Braintree SDK SSLCertificateError on AppEngine local dev server


The use of <a href="https://developers.braintreepayments.com/start/hello-server/python" rel="nofollow">Braintree SDK</a> under my local dev_appserver.py is returning following error on braintree.ClientToken.generate():

SSLError: SSLCertificateError: Invalid and/or missing SSL certificate for URL: https://api.sandbox.braintreegateway.com:443/merchants/<merchant_id>/client_token

I am using the requests_toolbelt at the start of my server:

# Make requests work in GAE import requests from requests_toolbelt.adapters import appengine appengine.monkeypatch()

Explicitly excluding SSL Validation doesn't work either (returns with the same error message):


In fact, without requests_toolbelt, the error I get when calling .generate() is:

ProtocolError('Connection aborted.', error(13, 'Permission denied'))

I also tried the hack in the main.py of <a href="https://github.com/agfor/braintree-python-appengine" rel="nofollow">braintree-python-appengine</a> project but I get the same SSL error message back.

<h3>My dev environment:</h3> <ul><li>MacOSX 10.11.6</li> <li>gcloud app Python Extensions 1.9.63</li> <li>Python 2.7.10</li> <li>requests==2.18.4</li> <li>braintree==3.39.0</li> <li>Flask==0.12.2</li> </ul><h3>Note:</h3> <ol><li>Once deployed to Google App Engine, I get the client token back without any problem</li> <li>Directly use of requests on https://www.braintreepayments.com/ returns 200 without any errors</li> </ol>


Braintree support kindly replied to my inquiry with (on 2017-11-20):


The error you're receiving is generally related to the SSL/TLS protocols being used when your app is run; our sandbox environment requires connections to be made via TLS 1.2, a requirement that does not yet apply to production.

From review, it appears that the protocols being used when the app is deployed locally are not valid for our environment. If the app settings are localised within the Google App Engine, that may be the cause of the issue; Python uses the system-supplied OpenSSL, and TLSv1.2 requires OpenSSL 1.0.1c or later.


So the root cause is my version of Python which uses an older version of OpenSSL:

$ python --version Python 2.7.10 $ python >> import ssl >> ssl.OPENSSL_VERSION >> 'OpenSSL 0.9.8zh 14 Jan 2016'

The solution is to upgrade my version of python via brew:

$ brew install python $ python2 --version Python 2.7.14 $ python2 >> import ssl >> ssl.OPENSSL_VERSION >> 'OpenSSL 1.0.2m 2 Nov 2017'

Then, launching my dev server using newly installed python solves the SSLCertificateError:

python2 $appserver_path/dev_appserver.py ...


  • PIP not working - proxy - Connection aborted
  • Pip can't install any package
  • Google cloud dev_appserver.py unable to host laravel project locally
  • How to trigger processing of yaml files in local build?
  • How to fetch the file list from gcs?
  • toString() for each element of an array in Javascript [duplicate]
  • Can't figure out a function to return a reference to a given type stored in RefCell
  • writing file in heroku filesystem and reading it with web app
  • How do I include superscripts in NSString?
  • Filtering SPARQL results by day and month
  • Errno::ECONNREFUSED No connection could be made because
  • Compiling Haskell programs in Windows: is it possible without downloading something such as Cygwin?
  • Why is it ambiguous to call overloaded ambig(long) and ambig(unsigned long) with an integer literal?
  • Where in the relevant specification is it documented that some comments in a SQL script are, in fact
  • Program crashes when run outside IDE
  • three.js WebVR example code works on threejs.org but not on my local server
  • Connecting Google Cloud SQL with Wordpress on Google Compute Engine
  • Using extern @class in order to add a category?
  • iOS Localization Doesn't Work with More Than 63 Files
  • Is there a way to set up a fallback for the formAction attribute in HTML5?
  • why calling cd shell command through system() or execvp() from a child process won't work?
  • Trying to get the char code of ENTER key
  • WPF - CanExecute dosn't fire when raising Commands from a UserControl
  • NHibernate Validation Localization with S#arp Architecture
  • How can I send an e-mail from a vbs script
  • QLineEdit password safety
  • What is the “return” in scheme?
  • Accessing IRQ description array within a module and displaying action names
  • Fill an image in a square container while keeping aspect ratio
  • Rearranging Cells in UITableView Bug & Saving Changes
  • Why winpcap requires both .lib and .dll to run?
  • Is there a mandatory requirement to switch app.yaml?
  • Windows forms listbox.selecteditem displaying “System.Data.DataRowView” instead of actual value
  • What are the advantages and disadvantages of reading an entire file into a single String as opposed
  • Getting Messege Twice Using IMvxMessenger
  • sending mail using smtp is too slow
  • How to get NHibernate ISession to cache entity not retrieved by primary key
  • costura.fody for a dll that references another dll
  • Reading document lines to the user (python)
  • Binding checkboxes to object values in AngularJs