GAMADV-X SSL CERTIFICATE_VERIFY_FAILED error, only for SOME queries

231 views
Skip to first unread message

MarionBates

unread,
Jan 17, 2017, 3:07:40 PM1/17/17
to GAM for G Suite
Hi,

Apologies if this has been asked/answered, OR if I'm posting in the wrong forum. I'm trying to use GAMADV-X and am getting certificate_verify_failed errors but only on CERTAIN commands. E.g. "gam info user" works, but "gam user [blah] print contacts" fails:

-------
[root@gamhost gamadv-x]# ./gam info user marion...@domain.com
  Settings:
    First Name: Marion
    Last Name: Bates
    Full Name: Marion Bates
    Is a Super Admin: False
    Is Delegated Admin: False
    Has Agreed to Terms: True
    IP Whitelisted: False
    Account Suspended: False
    Must Change Password: False
    Google Unique ID: [redacted]
    Customer ID: [redacted]
    Mailbox is setup: True
    Included in GAL: True
    Creation Time: 2016-07-13T13:05:40.000Z
    Last login time: 2017-01-13T14:20:48.000Z
    Google Org Unit Path: /Staff
    Photo URL: [redacted]
  Groups: (1)
    IT Alerts: it-a...@domain.com
  Licenses: (1)
    Google-Apps-Unlimited

[root@gamhost gamadv-x]# ./gam user marion...@domain.com print contactgroups
Getting all Contact Groups for marion...@domain.com
Temporary error: 1 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590). Backing off 16 seconds..
------

We're not doing MITM SSL inspection, and the system time is correct. Any other suggestions?

Please advise...thank you very much!

-- MB

Ross Scroggs

unread,
Jan 17, 2017, 3:38:56 PM1/17/17
to google-ap...@googlegroups.com
Marion,

What this means is that the SSL certificates on your PC/Mac are not set up correctly:
Most APIs are going to: 'https://www.googleapis.com/auth/API specific 
The Contacts API is going to: https://www.google.com/m8/feeds

Try this: ./gam config no_verify_ssl true user marion...@domain.com print contact groups

Ross

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b85ee939-d51d-4b43-a927-43cfdb9a7cf5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

MarionBates

unread,
Jan 18, 2017, 10:36:27 AM1/18/17
to GAM for G Suite
Hi Ross,

Thank you for the reply! FYI this is a CentOS 7 system. Based on that link and other similar posts, I tried the following:

update-ca-trust force-enable
(got https://curl.haxx.se/ca/cacert-2017-01-18.pem, copied it to /etc/pki/ca-trust/source/anchors/)
update-ca-trust extract

But still got the same message when I tried the printcontactgroups command. 

I then tried 

/usr/local/bin/gamadv-x/gam config no_verify_ssl true user marion...@domain.com print contactgroups


but it gave the same error message! So THEN I edited ~/.gam/gam.cfg and changed

no_verify_ssl = false


to

no_verify_ssl = true


and tried

/usr/local/bin/gamadv-x/gam user marion...@domain.com print contactgroups


and STILL got the same error.

What am I doing wrong?

Thank you again, very much.

-- MB
To post to this group, send email to google-ap...@googlegroups.com.



--

Ross Scroggs

unread,
Jan 18, 2017, 11:56:12 AM1/18/17
to google-ap...@googlegroups.com
Marion,

I've updated the certificates that GAM uses: https://github.com/taers232c/GAMADV-X/releases

Set no_verify_ssl = false in gam.cfg

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

MarionBates

unread,
Jan 18, 2017, 12:45:58 PM1/18/17
to GAM for G Suite
Hi Ross,

Hmm, do I need to nuke cache(s) or something? I installed the updated version, but same result. My cfg is below, along with example output again:

[root@gamhost gamadv-x]# ./gam version
Ross Scroggs <ross.s...@gmail.com>
Python 2.7.12 64-bit final
google-api-python-client 1.5.5
Linux-3.10.0-514.2.2.el7.x86_64-x86_64-with-centos-7.3.1611-Core x86_64
Path: /usr/local/bin/gamadv-x
[root@gamhost gamadv-x]# ls ~/.gam
client_secrets.json  gamcache  gam.cfg  oauth2service.json  oauth2.txt  oauth2.txt.lock
[root@gamhost gamadv-x]# cat ~/.gam/gam.cfg 
[DEFAULT]
activity_max_results = 100
auto_batch_min = 0
batch_size = 50
cache_dir = /root/.gam/gamcache
cache_discovery_only = false
charset = utf-8
client_secrets_json = client_secrets.json
config_dir = /root/.gam
contact_max_results = 100
csv_input_column_delimiter = ,
csv_output_column_delimiter = ,
csv_output_convert_cr_nl = false
csv_output_field_delimiter = ' '
customer_id = my_customer
debug_level = 0
device_max_results = 500
domain = ''
drive_dir = /root/Downloads
drive_max_results = 1000
email_batch_size = 100
extra_args = 
member_max_results = 200
no_browser = true
no_cache = false
no_update_check = false
no_verify_ssl = false
num_threads = 25
oauth2_txt = oauth2.txt
oauth2service_json = oauth2service.json
section = ''
show_convert_cr_nl = false
show_counts_min = 1
show_gettings = true
timezone = utc
todrive_conversion = true
todrive_parent = root
todrive_timestamp = false
user_max_results = 500

[root@gamhost gamadv-x]# /usr/local/bin/gamadv-x/gam user marion...@domain.com print contactgroups
Getting all Contact Groups for marion...@domain.com
Temporary error: 1 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590). Backing off 16 seconds...^C[root@wa
tchhouse gamadv-x]# /usr/local/bin/gamadv-x/gam user marion...@domain.com print drivesettings
Getting Drive Settings for marion...@domain.com
email,languageCode,DRIVE,GMAIL,PHOTOS,folderColorPalette,quotaBytesUsedAggregate,permissionId,largestChangeId,quotaBytesUsedInTrash,domainSharingPolicy,quotaType,name,quotaBytesTotal,rootFolderId,quotaBytesUsed
marion...@domain.com,en-US,0kb,272mb,0kb,"[u'#ac725e', u'#d06b64', u'#f83a22', u'#fa573c', u'#ff7537', u'#ffad46', u'#fad165', u'#fbe983', u'#b3dc6c', u'#7bd148', u'#16a765', u'#42d692', u'#92e1c0', u'#9fe1e7', u'#9fc6e7', u'#4986e7', u'#9a9cff', u'#b99aff', u'#a47ae2', u'#cd74e6', u'#f691b2', u'#cca6ac', u'#cabdbf', (...etc)

Thank you again for your rapid responses and help -- I'm sure we're close and I'm probably missing something obvious!

-- MB

Ross Scroggs

unread,
Jan 18, 2017, 2:26:34 PM1/18/17
to google-ap...@googlegroups.com
Marion,

You can empty /root/.gam/gamcache

Ross


--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/a2fae84b-b1e4-4a3b-b9dd-3c0720812d32%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

MarionBates

unread,
Jan 18, 2017, 2:46:11 PM1/18/17
to GAM for G Suite
Hi Ross,

OK, I did that, and rebooted the whole server (for different reasons), and tried again, but still no luck.  :(  

I get the same error if I try to "show sites" too. I don't know if that offers any clues. 

I'll keep poking...thanks again,

-- MB
To post to this group, send email to google-ap...@googlegroups.com.



--

Ross Scroggs

unread,
Jan 18, 2017, 2:51:01 PM1/18/17
to google-ap...@googlegroups.com
Marion,

Call me at 510-421-0357 or Skype at rossscroggs

Ross

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/5f7aa4dd-6be1-4dbe-97ff-1a6522ebeea8%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

MarionBates

unread,
Jan 20, 2017, 10:07:24 AM1/20/17
to GAM for G Suite
Just to update the thread: Something about my environment doesn't play nice with the precompiled binary of GAMADV-X. When I use the source version, it works as expected.  :)   Thanks again, Ross!

-- MB
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

Ross Scroggs

unread,
Jan 20, 2017, 11:09:13 AM1/20/17
to google-ap...@googlegroups.com
Marion,

Is this at home? Does the source version do contacts without no_verify_ssl true?

Inquiring minds want to know,

Ross

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/cfdbc104-1345-4d63-ad4a-891e53bb64c3%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

MarionBates

unread,
Jan 25, 2017, 11:21:44 AM1/25/17
to GAM for G Suite
Hi Ross, sorry for delayed reply. This is all still on the same host -- CentOS 7 -- I have not yet had a chance to test from another environment, but when I do, I will post results.  :)

Thanks,

-- MB
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--
Reply all
Reply to author
Forward
0 new messages