0

I'm working with a local-dev environment of Python GAE. In my code, I'm using the app_identity module to fetch the App ID Token for my project, like this:

scope = "https://www.googleapis.com/auth/userinfo.email"
app_id_token, expiry = app_identity.get_access_token(scope)

But when that pathway is invoked, I get this error thrown from the appengine module. It appears that when my project attempts to fetch an OAuth token to access Google Cloud services it is getting an SSL validation error on the URL used to get that token. 

ERROR    2017-01-03 02:41:11,489 api_server.py:272] Exception while handling service_name: "app_identity_service"
method: "GetAccessToken"
request: "\n.https://www.googleapis.com/auth/cloud-platform"
request_id: "MzGyxBKeMe"

Traceback (most recent call last):
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/tools/devappserver2/api_server.py", line 247, in _handle_POST
    api_response = _execute_request(request).Encode()
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/tools/devappserver2/api_server.py", line 186, in _execute_request
    make_request()
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/tools/devappserver2/api_server.py", line 181, in make_request
    request_id)
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/api/apiproxy_stub.py", line 131, in MakeSyncCall
    method(request, response)
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/api/app_identity/app_identity_keybased_stub.py", line 223, in _Dynamic_GetAccessToken
    headers={'Content-Type': 'application/x-www-form-urlencoded'})
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/api/urlfetch.py", line 271, in fetch
    return rpc.get_result()
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/api/apiproxy_stub_map.py", line 613, in get_result
    return self.__get_result_hook(self)
  File "/opt/google-cloud-sdk/platform/google_appengine/google/appengine/api/urlfetch.py", line 432, in _get_fetch_result
    'Invalid and/or missing SSL certificate for URL: ' + url)
SSLCertificateError: Invalid and/or missing SSL certificate for URL: https://accounts.google.com/o/oauth2/token

What confuses me is that this doesn't seem like it should be an environment configuration problem because it is SSL cert validation. However, neither of my teammates see this problem when we work from the same commit in our repository. I've tried re-cloning my repository, rebooting my machine, resetting my Docker setup. None of it has had an effect. Any advice into what's going on would be appreciated. Thank you.

David Harper
  • 43
  • 2

1 Answers1

0

One of my teammates figured out the solution to this. One of the certs bundled with the SDK have an expired cert in their chain... so my setup broke with the New Year.

HTTPException: invalid and/or missing SSL certificate for url: https://accounts.google.com/o/oauth2/token

He removed my certs that were bundled with the SDK, which causes GAE to use the OS's defaults.

David Harper
  • 43
  • 2