ssl – "bq" command-line tool throws CERTIFICATE_VERIFY_FAILED

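Update (2019-02-07):
The issue has now been fixed, so if you are still running into this problem, try gcloud components update.

At some point in the past few months, my bq tool stopped working. Even simple things show this error: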

$bq show
BigQuery error in show operation: Cannot contact server. Please try again.
Traceback: Traceback (most recent call last):
File "/opt/google-cloud-sdk/platform/bq/bigquery_client.py", line 685, in BuildApiClient
response_metadata, discovery_document = http.request(discovery_url)
File "/opt/google-cloud-sdk/platform/bq/third_party/oauth2client_4_0/transport.py", line 176, in new_request
redirections, connection_type)
File "/opt/google-cloud-sdk/platform/bq/third_party/oauth2client_4_0/transport.py", line 283, in request
connection_type=connection_type)
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1626, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1368, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1288, in _conn_request
conn.connect()
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1082, in connect
raise SSLHandshakeError(e)
SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

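I have tried the following:

- sudo gcloud components update (version 221.0.0).
- sudo pacman -Syu (system update) to get the latest set of SSL certificates. This is Arch Linux, so it is almost always bleeding edge.
- sudo gcloud components reinstall.
- Uninstalling google-cloud-sdk, wiping the leftover /opt/google-cloud-sdk and reinstalling entirely from AUR.
- Adding --httplib2_debuglevel=3 (valid values are not documented; I found the value 3 here). This does not produce any additional output.
- Adding --ca_certificates_file=/etc/ca-certificates/extracted/tls-ca-bundle.pem, --ca_certificates_file=/etc/ca-certificates/extracted/ca-bundle.trust.crt and --ca_certificates_file=/etc/ssl/certs/ca-certificates.crt. One of these is surely the root certificate bundle on my system. The last one is the one used by curl, which can talk to www.googleapis.com just fine.
- Looking at the source code, I found that /opt/google-cloud-sdk/platform/bq/third_party/httplib2/cacerts.txt is the certificate bundle used by default. If I try this one with curl --cacert …, it still works.
- Setting the GOOGLE_APPLICATION_CREDENTIALS environment variable in this shell. As expected, this makes no difference either; the SSL error occurs before bq even has a chance to start the OAuth handshake.
- Adding --disable_ssl_validation. This "works", but is obviously insecure.

Is anyone else seeing this, or does anyone have ideas on how to debug or resolve it?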

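Best answer

I am also seeing exactly the same problem on Arch Linux.

However, when you issue a bq command on the command line, I am pretty sure that the certificate file in /opt/google-cloud-sdk/platform/bq/third_party/httplib2/cacerts.txt is not used, because the flag --ca_certificates_file=/etc/ssl/certs/ca-certificates.crt is automatically put into the flags during the application bootstrap process. On Arch Linux, this file is a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.

I have tried using curl and openssl s_client with this CA bundle against the API URL that is called, i.e.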

https://www.googleapis.com/discovery/v1/apis/bigquery/v2/rest

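and it works just fine.

My assumption is that this is not a problem of a missing or outdated certificate. My pyopenssl package is at version 18.0.0, so I am on the latest version here. However, I think this problem is caused by an unsupported cipher or algorithm during the TLS handshake.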

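As an added example (not part of the original question or answer), the following diagnostic handshakes with www.googleapis.com once per CA bundle named on the page and separates certificate-verification failures from other TLS failures such as an unsupported protocol version or cipher. It assumes Python 3.7+ and uses the standard ssl module rather than bq's bundled httplib2/pyopenssl stack, so an "ok" result only rules out the trust store; the category names are hypothetical labels chosen for this example.

```python
import socket
import ssl

# CA bundle paths quoted on the page; HOST is taken from the discovery URL.
BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ca-certificates/extracted/tls-ca-bundle.pem",
    "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/cacerts.txt",
]
HOST = "www.googleapis.com"


def classify(exc):
    """Map a handshake exception to the layer that failed (labels are hypothetical)."""
    # Order matters: SSLCertVerificationError < SSLError < OSError.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify"    # chain or hostname rejected: trust-store problem
    if isinstance(exc, ssl.SSLError):
        return "tls-protocol"   # version, cipher or alert: not a trust-store problem
    if isinstance(exc, OSError):
        return "network"        # DNS, refused connection, timeout
    return "other"


def probe(host, cafile, port=443, timeout=5.0):
    """Handshake trusting only `cafile`; return (category, detail)."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except OSError as exc:      # missing file, or a file with no usable certificates
        return ("bundle-unreadable", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", "%s %s" % (tls.version(), tls.cipher()[0]))
    except Exception as exc:
        # verify_message exists only on verification errors raised by the handshake.
        detail = getattr(exc, "verify_message", None) or str(exc)
        return (classify(exc), detail)


if __name__ == "__main__":
    for bundle in BUNDLES:
        print(bundle, *probe(HOST, bundle), sep="\t")
```

If every bundle reports "ok" while bq still fails, the difference lies in the TLS library bq loads rather than in the certificates, which is the case where --disable_ssl_validation hides the cause instead of fixing it.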