I’m currently working on a web application using Django and social authentication using django-allauth. It is all great and pretty easy to use, until sign-in just doesn’t work anymore and you get a page describing a bad handshake with SSL3_GET_SERVER_CERTIFICATE. Now what?
This happened to me using django-allauth on Django 1.9 when I was trying to sign in using the Google OAuth provider, running on Debian GNU/Linux 7. It happened after updating certifi again.
So here’s what I did:
- Get the Google CA certificate. You need the G2 DER certificate.
- Convert the G2 certificate to PEM format:
  $ openssl x509 -in GIAG2.crt -inform der -out GIAG2.pem -outform PEM
- Then, add some metadata to the file. This command extracts the relevant information from the newly created PEM file. Add its output to the top of the PEM file, making sure to include a blank line before the data and a hash mark at the beginning of each line:
  $ openssl x509 -in GIAG2.pem -noout -subject -issuer -serial -fingerprint -sha1
  subject= /C=US/O=Google Inc/CN=Google Internet Authority G2
  issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  serial=023A83
  SHA1 Fingerprint=17:8F:7E:93:A7:4E:D7:3D:88:C2:90:42:22:0B:9A:E6:E4:B3:71:CD
  You should end up with a file resembling this:
  # subject= /C=US/O=Google Inc/CN=Google Internet Authority G2
  # issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  # serial=023A83
  # SHA1 Fingerprint=17:8F:7E:93:A7:4E:D7:3D:88:C2:90:42:22:0B:9A:E6:E4:B3:71:CD
  -----BEGIN CERTIFICATE-----
  MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
  MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
  ...
- The path to that trustlist depends on the way you’re using Python. It’s different when you’re running the code from a virtualenv or a different Python version. Here’s what I did using the activated virtual environment:
  >>> import certifi
  >>> certifi.__path__
  ['/some/venv/local/lib/python2.7/site-packages/certifi']
- List the files in the directory. In the example here the path to certifi is /some/venv/local/lib/python2.7/site-packages/certifi. You should find a file named cacert.pem. Make sure you have write access to that file.
- Verify whether the Google G2 CA is in the file:
  $ grep -i 'Google Internet Authority G2' /some/venv/local/lib/python2.7/site-packages/certifi/cacert.pem
- Add the content of the GIAG2.pem file you just created to the certifi trustlist in cacert.pem. Note: only do this when it’s not yet in the file. (The append redirection is performed by your own shell, not by sudo, so use tee to do the privileged write.)
  $ cat GIAG2.pem | sudo tee -a /some/venv/local/lib/python2.7/site-packages/certifi/cacert.pem > /dev/null
- The Google G2 certificate was issued by GeoTrust Global CA, whose own certificate chains up to Equifax Secure Certificate Authority. You’ll need to add that root CA to the truststore when it’s not in there. First see if the CA is in there:
  $ grep -i 'Equifax Secure Certificate Authority' /some/venv/local/lib/python2.7/site-packages/certifi/cacert.pem
- Get the PEM-encoded certificate for Equifax Secure Certificate Authority from GeoTrust Root Certificates.
- Add some of the fields to the newly downloaded copy, in the same way as above:
  $ openssl x509 -in Equifax_Secure_Certificate_Authority.pem -noout -subject -issuer -serial -fingerprint -sha1
  subject= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  issuer= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  serial=35DEF4CF
  SHA1 Fingerprint=D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
  You should end up with a file resembling this:
  # subject= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  # issuer= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  # serial=35DEF4CF
  # SHA1 Fingerprint=D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
  -----BEGIN CERTIFICATE-----
  MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
  UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
  ...
- Add the content of the Equifax_Secure_Certificate_Authority.pem file you just created to the certifi trustlist in cacert.pem. Note: only do this when it’s not yet in the file.
  $ cat Equifax_Secure_Certificate_Authority.pem | sudo tee -a /some/venv/local/lib/python2.7/site-packages/certifi/cacert.pem > /dev/null
- That’s it.
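The steps above do the DER-to-PEM conversion, the metadata header, the "is it already there?" check and the append by hand, and the check is a grep on the subject string, which only finds entries that happen to carry such a comment. The following added example (my own code, not part of the original post and not certifi's or openssl's API) does the same flow in Python with only the standard library and matches certificates by the SHA-1 fingerprint of their DER bytes instead, which works for every block in the bundle whether or not it has a header. It also refuses to append a certificate whose fingerprint does not equal the value you obtained out-of-band (for the post's certificates, the values printed by openssl above) and writes a .bak copy of the bundle first. The function and variable names are my own; the "certificate" used in demo() is the constructed byte string b"abc", not real DER, because the functions never parse ASN.1.

```python
import base64
import hashlib
import tempfile
from pathlib import Path
import re

# Matches one PEM certificate block; comment lines between blocks are ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_to_pem(der: bytes) -> str:
    """Same output shape as `openssl x509 -inform der -outform pem`: base64 in 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block found in `pem` back to its DER bytes."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest, the format `openssl x509 -fingerprint` prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text: str, algo: str = "sha1") -> set:
    """Fingerprints of every certificate in a bundle, regardless of any '# subject=' comments."""
    return {fingerprint(base64.b64decode("".join(m.group(1).split())), algo)
            for m in PEM_RE.finditer(bundle_text)}


def with_metadata_header(pem: str, subject: str, issuer: str, serial: str) -> str:
    """Prepend the commented metadata block the post describes, with a blank line before it."""
    der = pem_to_der(pem)
    header = [
        "",
        "# subject= " + subject,
        "# issuer= " + issuer,
        "# serial=" + serial,
        "# SHA1 Fingerprint=" + fingerprint(der, "sha1"),
        "# SHA256 Fingerprint=" + fingerprint(der, "sha256"),
    ]
    return "\n".join(header) + "\n" + pem


def append_ca(bundle_path, pem_block: str, expected_sha1: str) -> bool:
    """Append `pem_block` to the bundle only if its SHA-1 fingerprint equals `expected_sha1`
    (obtained out-of-band) and no certificate with that fingerprint is already present.
    Returns True when appended, False when it was already there; raises on a mismatch."""
    bundle_path = Path(bundle_path)
    actual = fingerprint(pem_to_der(pem_block), "sha1")
    if actual != expected_sha1.upper():
        raise ValueError("fingerprint mismatch: expected %s, got %s" % (expected_sha1, actual))
    existing_text = bundle_path.read_text() if bundle_path.exists() else ""
    if actual in bundle_fingerprints(existing_text):
        return False
    if bundle_path.exists():  # keep a backup copy, as the post advises
        bundle_path.with_suffix(bundle_path.suffix + ".bak").write_text(existing_text)
    with bundle_path.open("a") as fh:
        fh.write(pem_block)
    return True


def demo(workdir=None) -> dict:
    """Run the whole flow on a constructed dummy 'certificate' in a scratch directory."""
    workdir = Path(workdir or tempfile.mkdtemp())
    bundle = workdir / "cacert.pem"
    bundle.write_text("# existing bundle, constructed for this example\n")
    der = b"abc"  # constructed stand-in for the downloaded DER file (not a real certificate)
    pem = with_metadata_header(der_to_pem(der), "/C=XX/O=Example/CN=Example CA",
                               "/C=XX/O=Example/CN=Example Root", "01")
    sha1 = fingerprint(der)
    first = append_ca(bundle, pem, sha1)    # appended
    second = append_ca(bundle, pem, sha1)   # already present, nothing written
    try:
        append_ca(bundle, pem, "00:" * 19 + "00")
        rejected = False
    except ValueError:
        rejected = True                     # wrong out-of-band fingerprint is refused
    text = bundle.read_text()
    return {"sha1": sha1, "first": first, "second": second, "rejected": rejected,
            "count": len(bundle_fingerprints(text)), "backup": bundle.with_suffix(".pem.bak").exists()}


if __name__ == "__main__":
    print(demo())
```

On a real system the bundle path is what certifi reports for the active interpreter (certifi.where() gives the same location as the __path__ lookup above), the DER bytes come from the downloaded .crt file, and expected_sha1 is the fingerprint you verified independently, not one computed from the file you are about to trust.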
As always: no warranties, and make sure you create a backup copy of the existing trustlist before editing it. Feel free to comment.
Howdy! This article could not be written much better!
Looking at this post reminds me of my previous roommate!
He always kept preaching about this. I will send this information to
him. Fairly certain he’s going to have a good read.
Thanks for sharing!