Blob download_as_string SSL error on Google Container Engine

Question

I'm running a container on Google Container Engine. Inside this container, I have some python code that is trying to read a blob from a bucket hosted o Google Cloud Storage.

The code is as simple as:

from google.cloud import storage

gs = storage.Client(project="my-shiny-project")
gc_bucket = gs.get_bucket("my-bucket")
blob = gc_bucket.get_blob("my-blob")
print blob.download_as_string()

The code above works just fine on my local machine. However, when I run this in a Docker container on GKE, the part upto creation of the blob object works just fine. However, the call to download_as_string fails with:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/google/cloud/storage/blob.py", line 453, in download_as_string
    self.download_to_file(string_buffer, client=client)
  File "/usr/lib/python2.7/site-packages/google/cloud/storage/blob.py", line 412, in download_to_file
    self._do_download(transport, file_obj, download_url, headers)
  File "/usr/lib/python2.7/site-packages/google/cloud/storage/blob.py", line 363, in _do_download
    response = download.consume(transport)
  File "/usr/lib/python2.7/site-packages/google/resumable_media/download.py", line 136, in consume
    transport, u'GET', self.media_url, headers=headers)
  File "/usr/lib/python2.7/site-packages/google/resumable_media/_helpers.py", line 134, in http_request
    return transport.request(method, url, data=data, headers=headers)
  File "/usr/lib/python2.7/site-packages/google/auth/transport/requests.py", line 179, in request
    method, url, data=data, headers=request_headers, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Any ideas why this failure happens?

FWIW, I tried other operations on the blob object such as getting the id, content_type, size, etc. These operations worked just fine. Even the exists() method of that object worked just fine (which presumably did an actual HEAD request on the object).

I'm using an 'alpine 3.5' container image. Python version is "Python 2.7.13 (default, Dec 22 2016, 09:22:15)"

[EDIT]

I changed the image to 'debian:jessie' and the code worked just fine. The openssl packages in these images have different versions. Looks like that has some effect. Would still be good to know exactly what the problem was.

Answer 1

I figure out myself, I had to add to Dockerfile:

# Base Stuff
RUN apk add --update \
openjdk8-jre \
ca-certificates \
java-cacerts \
libre2 \
libre2-dev \
gcc \
build-base \
linux-headers \
musl-dev \
python3-dev \
make \
openssl \
openssl-dev \
py3-openssl \
libffi \
libffi-dev \
openssh \
openssh-client \
python3-dev 

RUN update-ca-certificates && gcloud -q components install gsutil

And that made the trick.