22

Recently, I upgraded my GAE SDK to ver. 1.7.4 and it started to throw 'InvalidCertificateException' when I try to run development server. I searched about this error and some people said it goes away with time, but mine didn't. What should I look into to fix this problem? I am using python framework Django for my app if that has to matter somehow.

$ dev_appserver.py ./
INFO     2012-12-16 07:44:31,412 appcfg.py:586] Checking for updates to the SDK.
Traceback (most recent call last):
  File "/usr/local/bin/dev_appserver.py", line 171, in <module>
    run_file(__file__, globals())
  File "/usr/local/bin/dev_appserver.py", line 167, in run_file
    execfile(script_path, globals_)
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/tools/dev_appserver_main.py", line 747, in <module>
    sys.exit(main(sys.argv))
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/tools/dev_appserver_main.py", line 680, in main
    update_check.CheckForUpdates()
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/tools/appcfg.py", line 597, in CheckForUpdates
    runtime=self.config.runtime)
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/tools/appengine_rpc.py", line 391, in Send
    f = self.opener.open(req)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 394, in open
    response = self._open(req, data)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 412, in _open
    '_open', req)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 372, in _call_chain
    result = func(*args)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1207, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/lib/fancy_urllib/fancy_urllib/__init__.py", line 379, in do_open
    url_error.reason.args[1])
fancy_urllib.InvalidCertificateException: Host appengine.google.com returned an invalid certificate (_ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed): 
To learn more, see http://code.google.com/appengine/kb/general.html#rpcssl
taelimoh
  • 1,003
  • 1
  • 11
  • 24
  • It seems your root certs are not up to date. GAE certs are signed by Google Certificate Authority - so your root cert store needs to be updated. Are you missing any software updates for your mac? – Burhan Khalid Dec 16 '12 at 08:05
  • @BurhanKhalid Thanks. I'll check on that and get back to you. – taelimoh Dec 16 '12 at 08:07
  • @BurhanKhalid Nope, everything is updated but still throwing the exception. – taelimoh Dec 16 '12 at 08:13
  • 3
    quick workaround that I found: delete the file google_appengine/lib/ cacerts/cacerts.txt from your installed SDK. – taelimoh Dec 16 '12 at 09:22
  • I have no idea why but this issue resolved itself. Now the development server works with cacerts.txt w/o a problem. – taelimoh Dec 17 '12 at 03:20
  • Deleting the contents of my cacerts folder works for me. – John Dec 19 '12 at 11:37

4 Answers4

39

Quick workaround that I found: delete the file google_appengine/lib/cacerts/cacerts.txt from your installed SDK.

Starting from the GoogleAppEngineLauncher:

GoogleAppEngineLauncher/Contents/Resources/GoogleAppEngineDefault.bundle/Content‌​s/Resources/google_appengine/lib/cacerts/cacerts.txt

EDIT #

as of google app engine SDK 1.8.1 this file as been renamed to urlfetch_cacerts.txt. Still in the same directory and removing it still fixes the problem.

– @Harrison

taelimoh
  • 1,003
  • 1
  • 11
  • 24
  • 1
    I guess for some reason cacerts.txt is not getting updated while upgrading the SDK. It's not hard to fix but still bugs me. – taelimoh Feb 18 '13 at 23:53
  • 5
    **Note:** as of google app engine SDK 1.8.1 this file as been renamed to `urlfetch_cacerts.txt`. Still in the same directory and removing it still fixes the problem. – Harrison Jul 06 '13 at 18:12
  • I was getting this because our company does a man-in-the-middle kinda thing with our firewall. I added our corporate CA files into the (two) files mentioned above, and it worked. – Brad Sep 09 '13 at 18:22
  • This fix doesn't work on 1.8.8, at least on arch linux. Does anyone have any suggestions? – Smerk Jan 06 '14 at 22:08
  • @Smerk Did you check for 'urlfetch_cacerts.txt'? 'cacerts.txt' was renamed to it since SDK 1.8.1. – taelimoh Jan 07 '14 at 12:24
  • 2
    @asitaru Yup I deleted that along with the rest of the cert files and the problem persisted. A co-worker of mine actually found the fix last night for this particular problem(he uses arch as well)-- we had to hardcode in ssl.py(in the core python files) to use TLSv1 as the ssl protocol. It's a huge hack-- we're messing with the core python files for pete's sake!-- but it works. If anyone needs more details then add a comment and I can explain our fix in more detail. – Smerk Jan 07 '14 at 17:47
2

Compact answer, current as of January 2014 (just survived an SDK update):

rm file /Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/lib/cacerts/urlfetch_cacerts.txt

or ...

cd /Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/lib/cacerts/
rm urlfetch_cacerts.txt

and everything runs smoothly again.

And you better delete "cacerts.txt" (in the same directory), too. Otherwise the sdk command line tools will throw exceptions, too :(

Markus Breuer
  • 117
  • 1
  • 6
1

FYI: if you are on a Mac running Mavericks, this error might be due to using python 2.7.6 or lower, which has a known bug that causes this error.

For example, you would get a similar error by simply trying to get any SSL page:

pip install requests
python

>>> import requests
>>> requests.get("https://github.com")

The above would yield the same SSL cert errors. In this case, none of the gcloud (Google cloud SDK) commands work.

Upgrade to python 2.7.8 (or newer 2.7.X) to solve the problem (worked for me).

orcaman
  • 6,263
  • 8
  • 54
  • 69
0

Upgrading Python from 2.7.3 to 2.7.9 fixed it for me. I'm on Mac OS X 10.6.8 (Snow Leopard).

baby bunny
  • 1