command works fine from home.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

Sylvain G

unread,
Feb 19, 2014, 3:21:51 AM2/19/14
to chromi...@chromium.org, kandalkar....@gmail.com
Would you happen to know how to fix the proxy configuration?

I'm facing the same problem, but cannot bypass my proxy (living in China, a proxy is needed to access google). I tried 2 different proxies, both have the same issue...

Shezan Baig

unread,
Feb 19, 2014, 6:44:12 AM2/19/14
to sylvain...@gmail.com, chromi...@chromium.org, kandalkar....@gmail.com

The network people at my workplace are aware of this and they are working on a solution.  Basically, if the proxy is blocking it, there's not much you can do apart from getting them to allow access.

For now, I can get by without downloading GN.  If the proxy is still an issue for me when the time comes that I actually need GN, then I'll probably just try figure out a way to build it from source, rather than downloading the binary.  But I haven't reached that stage yet..

Sylvain G

unread,
Feb 19, 2014, 6:56:01 AM2/19/14
to chromi...@chromium.org, sylvain...@gmail.com, kandalkar....@gmail.com
Thanks,

It seems there is a workaround for the certificate problem using a proxy.
I used "gsutil config -r" to create a ~/.boto file with proxy details filled in, then made sure download_from_google_storage.py was using this file (ignoring the --no-auth option coming from gclient. sorry it's dirty).

It seems to work as "gclient runhooks" completes and i can now build chromium.

Shezan Baig

unread,
Feb 19, 2014, 6:59:33 AM2/19/14
to sylvain...@gmail.com, chromi...@chromium.org, kandalkar....@gmail.com

I'm pretty sure I tried that :)

This was a few months ago though, and I haven't tried since.  Maybe (hopefully?) things have changed since then :)

Thanks!

徐亮

unread,
Feb 23, 2014, 7:01:01 AM2/23/14
to chromi...@chromium.org, sylvain...@gmail.com, kandalkar....@gmail.com
I'm a newbie of webrtc and chromium from China. I have same problem when I tried to compile webrtc.


  b.  export PATH="$PATH":`pwd`/depot_tools
  d.  gclient sync --force

After a long time downloading,  I got error:

Syncing projects:  97% (39/40), done.tools/win/supalink
......
________ running 'download_from_google_storage --directory --recursive --num_threads=10 --no_auth --bucket chromium-webrtc-resources trunk/resources' in '/home/lxu/workspace/webrtc'
/home/lxu/depot_tools/third_party/boto/pyami/config.py:75: UserWarning: Unable to load AWS_CREDENTIAL_FILE ()
  warnings.warn('Unable to load AWS_CREDENTIAL_FILE (%s)' % full_path)
Failure: 'NoneType' object is not callable.


I haven't set AWS_CREDENTIAL_FILE env and I haven't set any proxy. 

Do the GFW block the google storage? But I can download other 39 dependencies until the last one.

Sylvain, I saw you have a workaround. Can you share the detail with me?

Thanks.

Xu Liang


在 2014年2月19日星期三UTC+8下午7时56分01秒,Sylvain G写道:

徐亮

unread,
Feb 23, 2014, 8:55:08 AM2/23/14
to chromi...@chromium.org, sylvain...@gmail.com
I had tried :

env http_proxy=http://aaa.bbb.com:8080/  gclient sync --force

Now I had got "certificate verify failed". 

/home/lxu/depot_tools/third_party/boto/pyami/config.py:75: UserWarning: Unable to load AWS_CREDENTIAL_FILE ()
  warnings.warn('Unable to load AWS_CREDENTIAL_FILE (%s)' % full_path)
Failure: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

What's the detail about : "I used "gsutil config -r" to create a ~/.boto file with proxy details filled in, then made sure download_from_google_storage.py was using this file (ignoring the --no-auth option coming from gclient. "


2014-02-23 20:38 GMT+08:00 徐亮 <lxu...@gmail.com>:

I'm working at Ubuntu 12.04. 

Do you mean set a HTTP proxy at Ubuntu just like :

env http_proxy=http://aaa.bbb.com:8080/  gclient sync --force

thanks.


2014-02-23 20:26 GMT+08:00 Abhijeet Kandalkar <kandalkar....@gmail.com>:

Set proxy before running gclient sync.1




--
Liang Xu



--
Liang Xu



--
Liang Xu

Sylvain G

unread,
Feb 24, 2014, 2:09:04 AM2/24/14
to chromi...@chromium.org, sylvain...@gmail.com
Hi,

what I did is the following:
- get gsutils (it's not in depot_tools) https://developers.google.com/storage/docs/gsutil
- type "gsutils config -r ". this will create a ~/.boto file that provides connection details (proxy, among others) for read-only access to google servers.
- modify this ~/.boto file to fill in the proxy infos from your location (around line 85)
- then i did a dirty hack in the code of download_from_google_storage.py (from depot_tools), around line 396, replace:

  # Set the boto file to /dev/null if we don't need auth.
  if options.no_auth:
    options.boto = os.devnull

with:

  # Set the boto file to /dev/null if we don't need auth.
  if options.no_auth:
    options.boto = "~/.boto" #path to the boto file you created with gsutils
    #options.boto = os.devnull

- then i simply run "gclient sync", and it worked for me

hope it helps

sathish kumar

unread,
May 19, 2014, 5:57:14 AM5/19/14
to chromi...@chromium.org, sylvain...@gmail.com
This is not working for me.. do have any other solution?

Primiano Tucci

unread,
May 19, 2014, 6:19:07 AM5/19/14
to sathish...@gmail.com, Chromium-dev, sylvain...@gmail.com
Note that this mailing list is for chromium development, you probably might want to ask this question on discuss-webrtc.

- get gsutils (it's not in depot_tools)

This is wrong. gsutil IS in depot_tools (/path/to/depot_tools/third_party/gsutil). depot_tools will use their own version of gsutil AFAIK.
Try to run gsutil config -r on that instance, not whatever you have in your path.
i.e., /path/to/depot_tools/third_party/gsutil/gsutil config -r
Reply all
Reply to author
Forward
0 new messages