RANDOM -> SSLCertificateError: Invalid and/or missing SSL certificate for URL - with disabled certificates checks [35897687]

Can't Repro

Bug

More Info Required

Status Update

No update yet.

Description

ce...@gmail.com

created issue #1

May 15, 2014 04:51PM

I found that sometime is generated random exception - sometimes all is working sometimes I receive such invalid exception:

Invalid and/or missing SSL certificate for URL:

https://dl.dropbox.com/x/x/x.jpg

(x replace secret data)

It is ignore flag passed to function disabling certificate check - It looks that this flag is passed in invalid way.

rpc = urlfetch.create_rpc(deadline = 10)
urlfetch.make_fetch_call(rpc, restaurantViewImage.sourceUrl)

I think so since found such code in SDK (FLAG set to True or False check certificates - see documentation - False is not None == True is not None!):
if validate_certificate is not None:
request.set_mustvalidateservercertificate(validate_certificate)

Comments

ce...@gmail.com <ce...@gmail.com> #2May 15, 2014 04:52PM

I am still thinking that "SSLCertificateError" is projection of something else ... - maybe timeout???

ce...@gmail.com <ce...@gmail.com> #3May 15, 2014 04:54PM

def make_fetch_call(rpc, url, payload=None, method=GET, headers={},
allow_truncated=False, follow_redirects=True,
validate_certificate=None):
"""Executes the RPC call to fetch a given HTTP URL.

The first argument is a UserRPC instance. See urlfetch.fetch for a
thorough description of remaining arguments.

Raises:
InvalidMethodError: if requested method is not in _VALID_METHODS
ResponseTooLargeError: if the response payload is too large
InvalidURLError: if there are issues with the content/size of the
requested URL

Returns:
The rpc object passed into the function.

"""

ro...@gmail.com <ro...@gmail.com> #4May 31, 2014 05:04PM

Recently, I saw similar certificate errors starting to appear when testing my code from the development server (locally, not on Google's servers in production).
The requested domain is

https://graph.facebook.com, so regular SSL certificate errors are highly unlikely, and, as you say here, the error probably lies somewhere else...

jo...@google.com <jo...@google.com> #5Aug 8, 2014 05:29PM

Marked as fixed, reassigned to jo...@google.com.

Hi! Thanks for the issue report. As I understand, this was a problem with URLFetch in the development server. It has been fixed since App Engine release 1.9.7.

ni...@gmail.com <ni...@gmail.com> #6Dec 14, 2014 06:02AM

I have run into this issue and I'm on: 1.9.17.107

This has *not* been fixed.

Please re-open.

> File "/app/admin.py", line 725, in get_image_from_filepicker
result = urlfetch.fetch(url)
> File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/api/urlfetch.py", line 271, in fetch
return rpc.get_result()
> File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/api/apiproxy_stub_map.py", line 613, in get_result
return self.__get_result_hook(self)
> File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/api/urlfetch.py", line 425, in _get_fetch_result
> 'Invalid and/or missing SSL certificate for URL: ' + url)
> SSLCertificateError: Invalid and/or missing SSL certificate for URL:

https://www.filepicker.io/api/file/fooooooooooooo

[Deleted User] <[Deleted User]> #7Apr 7, 2015 02:48PM

Hi, is the fix planned ?

js...@google.com <js...@google.com> Apr 15, 2015 06:43PM

Status: Assigned (reopened)

br...@gmail.com <br...@gmail.com> #8Feb 23, 2016 10:18PM

I still see this happening. Version: 1.9.32 on OSX :/

Any news about this ?

ar...@google.com <ar...@google.com> #9Feb 27, 2016 12:00AM

Status: New

I've been running a test for a few days and haven't caught a single cert validation error, using urlfetch.make_fetch_call(rpc, url, validate_certificate=False). Is there a method we can test which will reliably reproduce this issue?

ar...@google.com <ar...@google.com> #10Mar 14, 2016 04:07PM

I'm just posting an update to this thread as we haven't heard from you in a while. Please let us know if you can provide any information on how to reproduce the issue and we will be happy to look into this further.

ra...@google.com <ra...@google.com> #11Mar 19, 2016 01:02AM

Every server mentioned in this thread has a cert with a wildcard CN.

ar...@google.com <ar...@google.com> #12Mar 20, 2016 05:33PM

I've been testing against all of the domains mentioned in this thread but have not yet seen the cert error come up (1.9.34 on Debian Jessie). I'll need a method to reproduce the error at least somewhat reliably before I can submit an issue to the engineering team.

ar...@google.com <ar...@google.com> #13Apr 5, 2016 07:11PM

Status: Won't Fix (Not Reproducible)

As we've not been able to reproduce this issue I am closing this out, however if you are still affected please feel free to open a new issue with steps to reproduce and which refers back to this one for context.

ro...@gmail.com <ro...@gmail.com> #14Apr 7, 2016 04:09PM

There is still a lot of people upvoting this thread on SO:

http://stackoverflow.com/q/24106098/145997 (46 upvotes and counting).
Unfortunately, none of us came up with reliable reproducing steps. However the problem is still alive...

[Deleted User] <[Deleted User]> #15Apr 20, 2016 11:22AM

I get this issue with the following URL (and many others from the same domain):

https://www.skandiafastigheter.se/PageFiles/212121/premise-30635001.jpg

using simply:

> urlfetch.fetch(url, validate_certificate=False, deadline=60)

I'm running 1.9.23 on OSX. I do not see this issue on the production environment.

It's happening consistently for me, so please let me know if there is something I can provide to ease the debugging.

jo...@peleteiro.net <jo...@peleteiro.net> #16Nov 20, 2016 02:13AM

Are we getting rid of manual patches on local appengine? Please, it's insane.