Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SNOW-1822170: Doesn't load TRUSTED CERTIFICATE when used with REQUESTS_CA_BUNDLE #2667

Open
NawreCode opened this issue Nov 22, 2024 · 1 comment
Open

SNOW-1822170: Doesn't load TRUSTED CERTIFICATE when used with REQUESTS_CA_BUNDLE #2667

NawreCode opened this issue Nov 22, 2024 · 1 comment
Labels
bug Something isn't working status-triage Issue is under initial triage

Comments

@NawreCode
Copy link

NawreCode commented Nov 22, 2024
edited
Loading

Hi, we are facing an issue when using a trusted ca-bundle in our setup.

  1. What version of Python are you using?
Python 3.9.18 (main, Apr 10 2024, 10:24:50) 
[GCC 13.2.1 20230801]
  1. What operating system and processor architecture are you using?
Linux-6.11.9-arch1-1-x86_64-with-glibc2.40

(also tested on alma8, should be reproducible on any OS)

  1. What are the component versions in the environment (pip freeze)?

Reproduce with snowflake-snowpark-python==1.25.0

asn1crypto==1.5.1
certifi==2024.8.30
cffi==1.17.1
charset-normalizer==3.4.0
cloudpickle==2.2.1
cryptography==43.0.3
filelock==3.16.1
idna==3.10
numpy==2.0.2
packaging==24.2
pandas==2.2.3
platformdirs==4.3.6
protobuf==5.28.3
pyarrow==18.0.0
pycparser==2.22
PyJWT==2.10.0
pyOpenSSL==24.2.1
python-dateutil==2.9.0.post0
pytz==2024.2
PyYAML==6.0.2
requests==2.32.3
six==1.16.0
snowflake-connector-python==3.12.3
snowflake-snowpark-python==1.25.0
sortedcontainers==2.4.0
tomlkit==0.13.2
typing_extensions==4.12.2
tzdata==2024.2
tzlocal==5.2
urllib3==1.26.20

  1. What did you do?

    1. export REQUESTS_CA_BUNDLE=/etc/ca-certificates/extracted/ca-bundle.trust.crt => adapt the path to your OS
    2. run the sample code to create a session:
from snowflake.snowpark import Session

connection_parameters = {
   ...
}

session = Session.builder.configs(connection_parameters).create()

Result:
ERROR:snowflake.connector.ocsp_snowflake:No CA bundle file is found in the system. Set REQUESTS_CA_BUNDLE to the file. and a nice stack trace.

  1. What did you expect to see?

It should be able to load the certificates from the ca-bundle.trust.crt file, and create the session.

We investigated a bit and it looks like it comes from snowflake.connector.ocsp_asn1crypto.py::SnowflakeOCSPAsn1Crypto::read_cert_bundle, where it is only loading certificates of type CERTIFICATE. However, in ca-bundle.trusted.crt, the certificates are of type TRUSTED CERTIFICATE, here is an extract:

# ACCVRAIZ1
-----BEGIN TRUSTED CERTIFICATE-----
xxxxxxxxx
-----END TRUSTED CERTIFICATE-----
@NawreCode NawreCode added bug Something isn't working needs triage Initial RCA is required labels Nov 22, 2024
@github-actions github-actions bot changed the title Doesn't load TRUSTED CERTIFICATE when used with REQUESTS_CA_BUNDLE SNOW-1822170: Doesn't load TRUSTED CERTIFICATE when used with REQUESTS_CA_BUNDLE Nov 22, 2024
@sfc-gh-sghosh
Copy link

Hello @NawreCode ,

Thanks for raising the issue, we are looking into it, will update.

Regards,
Sujan

@sfc-gh-sghosh sfc-gh-sghosh added status-triage Issue is under initial triage and removed needs triage Initial RCA is required labels Dec 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working status-triage Issue is under initial triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@NawreCode @sfc-gh-sghosh