Python's httplib2 package did not validate ssl certificates in versions < 7.0, and started to from 7.0 and up. Unfortunately, it ships with its own set of trusted ssl certificates which comprise only a medium-sized subset of all of your favorite sites' certs (for instance, wikipedia fails when pinged at https://en.wikipedia.org!). The error looks like this:
File "/home/deploy/.virtualenvs/sandbox.koaladeal.com/local/lib/ python2.7/site-packages/ httplib2/__init__.py", line 1597, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/home/deploy/.virtualenvs/sandbox.koaladeal.com/local/lib/ python2.7/site-packages/ httplib2/__init__.py", line 1345, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/home/deploy/.virtualenvs/sandbox.koaladeal.com/local/lib/ python2.7/site-packages/ httplib2/__init__.py", line 1281, in _conn_request
conn.connect()
File "/home/deploy/.virtualenvs/sandbox.koaladeal.com/local/lib/ python2.7/site-packages/ httplib2/__init__.py", line 1036, in connect
raise SSLHandshakeError(e)
SSLHandshakeError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
So the solution is to use ubuntu's system default cert file, which lives at /etc/ssl/certs/ca-certificates.crt. I ended up overwriting the one that shipped with httplib2, which fixes the problem globally, but fails if we ever reinstall httplib2. Hence this blog post for posterity. If anyone knows of another way to globally install a new certificates file for httplib2 without changing the package itself, I'm all ears. I might just onboard the package to our project (but then I have to remember never to pip install it...).
by the way, this page was most helpful.
facepalms: 3