SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Amit Bhosle

Jul 7, 2017, 8:41:44 PM
to Google App Engine
Hi,

I'm getting this error when invoking the firebase_admin.auth.verify_id_token API.
I've verified that I'm using the latest certificate bundle (certifi-2017.4.17; actually, I reinstalled it as well).

Can someone please help?

This is in the dev_appserver of Google App Engine, on a Windows 10 machine with Python 2.7.

Thanks

George (Cloud Platform Support)

Jul 10, 2017, 11:31:44 AM
to Google App Engine
Hello Amit, 

A corrupted installation might be at the root of this. For troubleshooting purposes, it is useful to check that your files match the following pattern, indicated here in general lines:

~/gsutil$ ls -l gslib/data/cacerts.txt 
-rw-r--r-- 1  gslib/data/cacerts.txt 

~/gsutil$ sha1sum gslib/data/cacerts.txt 
183c495586bf93d2efsdfdyuiiqww5b1b4fa1tycvbvn gslib/data/cacerts.txt 

The output from the following command may prove quite useful as well: 

~/gsutil$ host storage.googleapis.com 

storage-ugc.l.googleusercontent.com has address some_ip_address_here
storage-ugc.l.googleusercontent.com has address some_ip_address_here 
storage-ugc.l.googleusercontent.com has address some_ip_address_here 
storage-ugc.l.googleusercontent.com has IPv6 address some_ipv6_address_here

(It is OK if your resolver returns different IP addresses.)

Amit Bhosle

Jul 11, 2017, 2:07:04 PM
to Google App Engine
Hi George,

Thanks for the response.

nslookup from my Windows machine is showing the following info:

Non-authoritative answer:
Server:  <my ISP>
Address:  192.168.1.1

Addresses:  2607:f8b0:400a:808::2010
          172.217.3.208


Also, not sure what gslib is. I thought installing certifi would be enough.

$ find . -name "cacert*"
./lib/certifi/cacert.pem
./lib/httplib2/cacerts.txt


Do you know how I can check if the required certificate is even present in the above places? (Both of the above files have some certs, and I'm assuming certifi/cacert.pem is the one being used.)

Thanks
Amit
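One way to answer the question above about what a CA bundle actually contains, as an added example that is not code from this thread, from certifi or from httplib2: walk the PEM blocks in a bundle, compute the SHA-256 fingerprint of each certificate, and test whether the fingerprint of the CA you expect is present. The bundle below is constructed for the example and its two blocks are base64 placeholders rather than real X.509 certificates; the PEM framing is the same as in certifi's cacert.pem and httplib2's cacerts.txt. The file-level SHA-1 helper mirrors the sha1sum check suggested earlier in the thread.

```python
import base64
import hashlib
import re

# Constructed sample bundle. The two blocks are NOT real certificates, only
# syntactically valid base64, so the parser has something to walk.
SAMPLE_BUNDLE = """# Example CA bundle (constructed for this example)
-----BEGIN CERTIFICATE-----
MIIBAAIBAQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBAAIBAg==
-----END CERTIFICATE-----
"""

# Matches one PEM certificate block; comment lines between blocks are ignored.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(bundle_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    ders = []
    for match in _PEM_BLOCK.finditer(bundle_text):
        b64 = "".join(match.group(1).split())  # drop line breaks inside the block
        ders.append(base64.b64decode(b64))
    return ders


def fingerprints(bundle_text):
    """Lowercase hex SHA-256 fingerprint of every certificate in the bundle."""
    return [hashlib.sha256(der).hexdigest() for der in pem_blocks(bundle_text)]


def bundle_contains(bundle_text, expected_fingerprint):
    """True if a certificate with the given SHA-256 fingerprint is present.

    Accepts the colon-separated form browsers and openssl print as well as
    plain hex, so a fingerprint copied from a CA's web page can be used directly.
    """
    wanted = expected_fingerprint.replace(":", "").lower()
    return wanted in fingerprints(bundle_text)


def bundle_digest(bundle_bytes):
    """SHA-1 of the raw file bytes, comparable with `sha1sum <bundle>`.

    Read the file in binary mode before calling this; reading it as text on
    Windows would translate line endings and change the digest.
    """
    return hashlib.sha1(bundle_bytes).hexdigest()


if __name__ == "__main__":
    print("certificates in bundle:", len(pem_blocks(SAMPLE_BUNDLE)))
    for fp in fingerprints(SAMPLE_BUNDLE):
        print("  sha256:", fp)
    print("file sha1:", bundle_digest(SAMPLE_BUNDLE.encode("utf-8")))
```

To use it on the files found above, read ./lib/certifi/cacert.pem (or ./lib/httplib2/cacerts.txt) and pass its contents to bundle_contains together with the published SHA-256 fingerprint of the root CA you expect the server's chain to end in; a False result means the bundle on disk, whichever library loads it, cannot validate that chain. Fingerprint matching needs no X.509 parser, which is why this runs on Python 2.7 and 3 with the standard library alone.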

Amit Bhosle

Jul 11, 2017, 3:55:51 PM
to Google App Engine
BTW, I'm able to successfully invoke other APIs that are also hosted on googleapis.com, e.g., Places APIs, radarsearch, etc.
One sample URL is below; as you can see, it is also an HTTPS endpoint.

https://maps.googleapis.com/maps/api/place/details/json?key=API-KEY&placeid=PLACE-ID

The _GOOGLE_APIS_CERTS_URL is listed as:
Not sure what the difference would be between using this API and the one via the Firebase admin client. Could it be that certificate verification is not done for this API?
Or is it an issue with the firebase_admin or google.oauth2 Python libraries?

Amit Bhosle

Jul 11, 2017, 5:26:29 PM
to Google App Engine
Hi again. I thought I'd post an update here based on my debugging.

The initial issue was that I was getting an error: "TypeError: must be _socket.socket, not socket"
I was trying some workarounds mentioned on some forums/blogs, and ended up with the certificate error.

I tried a different workaround now (seems similar to the earlier one); this one monkey-patches an additional platform.platform() method.


"Certificate for key id cfaaafe371b3e2b1a832251233ea51be086ce9c3 not found"


Digging through the code, it looks like the certs are fetched from the GOOGLE_APIS_CERTS_URL I mentioned above:

def verify_token(id_token, request, audience=None,
                 certs_url=_GOOGLE_OAUTH2_CERTS_URL):
    """Verifies an ID token and returns the decoded token.

    Args:
        id_token (Union[str, bytes]): The encoded token.
        request (google.auth.transport.Request): The object used to make
            HTTP requests.
        audience (str): The audience that this token is intended for. If None
            then the audience is not verified.
        certs_url (str): The URL that specifies the certificates to use to
            verify the token. This URL should return JSON in the format of
            ``{'key id': 'x509 certificate'}``.

    Returns:
        Mapping[str, Any]: The decoded token.
    """
    certs = _fetch_certs(request, certs_url)

    return jwt.decode(id_token, certs=certs, audience=audience)



Do you know why the set of certs could be missing the one extracted from my Firebase token?

Thanks
Amit



On Tuesday, July 11, 2017 at 12:55:51 PM UTC-7, Amit Bhosle wrote:
BTW, I'm able to successfully invoke other APIs that are also hosted on googleapis.com, e.g., Places APIs, radarsearch, etc.
One sample URL is below; as you can see, it is also an HTTPS endpoint.
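The "Certificate for key id ... not found" error in the post above is a lookup failure, not a TLS failure: the token's JOSE header names a key id, and that id is used as the key into the ``{'key id': 'x509 certificate'}`` mapping that verify_token fetches. The following added example (not code from the thread, from firebase_admin or from google-auth) shows that lookup in isolation: it decodes the header without verifying anything, selects the certificate by kid, and, because the published key set rotates, refetches once on a miss before giving up. The token, the key ids and the certificate strings are all constructed for the example; the final signature check that google.auth.jwt.decode performs is deliberately left out, so select_cert only answers "which certificate should verify this token", not "is this token valid".

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(header, payload):
    """Build a JWT-shaped string with a dummy signature (constructed input only)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(payload).encode("utf-8")),
        _b64url_encode(b"not-a-real-signature"),
    ])


def jwt_header(id_token):
    """Return the decoded JOSE header of a compact JWT. Performs NO verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0]).decode("utf-8"))


class CertificateNotFound(Exception):
    """Raised when the token's kid is absent from the fetched certificate set."""


def select_cert(certs, id_token):
    """Pick the certificate the token's 'kid' header points at."""
    kid = jwt_header(id_token).get("kid")
    if kid is None:
        raise ValueError("token header has no 'kid'")
    if kid not in certs:
        raise CertificateNotFound("Certificate for key id %s not found" % kid)
    return certs[kid]


def select_cert_with_refresh(fetch_certs, id_token, cache):
    """Look up the kid in cached certs; on a miss, refetch once because keys rotate.

    fetch_certs is a callable returning a fresh {'kid': 'x509 cert'} mapping
    (in the library this is the HTTPS fetch of the certs URL). A second miss
    means the token was signed with a key the issuer no longer publishes, so
    it is rejected rather than retried forever.
    """
    try:
        return select_cert(cache, id_token)
    except CertificateNotFound:
        cache.clear()
        cache.update(fetch_certs())
        return select_cert(cache, id_token)


# Constructed certificate sets: the "old" set predates a key rotation, the
# "new" set is what the certs URL would return afterwards.
CERTS_OLD = {"kid-old-0001": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}
CERTS_NEW = {"kid-new-0002": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}

# Constructed token signed (notionally) with the post-rotation key.
SAMPLE_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "kid-new-0002"},
    {"iss": "https://securetoken.google.com/example-project",
     "aud": "example-project", "sub": "user-123"},
)


if __name__ == "__main__":
    cache = dict(CERTS_OLD)
    try:
        select_cert(cache, SAMPLE_TOKEN)
    except CertificateNotFound as exc:
        print("stale cache:", exc)
    cert = select_cert_with_refresh(lambda: CERTS_NEW, SAMPLE_TOKEN, cache)
    print("after refresh, cert selected for kid", jwt_header(SAMPLE_TOKEN)["kid"])
```

The refresh-once pattern is the practical takeaway from the thread: a token minted after a key rotation will fail against any cached copy of the certificate set, and a token minted before the old key was retired fails against the fresh set, which is the "got a new token and it works" outcome reported below. Caching the fetched mapping per the HTTP cache headers, rather than for the life of the process, keeps both cases rare.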

Amit Bhosle

Jul 12, 2017, 3:48:00 PM
to Google App Engine
This is somewhat resolved now. The main issue was the "TypeError: must be _socket.socket, not socket" error; the workaround/monkeypatch I linked above is working.
I got a new Firebase token and the code now works. (Following through the code, the Firebase token has a certificate ID embedded in it, and no cert with that ID is currently being vended from the certs URL that is used. I guess the set of valid certs gets updated over time.)

George (Cloud Platform Support)

Jul 12, 2017, 3:56:28 PM
to Google App Engine
gslib may be found at /usr/lib/google-cloud-sdk/platform/gsutil/gslib/data on Linux, or at an equivalent path on Windows, starting from the SDK install directory.

What are you attempting to do exactly? Do you want to authenticate your app for connection to cloud resources? Do you want to authenticate users? To clarify things, it may be advisable to read the "Introduction to the Admin Auth API" and the info linked at "Verify ID Tokens". 

Amit Bhosle

Jul 13, 2017, 1:14:24 PM
to Google App Engine
George - Did you even read my previous messages? :)