Hi again - thought i'll post an update here based on my debugging. the initial issue was that I was getting an error: "TypeError: must be _socket.socket, not socket" I was trying some workarounds mentioned on some forums/blogs, and ended up with the certificate error..
I tried a different workaround now (seems similar to the earlier one) - this one monkey-patches an additional platform.platform() method.. https://stackoverflow.com/questions/9604799/can-python-requests-library-be-used-on-google-app-engine "Certificate for key id cfaaafe371b3e2b1a832251233ea51be086ce9c3 not found" digging through the code, looks like the certs are fetched from the GOOGLE_APIS_CERTS_URL I mentioned above: https://www.googleapis.com/robot/v1/metadata/x509/[email protected] see line 76 in google.oauth2.id_token.py: 59 def verify_token(id_token, request, audience=None, 60 certs_url=_GOOGLE_OAUTH2_CERTS_URL): 61 """Verifies an ID token and returns the decoded token. 62 63 Args: 64 id_token (Union[str, bytes]): The encoded token. 65 request (google.auth.transport.Request): The object used to make 66 HTTP requests. 67 audience (str): The audience that this token is intended for. If None 68 then the audience is not verified. 69 certs_url (str): The URL that specifies the certificates to use to 70 verify the token. This URL should return JSON in the format of 71 ``{'key id': 'x509 certificate'}``. 72 73 Returns: 74 Mapping[str, Any]: The decoded token. 75 """ 76 certs = _fetch_certs(request, certs_url) 77 78 return jwt.decode(id_token, certs=certs, audience=audience) do you know why the set of certs could be missing the one extracted from my firebase token? thanks Amit On Tuesday, July 11, 2017 at 12:55:51 PM UTC-7, Amit Bhosle wrote: > > btw, I'm able to successfully invoke other APIs that are also hosted on > googleapis.com - e.g., places APIs, radarsearch, etc.. > One sample URL is below - as you can see, it is also an HTTPS endpoint. > > https://maps.googleapis.com/maps/api/place/details/json?key=API-KEY&placeid=PLACE-ID > > > the _GOOGLE_APIS_CERTS_URL is listed as: > > https://www.googleapis.com/robot/v1/metadata/x509/[email protected] > > > Not sure what the diffs would be in using this API or the one via the > firebase admin client.. Could be that certificate verification is not done > for this API..? > or an issue with the firebase_admin or google.oauth2 python libraries? > > > > On Tuesday, July 11, 2017 at 11:07:04 AM UTC-7, Amit Bhosle wrote: >> >> Hi George, >> >> thanks for the response.. >> >> nslookup from my windows machine is showing the following info: >> >> $ nslookup storage.googleapis.com >> Non-authoritative answer: >> Server: <my ISP> >> Address: 192.168.1.1 >> >> Name: storage.l.googleusercontent.com >> Addresses: 2607:f8b0:400a:808::2010 >> 172.217.3.208 >> Aliases: storage.googleapis.com >> >> >> also - not sure what gslib is.. i thought installing certifi would be >> enough.. >> >> $ find . -name "cacert*" >> ./lib/certifi/cacert.pem >> ./lib/httplib2/cacerts.txt >> >> >> Do you know how i can check if the required certificate is even present >> in the above places? (both of the above files have some certs - and i'm >> assuming the certifi/cacert.pem is the one being used.. >> >> Thanks >> Amit >> >> On Monday, July 10, 2017 at 8:31:44 AM UTC-7, George (Cloud Platform >> Support) wrote: >>> >>> Hello Amit, >>> >>> A corrupted installation might be at the root of this. For >>> troubleshooting purposes, it is useful checking that your files match the >>> following pattern, indicated here in general lines: >>> >>> ~/gsutil$ ls -l gslib/data/cacerts.txt >>> -rw-r--r-- 1 gslib/data/cacerts.txt >>> >>> ~/gsutil$ sha1sum gslib/data/cacerts.txt >>> 183c495586bf93d2efsdfdyuiiqww5b1b4fa1tycvbvn gslib/data/cacerts.txt >>> >>> The output from the following command may prove quite useful as well: >>> >>> ~/gsutil$ host storage.googleapis.com >>> >>> storage.googleapis.com is an alias for >>> storage-ugc.l.googleusercontent.com. >>> storage-ugc.l.googleusercontent.com has address some_ip_address_here >>> storage-ugc.l.googleusercontent.com has address some_ip_address_here >>> storage-ugc.l.googleusercontent.com has address some_ip_address_here >>> storage-ugc.l.googleusercontent.com has IPv6 address >>> some_ipv6_address_here >>> >>> (It is OK if your resolver may have different IP addresses) >>> >>> -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/30f69491-5765-4dc3-ac48-3607ae85fcc6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
