snowsql - tls_process_server_certificate - python

New to snowsql.
Installed snowsql and ran the command snowsql -a <account_name> -u <user_name>, and that failed
with the error below:
2022-04-28 18:50:59,058 (21492/MainThread) snowflake.connector.vendored.urllib3.connectionpool WARNING connectionpool:781 - Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)': /session/v1/login-request?request_id=#####&request_guid=#####
2022-04-28 18:50:59,059 (21492/MainThread) snowflake.connector.vendored.urllib3.connectionpool DEBUG connectionpool:975 - Starting new HTTPS connection (2): <account_name>.snowflakecomputing.com:443
2022-04-28 18:50:59,227 (21492/MainThread) snowflake.connector.network DEBUG network:1034 - Hit non-retryable SSL error, HTTPSConnectionPool(host='<account_name>.snowflakecomputing.com', port=443): Max retries exceeded with url: /session/v1/login-request?request_id=0b8e3a19-e618-4554-93a9-eb3a8c6d3a11&request_guid=97351d12-de91-422b-aecc-2fe38bef3032 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
I even tried running
snowsql -a <account_name> -u <user_name> -o insecure_mode=True
and the result was the same.
Not sure if I need to make any change to SYSTEM$WHITELIST.
snowcd, run right after installing, worked just fine.

The SSL certificate error is due to an SSL proxy that intercepts the SSL/TLS certificate by decrypting the certificate, inspecting and re-encrypting the certificate. Some SSL proxies insert an extra certificate into the SSL chain.
This action renders the certificate chain invalid, as Snowflake doesn't support an SSL proxy that decrypts our certificate and replaces the certificate. SSL-TLS Interception (AKA TLS Proxy or HTTPS Interception) is by definition a Man-In-The-Middle attack. Therefore, this is a risk to Snowflake and it will not be supported.
Please refer to the document here:
https://docs.snowflake.com/en/user-guide/snowsql-start.html
Snowflake's security model does not allow Secure Sockets Layer (SSL) proxies (using an HTTPS certificate). Your proxy server must use a publicly-available Certificate Authority (CA), reducing potential security risks such as a MITM (Man In The Middle) attack through a compromised proxy.
If you must use your SSL proxy, we strongly recommend that you update the server policy to pass through the Snowflake certificate such that no certificate is altered in the middle of communications.
To use Snowsql insecure mode, you will need to edit the Snowsql config file by adding the following to the [option] section:
insecure_mode = True
The configuration file can be found in either one of these locations:
/etc/snowsql.cnf
/etc/snowflake/snowsql.cnf
/usr/local/etc/snowsql.cnf
<HOME_DIR>/.snowsql.cnf (supported only for backward compatibility)
<HOME_DIR>/.snowsql/config
Please refer to the Snowsql config guide here: https://docs.snowflake.com/en/user-guide/snowsql-config.html
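Added example, not code from the Snowflake documentation or from snowsql: a small Python diagnostic that shows the difference between the setup the answer recommends (verification stays on; the proxy either passes the Snowflake chain through or its own CA is trusted explicitly via a PEM bundle) and what insecure_mode = True actually does (certificate and hostname checks off). On a verification failure it records OpenSSL's reason and captures the leaf certificate the network actually delivered, so an administrator can see whether a corporate interception CA rather than the expected issuer signed it. The function names make_context, describe_cert and diagnose, and the ca_bundle path, are assumptions.

```python
import socket
import ssl

# Added example; make_context, describe_cert and diagnose are hypothetical helper
# names, not part of snowsql or the Snowflake Python connector.


def make_context(ca_bundle=None, insecure=False):
    """Return the TLS context a client should use.

    ca_bundle: optional PEM file holding the CA that signs the proxy's re-issued
               certificates; it is trusted in addition to the platform store, so
               verification stays switched on.
    insecure:  reproduces what snowsql's insecure_mode does: certificate and
               hostname checks are disabled, so any interceptor is accepted.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    if insecure:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def name_to_str(name):
    """Flatten the nested RDN tuples that SSLSocket.getpeercert() returns."""
    return ", ".join(f"{key}={value}" for rdn in name for key, value in rdn)


def describe_cert(cert):
    """Summarise a getpeercert() dict as subject / issuer / expiry."""
    return {
        "subject": name_to_str(cert.get("subject", ())),
        "issuer": name_to_str(cert.get("issuer", ())),
        "not_after": cert.get("notAfter"),
    }


def diagnose(host, port=443, ca_bundle=None, timeout=5.0):
    """Try a verified handshake with host.

    On success return the leaf's subject and issuer. On a verification failure,
    keep OpenSSL's reason and reconnect without verification purely to capture
    the leaf certificate that was presented, returned as PEM so it can be read
    with `openssl x509 -noout -issuer`. No application data is ever sent on
    the unverified connection.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            ctx = make_context(ca_bundle=ca_bundle)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"verified": True, **describe_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        reason = exc.verify_message  # e.g. "self signed certificate in certificate chain"

    with socket.create_connection((host, port), timeout=timeout) as sock:
        ctx = make_context(insecure=True)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # With CERT_NONE the parsed dict is empty; only the DER form is available.
            der = tls.getpeercert(binary_form=True)
    return {"verified": False, "reason": reason,
            "leaf_pem": ssl.DER_cert_to_PEM_cert(der)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    result = diagnose(target)
    if result["verified"]:
        print(f"OK  subject={result['subject']}\n    issuer={result['issuer']}")
    else:
        print(f"FAILED: {result['reason']}\n{result['leaf_pem']}")
```

Run it as `python diagnose.py <account_name>.snowflakecomputing.com`; an issuer naming an internal proxy CA in the captured leaf is the interception the answer describes, and the fix is to exempt the Snowflake hosts from interception at the proxy, not to pass insecure_mode.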

Related

How to skip certificate verification in poetry?

I'm trying to add a new package using poetry add, but it always comes with this error:
HTTPSConnectionPool(host='10.140.240.64', port=443): Max retries exceeded with url: /api/v4/projects/118/packages/pypi/files/47f05b39ebe470235b70724fb049985ea75fad6c1a5007ad3462f3d430da338b/tg_client-0.1.10-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))
Who knows how to skip this verification?
Updated:
I am trying to add a package from a private repository:
[[tool.poetry.source]]
name = "my_package"
url = "https://..."
secondary = true
Maybe that is why the solution poetry config certificates.my_package.cert false doesn't work.
https://python-poetry.org/docs/repositories/#certificates:
The value of certificates.<repository>.cert can be set to false if certificate verification is required to be skipped. This is useful for cases where a package source with self-signed certificates is used.
poetry config certificates.foo.cert false
I found 2 working solutions:
Use poetry version <= 1.0.9 and run CURL_CA_BUNDLE="" poetry install;
Extract the certificate from the repository as described here, then copy-paste it at the end of the file whose path is given by requests.utils.DEFAULT_CA_BUNDLE_PATH (Python).

Deactivate SSL verification globally in Python's requests or urllib package

I know that I can disable SSL verification in Python's requests package as follows:
import requests
# verify=False disables certificate and hostname checking for this one call
response = requests.put("https://some.host/RESTfulService/My/Endpoint/", verify=False)
The problem is that I use a package in which requests is used to make requests with its default setting verify=True, and I cannot access this keyword argument to set it to False, which throws the obvious error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='some.host', port=443): Max retries exceeded with url: /RESTfulService/My/Endpoint/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))
Is there any way to deactivate SSL verification globally in requests, e.g. by setting an environment variable?

How to resolve CERTIFICATE_VERIFY_FAILED error in get_token for EventHubConsumerClient in python

I am trying to create an EventHubConsumerClient using TENANT_ID, CLIENT_ID and CLIENT_SECRET. Here is my sample code. However, I always get a warning like this:
2021-09-27:16:56:39,92 WARNING [get_token_mixin.py:get_token] ClientSecretCredential.get_token failed: Authentication failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)
2021-09-27:16:56:39,98 WARNING [decorators.py:wrapper] EnvironmentCredential.get_token failed: Authentication failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)
import os
from azure.identity import EnvironmentCredential
from azure.eventhub import EventHubConsumerClient

# EnvironmentCredential reads these three variables at get_token time
os.environ["AZURE_TENANT_ID"] = tenantId
os.environ["AZURE_CLIENT_ID"] = client_id
os.environ["AZURE_CLIENT_SECRET"] = client_secret
credential = EnvironmentCredential()
self.client = EventHubConsumerClient(fully_qualified_namespace,
                                     eventhub_name,
                                     consumer_group=group,
                                     credential=credential,
                                     http_proxy=self.HTTP_PROXY, ssl_verify=True)
I know that my tenantId, clientId and secret are correct because I am able to do a post request and get a token. However to create a client, our solution does not return a connection_string and hence I have to do clientid authentication: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/eventhub/azure-eventhub/samples/sync_samples/client_identity_authentication.py
This might be caused either by server configuration or Python configuration.
If your z/OSMF was configured with self signed certificate, the python3 output error is:
certificate verify failed: self signed certificate in certificate chain
The default value of the verify parameter is True. The Python 3.6+ installer has its own default certificate store for verifying SSL connections. The system certificate store will not be used any more. To use the default certificate store, the Python library certifi must be installed in advance.
You can use the command "pip3 install certifi" to install it.
The Python default certificate store is in the cacert.pem file; you can find its path with:
import certifi
certifi.where()  # returns the path of the bundle in use
'/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/certifi/cacert.pem'
For more information refer to the community blog
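Added example, not code from certifi, requests or poetry, covering the two Python-side fixes suggested on this page: the poetry answer pastes the private CA at the end of requests.utils.DEFAULT_CA_BUNDLE_PATH, and the z/OSMF answer points at certifi.where(). Editing the packaged cacert.pem in place is lost on the next upgrade of certifi, so this script builds a separate merged bundle (public roots plus the extra CA) and shows how a client finds it through REQUESTS_CA_BUNDLE (read by requests, and therefore by tools built on it) or SSL_CERT_FILE (read by OpenSSL). The helper names default_ca_bundle, merge_ca_bundle and count_certs are assumptions, and the PEM blocks in demo() are constructed placeholders, not real certificates.

```python
import os
import ssl
import tempfile

# Added example; default_ca_bundle, merge_ca_bundle and count_certs are
# hypothetical helper names, not part of requests, certifi or poetry.

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def default_ca_bundle():
    """Return the PEM bundle a Python client is most likely verifying against.

    Order: an explicit override in the environment (REQUESTS_CA_BUNDLE for
    requests, SSL_CERT_FILE for OpenSSL itself), then certifi's own bundle if
    certifi is installed, then the default file OpenSSL was built with.
    """
    for var in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"):
        path = os.environ.get(var)
        if path:
            return path
    try:
        import certifi  # third-party; ships its own cacert.pem
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile


def count_certs(path):
    """Number of PEM certificate blocks in a bundle file."""
    with open(path, "r", encoding="utf-8") as fh:
        return sum(1 for line in fh if line.strip() == PEM_BEGIN)


def merge_ca_bundle(base_bundle, extra_pem, out_path):
    """Write base_bundle followed by extra_pem to out_path.

    The result is a separate file the client is pointed at (for example by
    exporting REQUESTS_CA_BUNDLE=out_path), so the packaged bundle stays
    untouched and the extra CA survives `pip install -U certifi`.
    Returns the number of certificates in the merged file.
    """
    with open(out_path, "w", encoding="utf-8") as dst:
        for src_path in (base_bundle, extra_pem):
            with open(src_path, "r", encoding="utf-8") as src:
                text = src.read()
            dst.write(text)
            if not text.endswith("\n"):
                dst.write("\n")  # keep every PEM block on its own lines
    return count_certs(out_path)


def demo():
    """Stand-alone run on constructed placeholder PEM blocks (not real certs)."""
    def fake_block(label):
        return f"{PEM_BEGIN}\n{label}\n{PEM_END}"

    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base.pem")
        extra = os.path.join(tmp, "corp-proxy-ca.pem")
        out = os.path.join(tmp, "merged.pem")
        with open(base, "w", encoding="utf-8") as fh:
            # deliberately no trailing newline, the case merge_ca_bundle handles
            fh.write(fake_block("PLACEHOLDER-PUBLIC-ROOT-1") + "\n"
                     + fake_block("PLACEHOLDER-PUBLIC-ROOT-2"))
        with open(extra, "w", encoding="utf-8") as fh:
            fh.write(fake_block("PLACEHOLDER-CORP-PROXY-CA") + "\n")
        return merge_ca_bundle(base, extra, out)


if __name__ == "__main__":
    print("bundle in use:", default_ca_bundle())
    print("merged placeholder bundle holds", demo(), "certificates")
```

In real use the base file is the path default_ca_bundle() reports and the extra file is the proxy's CA exported by the proxy administrator; point the client at the merged file with REQUESTS_CA_BUNDLE rather than turning verification off.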

Ubuntu Verifies SSL Cert, but Python does not: requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

I am hosting a site using SSL / HTTPS, and am attempting to make a request to it from a Python 2.7 script on the server (Ubuntu 18.04).
When running the script, I get this error:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
However, when I run curl --verbose -X GET -I <url> on the same server, it says the certificate was verified.
I do know that the cert is in fact valid and is not a self signed cert.
Any ideas on what I can do to get python to accept that cert?
Edit: here's the code to trigger the issue. Note that I'm not including the URL as it is not accessible to the general public:
import requests
r = requests.get('https://www.example.org')
print r.status_code

google-cloud-profiler metadata server WARNING

I am trying to use Google Cloud Profiler in a Python script running locally. It seems to be having problems connecting to the metadata server:
WARNING:googlecloudprofiler.client:Failed to fetch instance/zone from GCE metadata server: HTTPConnectionPool(host='metadata', port=80): Max retries exceeded with url: /computeMetadata/v1/instance/zone (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known',))
WARNING:googlecloudprofiler.client:Failed to fetch instance/name from GCE metadata server: HTTPConnectionPool(host='metadata', port=80): Max retries exceeded with url: /computeMetadata/v1/instance/name (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known',))
Since the app seems to be running correctly and the profiler is collecting data successfully, is it OK if I just ignore the warnings or will I likely encounter some problems in the future?
If you're running locally (and haven't, for example, manually set the zone in the config), these warnings are expected, so ignoring them is definitely okay.
(Disclosure: I work at Google on Stackdriver Profiler)