simon-weber / gmusicapi

An unofficial client library for Google Music.
https://unofficial-google-music-api.readthedocs.io
BSD 3-Clause "New" or "Revised" License

SSL3_GET_SERVER_CERTIFICATE:certificate verify failed #174

Closed bbaldino closed 11 years ago

bbaldino commented 11 years ago

Hey Simon, I've been running into this error when trying to log in using OAuth. I've torn my hair out tracing it all the way down and trying multiple cacerts.txt files but they've all been to no avail. For what it's worth it used to be working fine. I'm able to reproduce it by running the following code:

from gmusicapi import Musicmanager

if __name__ == "__main__":
    mm = Musicmanager()
    # Start the interactive OAuth flow
    mm.perform_oauth()

And then following the prompts.

Can you check if you're seeing this? If not, can you paste the content of your cacerts.txt from httplib2 (or wherever you have it configured)?

Thanks -brian

simon-weber commented 11 years ago

Hey there; thanks for reporting this.

Google's certs on one of the Music Manager endpoints haven't verified for over a year now, haha. I ended up just turning it off on affected URLs.

I'll see if I can recreate this, and if so I'll likely just turn off verification on more endpoints. For what it's worth, there doesn't seem to be anything wrong with the cert -- Google's code trusts it, at least.

lukegb commented 11 years ago

Err, this seems like an upstream bug. The cert for android.clients.google.com is actually valid, but only if you (i.e. the SSL library):

a) supports Server Name Indication (or SNI)
b) supports wildcard certificates
c) supports the Subject Alternative Name field
d) supports wildcards in the SAN field

Unfortunately, requests uses urllib3 which, under Python 2, uses httplib, which does not support SNI (since the ssl module doesn't have it exposed, even if it's built in to OpenSSL). As of Python 3.2, http.client does (if it's built into OpenSSL).

At least, that's the conclusion I came to in my spelunking.
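
Added illustration, not part of the thread and not gmusicapi's code: the sketch below implements the hostname checks listed in the comment above (SAN dNSName entries with single-label wildcards, CN consulted only when no SAN exists) and probes whether the local ssl module exposes SNI. The certificate dictionary is constructed sample data in the shape of `ssl.SSLSocket.getpeercert()` output; its SAN values are assumptions, not Google's real certificate.

```python
import ssl

# Constructed stand-in for ssl.SSLSocket.getpeercert() output; the SAN values
# are assumptions for illustration, not copied from Google's real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "*.clients.google.com"),
                       ("DNS", "google.com")),
}


def _label_match(pattern, hostname):
    """Match one dNSName; '*' may only be the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse "*.com"-style patterns
    return p == h


def cert_matches(cert, hostname):
    """True if hostname is covered by SAN dNSNames, or by CN when no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:                  # when SAN dNSNames exist, CN must be ignored
        return any(_label_match(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(cn, hostname) for cn in cns)


def tls_capabilities():
    """Report what this interpreter's ssl module can do for verification."""
    return {
        "sni": getattr(ssl, "HAS_SNI", False),   # absent on old Python 2 builds
        "openssl": ssl.OPENSSL_VERSION,
    }


if __name__ == "__main__":
    print(tls_capabilities())
    for host in ("android.clients.google.com", "a.b.google.com", "music.example.org"):
        print(host, cert_matches(SAMPLE_CERT, host))
```

A client that reads only the CN, or that lets `*` span several labels, reaches a different answer for the same certificate, which is why the outcome depends on the library doing the verification.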

bbaldino commented 11 years ago

I was about to mention that I'm actually using httplib2, but it looks like the same issue (no SNI) applies (and there are no plans to fix it for Python 2.x). I'll have to give the same test a try with Python 3.2 I suppose.

Trying to figure out how/why things had been working before, though...

Since (I believe) you're supporting Python 2.5-2.7, would it make sense to disable the certificate validation? Or perhaps at least bubble up the option to disable it? Not ideal, but unsure what the other options are?

Thanks for taking a look.

simon-weber commented 11 years ago

Hm, I can't recreate this. I'm using 2.7.2 in a venv, and here's my cacerts.txt.

bbaldino commented 11 years ago

Interesting...your certs file is the same as mine, although I'm on Python version 2.6.6. I'll have to check and see if I can get Python 2.7.2 running in my environment and see how that goes.

bbaldino commented 11 years ago

Hey Simon, finally got around to trying this out but I ran into some other problems...was only able to find 2.7.3 for my distro but, just by switching Python versions, all of a sudden the library (when imported from the test file I pasted above) has issues with finding one of the protobuf classes:

  File "t.py", line 6, in <module>
    from gmusicapi import Musicmanager
  File "/boot/config/plugins/bgmm/bgmm/libs/gmusicapi/__init__.py", line 9, in <module>
    from gmusicapi.clients import Webclient, Musicmanager, Mobileclient
  File "/boot/config/plugins/bgmm/bgmm/libs/gmusicapi/clients/__init__.py", line 1, in <module>
    from gmusicapi.clients.webclient import Webclient
  File "/boot/config/plugins/bgmm/bgmm/libs/gmusicapi/clients/webclient.py", line 6, in <module>
    from gmusicapi.clients.shared import _Base
  File "/boot/config/plugins/bgmm/bgmm/libs/gmusicapi/clients/shared.py", line 3, in <module>
    from gmusicapi.utils import utils
  File "/boot/config/plugins/bgmm/bgmm/libs/gmusicapi/utils/utils.py", line 16, in <module>
    from google.protobuf.descriptor import FieldDescriptor

Seems a bit odd...still digging around.

bbaldino commented 11 years ago

Well...managed to sort out the above issues only to find...I can no longer reproduce the problem! Maybe Google updated their certs...either way, thanks for taking a look!

simon-weber commented 11 years ago

Glad everything is working! Feel free to reopen if you run into this again.