googlecl: ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

[zdroik@…]

googlecl stopped working with a recent update from the last month. it is SSL related.

google -v docs list
....
 File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/googlecl/base.py", line 399, in retry_operation
    raise unexpected
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

[ryandesign (Ryan Carsten Schmidt)]

Which "recent update from the last month" do you mean? googlecl's version has not changed in two years (not since r101174).

[zdroik@…]

The update was not googlecl related.

I simply update macports with a monthly refresh.

port selfupdate; port upgrade outdated

I have not tracked down which underlying software update broke it.

[ned-deily (Ned Deily)]

Python has changed: as of 2.7.9, certificates are now verified by default. (​https://www.python.org/downloads/release/python-279/). So it is possible that a TLS (SSL) connection to a server that used to work now fails because the certificate validation is now being enforced. If so, the trick is to figure out which one and then, if necessary, add any custom or missing root CA's to the user's root CA store for the MacPorts OpenSSL (/opt/local/etc/openssl).

[mouse07410 (Mouse)]

The problem is with the latest macports openssl-1.0.1k_0 upgrade. It broke certificate signature:

$ openssl verify -CAfile Forest_CA.pem RabbitMQ-manager.pem
RabbitMQ-manager.pem: CN = RabbitMQ-manager, O = The Burrow, OU = Messengers, C = US
error 7 at 0 depth lookup:certificate signature failure
$ /usr/bin/openssl verify -CAfile Forest_CA.pem RabbitMQ-manager.pem
RabbitMQ-manager.pem: OK
$ openssl version
OpenSSL 1.0.1k 8 Jan 2015
$ /usr/bin/openssl version
OpenSSL 0.9.8za 5 Jun 2014
$