
I've been using the following script for signing GCS URLs successfully for some time now.

It's basically just a wrapper around the Python requests module that adds a signature to the URL based on the provisioned private key.

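    # The same base64-encoded MD5 digest is passed to the URL signer and
    # sent as the Content-MD5 header.
    md5_digest = base64.b64encode(hashlib.md5(data).digest())
    base_url, query_params = self._MakeUrl('PUT', path, content_type,
                                           md5_digest)
    headers = {}
    headers['Content-Type'] = content_type
    headers['Content-Length'] = str(len(data))
    headers['Content-MD5'] = md5_digest
    # Upload the data to the signed URL; the signature travels in query_params.
    return self.session.put(base_url, params=query_params, headers=headers,
                            data=data)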

I used a service account with the p12 key converted to pem and was able to store and fetch resources.

A few days ago (December 2015), it stopped working and returns the following error from the Python requests module:

    requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Disabling the request verification helped me overcome the issue, but it's not a valid solution.

    self.session.verify = False

Any ideas for what could be causing this issue? What could have triggered this now?

Thanks

odedfos
  • Do you get the same error when using gsutil signurl? If you look around on StackOverflow for similar instances of this error, it usually occurs when something has changed with the certificate authorities on your machine. See http://stackoverflow.com/a/12864892/2263165 – Travis Hobrla Dec 29 '15 at 18:21
  • Using curl to fetch the URL produced by gsutil works well. Also, the URL produced by my script seems to work when used with curl. Why would the signed URL used with the requests module (2.9.1) produce this error on the same machine on which curl works? – odedfos Dec 30 '15 at 08:21
  • Apparently some other package installed in my project alongside the requests module triggers this error. When running in a clean environment it works well. – odedfos Dec 30 '15 at 09:15
  • Turns out the blame was on a package named certifi, which was installed as a requirement of another package. This package integrates with the requests module. Having an older version of OpenSSL does not agree with it and causes errors for many common URLs (even https://www.google.com). Updating OpenSSL can be tricky. You're welcome to follow the trail... https://github.com/certifi/python-certifi/issues/32 – odedfos Dec 30 '15 at 15:17
  • You should post a self-answer to this question now that the issue is resolved. Best of luck! – Nick Dec 31 '15 at 00:20

1 Answer

It turns out the blame was on a package named certifi, which was installed as a requirement by another package in my project.

The certifi package integrates with the requests module. Having an older version of OpenSSL does not agree with it and is the cause for many common URLs (even requests.get('https://www.google.com')) to fail with this error.

A solution could be upgrading the OS, updating only OpenSSL, or removing the certifi package (which will result in some vulnerability).

You're welcome to follow the trail...

odedfos
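A diagnostic for the situation described in the answer above, as an added example that is not part of the original post: it reports the OpenSSL build Python is linked against and every CA bundle requests could be picking up, so a certifi-supplied bundle can be spotted without setting `verify = False`. The names `trust_report` and `count_pem_certs` are assumptions introduced for this example.

```python
import importlib
import os
import ssl


def count_pem_certs(path):
    """Count certificates in a PEM bundle; None if the file is unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read().count(b"-----BEGIN CERTIFICATE-----")
    except (OSError, TypeError):
        return None


def _optional_where(module_name):
    """Return module.where() if the module is installed, else None."""
    try:
        return importlib.import_module(module_name).where()
    except Exception:
        return None


def trust_report(environ=os.environ):
    """Collect the inputs that decide whether certificate verification passes."""
    sources = {
        # Environment overrides that requests honours ahead of its default.
        "env REQUESTS_CA_BUNDLE": environ.get("REQUESTS_CA_BUNDLE"),
        "env CURL_CA_BUNDLE": environ.get("CURL_CA_BUNDLE"),
        # Bundle shipped by certifi, if some dependency pulled it in.
        "certifi.where()": _optional_where("certifi"),
        # Bundle requests uses by default.
        "requests.certs.where()": _optional_where("requests.certs"),
        # CA file that the linked OpenSSL points at by default.
        "openssl default cafile": ssl.get_default_verify_paths().cafile,
    }
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "bundles": {name: (path, count_pem_certs(path))
                    for name, path in sources.items() if path},
    }


if __name__ == "__main__":
    report = trust_report()
    print("linked OpenSSL:", report["openssl"])
    for name, (path, n) in report["bundles"].items():
        print("%-26s %s (%s certs)" % (name, path, n))
```

Running it in both the failing project environment and a clean one shows whether the two resolve to different bundles or OpenSSL builds.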