Update (2019-02-07): the issue has now been fixed, so if you're still running into this, try gcloud components update.
At some point during the past few monthts, my bq tool stopped working. Even a simple thing shows this error:
$ bq show
BigQuery error in show operation: Cannot contact server. Please try again.
Traceback: Traceback (most recent call last):
File "/opt/google-cloud-sdk/platform/bq/bigquery_client.py", line 685, in BuildApiClient
response_metadata, discovery_document = http.request(discovery_url)
File "/opt/google-cloud-sdk/platform/bq/third_party/oauth2client_4_0/transport.py", line 176, in new_request
redirections, connection_type)
File "/opt/google-cloud-sdk/platform/bq/third_party/oauth2client_4_0/transport.py", line 283, in request
connection_type=connection_type)
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1626, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1368, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1288, in _conn_request
conn.connect()
File "/opt/google-cloud-sdk/platform/bq/third_party/httplib2/__init__.py", line 1082, in connect
raise SSLHandshakeError(e)
SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)
I've tried the following:
sudo gcloud components update(version 221.0.0).sudo pacman -Syu(system update) to get the latest set of SSL certificates. This is Arch Linux, so pretty much always bleeding edge.sudo gcloud components reinstall.- Uninstalling
google-cloud-sdk, wiping out remaining/opt/google-cloud-sdkand reinstalling entirely from AUR. - Adding
--httplib2_debuglevel=3(valid values are not documented, found the value3here). This does not give any extra output. - Adding one of
--ca_certificates_file=/etc/ca-certificates/extracted/tls-ca-bundle.pem,--ca_certificates_file=/etc/ca-certificates/extracted/ca-bundle.trust.crtand--ca_certificates_file=/etc/ssl/certs/ca-certificates.crtone of which must surely be the bundle of root certificates on my system. The last one of these is used by curl, which can talk towww.googleapis.comjust fine. - Poking at the source code to discover that
/opt/google-cloud-sdk/platform/bq/third_party/httplib2/cacerts.txtis the cert bundle used by default. If I try this one withcurl --cacert ..., it still works. - Setting the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable in this shell. As expected, this also doesn't make a difference; the SSL error occurs beforebqhas even had a chance to begin the OAuth handshake. - Adding
--disable_ssl_validation. This "works" but is obviously not secure.
Anyone else seeing this, or have ideas how to debug/solve?
I'm seeing the exact same issue using Arch Linux as well.
When you issue a bq command on the command line however, I'm pretty sure that the certificate file at /opt/google-cloud-sdk/platform/bq/third_party/httplib2/cacerts.txt is not used, because the flag --ca_certificates_file=/etc/ssl/certs/ca-certificates.crt will is put into the flags automatically in the application bootstrap process. On Arch Linux, this file is a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
I've tried using curl and openssl s_client with this CA bundle against the API URL being called, which is
https://www.googleapis.com/discovery/v1/apis/bigquery/v2/rest
and it works just fine.
My assumption is, that this is not an issue with missing or expired certificates. My pyopenssl package is at version 18.0.0, so I'm at the newest version here. However, I think this issue is caused by unsupported ciphers or algorithms in the TLS handshake process.
There's a public issue tracker with a similar behavior that you're having. I suggest starring it to keep updated about it as well providing your scenario.
If you're behind a corporate proxy, on comment #8 there's a scenario which the corporate proxy replaces the certificate, and the workaround is provided on comment #16
Hope it helps.
来源:https://stackoverflow.com/questions/52849750/bq-command-line-tool-throws-certificate-verify-failed