snowsql - tls_process_server_certificate

New to snowsql.

Installed snowsql and ran the command snowsql -a <account_name> -u <user_name> and that failed with the error below:

2022-04-28 18:50:59,058 (21492/MainThread) snowflake.connector.vendored.urllib3.connectionpool WARNING connectionpool:781 - Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)': /session/v1/login-request?request_id=#####&request_guid=#####
2022-04-28 18:50:59,059 (21492/MainThread) snowflake.connector.vendored.urllib3.connectionpool DEBUG connectionpool:975 - Starting new HTTPS connection (2): <account_name>.snowflakecomputing.com:443
2022-04-28 18:50:59,227 (21492/MainThread) snowflake.connector.network DEBUG network:1034 - Hit non-retryable SSL error, HTTPSConnectionPool(host='<account_name>.snowflakecomputing.com', port=443): Max retries exceeded with url: /session/v1/login-request?request_id=0b8e3a19-e618-4554-93a9-eb3a8c6d3a11&request_guid=97351d12-de91-422b-aecc-2fe38bef3032 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

Even tried running

snowsql -a <account_name> -u <user_name> -o insecure_mode=True

The result was the same.

Not sure if I need to make any change to SYSTEM$WHITELIST.

The snowcd after installing worked just fine.



Solution 1:[1]

The SSL certificate error is due to an SSL proxy that intercepts the SSL/TLS certificate by decrypting the certificate, inspecting and re-encrypting the certificate. Some SSL proxies insert an extra certificate into the SSL chain.

This action renders the certificate chain invalid, as Snowflake doesn't support an SSL proxy that decrypts our certificate and replaces the certificate. SSL-TLS Interception (AKA TLS Proxy or HTTPS Interception) is by definition a Man-In-The-Middle attack. Therefore, this is a risk to Snowflake and it will not be supported.

Please refer to the document here: https://docs.snowflake.com/en/user-guide/snowsql-start.html

Snowflake's security model does not allow Secure Sockets Layer (SSL) proxies (using an HTTPS certificate). Your proxy server must use a publicly-available Certificate Authority (CA), reducing potential security risks such as a MITM (Man In The Middle) attack through a compromised proxy.

If you must use your SSL proxy, we strongly recommend that you update the server policy to pass through the Snowflake certificate such that no certificate is altered in the middle of communications.

To use SnowSQL insecure mode, you will need to edit the SnowSQL config file by adding the following to the [option] section:

insecure_mode = True

The configuration file can be found in either one of these locations:

 /etc/snowsql.cnf
 /etc/snowflake/snowsql.cnf
 /usr/local/etc/snowsql.cnf
 <HOME_DIR>/.snowsql.cnf (supported only for backward compatibility)
 <HOME_DIR>/.snowsql/config

Please refer to the SnowSQL config guide here: https://docs.snowflake.com/en/user-guide/snowsql-config.html
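
Since insecure_mode weakens SnowSQL's certificate checking and is easy to leave behind after troubleshooting, it helps to know which of the config files listed above still enable it. The following is an added example, not part of the original answer or of Snowflake's tooling; the function name find_insecure_mode is hypothetical, and it scans every section of each file rather than assuming a section name.

```python
import configparser
import os

# Config locations listed in the answer; "~" stands in for <HOME_DIR>.
SNOWSQL_CONFIG_PATHS = [
    "/etc/snowsql.cnf",
    "/etc/snowflake/snowsql.cnf",
    "/usr/local/etc/snowsql.cnf",
    "~/.snowsql.cnf",
    "~/.snowsql/config",
]

TRUTHY = {"true", "1", "yes", "on"}


def find_insecure_mode(paths=SNOWSQL_CONFIG_PATHS):
    """Return (path, section) pairs where insecure_mode is switched on.

    Files that exist but cannot be parsed are reported with the section
    "<unparseable>" so they get a manual look instead of being skipped.
    """
    findings = []
    for raw in paths:
        path = os.path.expanduser(raw)
        if not os.path.isfile(path):
            continue  # location not used on this machine
        parser = configparser.ConfigParser(
            interpolation=None,                  # values may contain '%'
            strict=False,                        # tolerate duplicate keys
            inline_comment_prefixes=("#", ";"),  # "True  # temp" -> "True"
        )
        try:
            parser.read(path, encoding="utf-8")
        except (configparser.Error, UnicodeDecodeError):
            findings.append((path, "<unparseable>"))
            continue
        for section in parser.sections():
            # Option names are matched case-insensitively by configparser.
            value = parser.get(section, "insecure_mode", fallback="")
            if value.strip().strip("\"'").lower() in TRUTHY:
                findings.append((path, section))
    return findings


if __name__ == "__main__":
    for path, section in find_insecure_mode():
        print(f"insecure_mode enabled: {path} [{section}]")
```

The check covers config files only; a run started with -o insecure_mode=True on the command line, as in the question, leaves no trace in them.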

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Sheng