Skip to content

SNOW-1822170: Doesn't load TRUSTED CERTIFICATE when used with REQUESTS_CA_BUNDLE #2667

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
SNOW-1822170: Doesn't load TRUSTED CERTIFICATE when used with REQUESTS_CA_BUNDLE#2667
Labels
bugSomething isn't workingstatus-triageIssue is under initial triage
@NawreCode

Description

@NawreCode
NawreCode
opened on Nov 22, 2024

Hi, we are facing an issue when using a trusted ca-bundle in our setup.

  1. What version of Python are you using?
Python 3.9.18 (main, Apr 10 2024, 10:24:50) 
[GCC 13.2.1 20230801]
  1. What operating system and processor architecture are you using?
Linux-6.11.9-arch1-1-x86_64-with-glibc2.40

(also tested on alma8, should be reproducible on any OS)

  1. What are the component versions in the environment (pip freeze)?

Reproduce with snowflake-snowpark-python==1.25.0

asn1crypto==1.5.1
certifi==2024.8.30
cffi==1.17.1
charset-normalizer==3.4.0
cloudpickle==2.2.1
cryptography==43.0.3
filelock==3.16.1
idna==3.10
numpy==2.0.2
packaging==24.2
pandas==2.2.3
platformdirs==4.3.6
protobuf==5.28.3
pyarrow==18.0.0
pycparser==2.22
PyJWT==2.10.0
pyOpenSSL==24.2.1
python-dateutil==2.9.0.post0
pytz==2024.2
PyYAML==6.0.2
requests==2.32.3
six==1.16.0
snowflake-connector-python==3.12.3
snowflake-snowpark-python==1.25.0
sortedcontainers==2.4.0
tomlkit==0.13.2
typing_extensions==4.12.2
tzdata==2024.2
tzlocal==5.2
urllib3==1.26.20

  1. What did you do?

    1. export REQUESTS_CA_BUNDLE=/etc/ca-certificates/extracted/ca-bundle.trust.crt => adapt the path to your OS
    2. run the sample code to create a session:
from snowflake.snowpark import Session

connection_parameters = {
   ...
}

session = Session.builder.configs(connection_parameters).create()

Result:
ERROR:snowflake.connector.ocsp_snowflake:No CA bundle file is found in the system. Set REQUESTS_CA_BUNDLE to the file. and a nice stack trace.

  1. What did you expect to see?

It should be able to load the certificates from the ca-bundle.trust.crt file, and create the session.

We investigated a bit and it looks like it comes from snowflake.connector.ocsp_asn1crypto.py::SnowflakeOCSPAsn1Crypto::read_cert_bundle, where it is only loading certificates of type CERTIFICATE. However, in ca-bundle.trusted.crt, the certificates are of type TRUSTED CERTIFICATE, here is an extract:

# ACCVRAIZ1
-----BEGIN TRUSTED CERTIFICATE-----
xxxxxxxxx
-----END TRUSTED CERTIFICATE-----

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingstatus-triageIssue is under initial triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions