Diagnosing Common Connectivity Issues

There are a variety of issues you could encounter while connecting to any online service, including Snowflake.

Currently, this topic focuses only on the potential issues you may encounter with the OCSP (Online Certificate Status Protocol) checks performed by Snowflake clients.

As an integral component of securing communications, each Snowflake client (Python, JDBC, ODBC, etc.) verifies the current validity of the signed Snowflake certificate issued by a trusted CA (certificate authority). If communication is blocked between a Snowflake client and the CA site or OCSP responder, a TLS/SSL error is generated.

Verifying Communication with Your CA Site or OCSP Responder

To verify that communication is not blocked:

Step 1: Retrieve the URL for Your Certificate

Retrieve the URL used by Snowflake for OCSP checks on your signed Snowflake certificate:

  1. In Google Chrome, log into the Snowflake web interface.

  2. In the top-right corner of the browser window, click the icon (“Customize and control Google Chrome”). Then, click on More Tools » Developer Tools.

  3. The Developer Tools frame appears. In the frame, click on the Security tab.

  4. Click the View certificate button, then expand the Details section.

  5. Scroll through the details until you find the appropriate extension and make note of the URL for:

    Online Certificate Status Protocol (e.g. http://ocsp.netsolssl.com)

    For example (figure): Viewing OCSP URL for certificate in Developer Tools

Next, test your ability to access the URL (see Step 2). Various network issues could prevent the Snowflake client from accessing the URL. For example, your firewall may be blocking access to the sites used by Snowflake.

Step 2: Test the URL

Complete the operating system-specific steps to check whether you can reach the URL (<ocsp_url>) you retrieved in Step 1:

Windows:
  1. Open a PowerShell window on the host where the connectivity problem persists.

  2. Execute the following command:

    Invoke-WebRequest <ocsp_url>

    The Invoke-WebRequest command sends an HTTP request to a web page or web service and returns a response.

Linux / Mac OS:
  1. Open a terminal on the host where the connectivity problem persists.

  2. Execute the following command:

    curl -I <ocsp_url>

If successful, the command will return results similar to:

HTTP/1.1 200 OK
Server: Apache
X-OCSP-Responder-ID: dwdccaocsp27
Content-Length: 5
Content-Type: application/ocsp-response
Date: Thu, 09 Aug 2018 19:19:20 GMT
Connection: keep-alive

If the command returns an error, report the issue to your network administrator to diagnose further. They might need to explicitly whitelist the OCSP host used to check your certificate.

If the command returns a status code other than 200, contact Snowflake Support.
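The following script is an added example, not part of the Snowflake documentation. It automates the two steps above: it reads the OCSP responder URL straight from the certificate a host presents (in place of the Chrome Developer Tools walk-through), probes that URL with `curl -I`, and sorts the result into the outcomes the procedure describes. It assumes openssl and curl are installed; the host name in the usage line and the sample header blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Snowflake's own code): locate and probe the OCSP responder
# for a host's certificate. Assumes openssl and curl are on PATH.

# Print the OCSP responder URL(s) from the certificate served by HOST:PORT.
# Example: ocsp_url_for_host myaccount.snowflakecomputing.com 443
ocsp_url_for_host() {
  host="$1"
  port="${2:-443}"
  # -servername sends SNI so the right certificate is returned; stdin is empty
  # so s_client exits after the handshake. -ocsp_uri prints the AIA OCSP entry.
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -ocsp_uri
}

# Classify raw `curl -I` output (the response headers) into one of:
#   pass                HTTP 200 with an OCSP content type: responder reachable
#   bad_status          reachable but not 200: the page says contact Snowflake Support
#   unexpected_content  200 but not an OCSP response (captive portal, proxy page)
#   blocked             no HTTP status line, i.e. curl failed: likely a firewall
#                       or proxy problem to report to the network administrator
classify_ocsp_response() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  # Take the last status line: a proxy may prepend "HTTP/1.1 200 Connection established".
  status=$(printf '%s\n' "$headers" | grep -i '^HTTP/' | tail -n 1 | awk '{print $2}')
  if [ -z "$status" ]; then
    echo blocked
  elif [ "$status" != "200" ]; then
    echo bad_status
  elif printf '%s\n' "$headers" | grep -qi '^Content-Type:.*application/ocsp-response'; then
    echo pass
  else
    echo unexpected_content
  fi
}

# Probe one responder URL (the equivalent of `curl -I <ocsp_url>` above) and
# print the classification. A short timeout keeps a blackholed port 80 from hanging.
check_ocsp_url() {
  headers=$(curl -sS -I --max-time 10 "$1" 2>/dev/null) || headers=""
  classify_ocsp_response "$headers"
}

# Constructed sample header blocks (modelled on the successful response shown
# above) so the classifier can be exercised without network access.
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache
X-OCSP-Responder-ID: dwdccaocsp27
Content-Length: 5
Content-Type: application/ocsp-response'
SAMPLE_VIA_PROXY='HTTP/1.1 200 Connection established

HTTP/1.1 503 Service Unavailable
Content-Type: text/html'
SAMPLE_PORTAL='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8'
SAMPLE_BLOCKED=''

# Live usage (host name is an assumed placeholder):
#   check_ocsp_url "$(ocsp_url_for_host myaccount.snowflakecomputing.com)"
```

The proxy sample matters in practice: a forward proxy that tunnels the request answers with its own 200 first, so reading only the first status line would report a responder outage as success. The `unexpected_content` outcome covers the case where port 80 is answered by a captive portal or proxy block page rather than the responder, which also breaks the client's OCSP check even though `curl -I` sees a 200.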

CA Site and OCSP Responder Hosts Used by Snowflake (by Cloud Platform and Region)

Snowflake uses the following hosts for OCSP certification checks. Note that the hosts may differ by Snowflake Region for a given cloud platform.

Important

These are examples of the most commonly-used hosts. For each region (or individual account), Snowflake may use a certificate issued by a different CA, which results in different hosts and URLs. For example:

  • For most accounts in US West (on AWS), Snowflake currently uses Digicert-signed certificates from Network Solutions.
  • For other Snowflake Regions (on AWS), Snowflake mostly uses certificates from the Amazon CA.

In addition, Snowflake may change certificates as they expire or require enhancement, which will result in different hosts and URLs.

For a complete list of hosts and URLs for your account, please contact Snowflake Support.

Snowflake on AWS

Host                              US West   Other Regions   Notes
ocsp.snowflakecomputing.com:80                              Snowflake’s OCSP response cache server. Note that the hostname is different if AWS PrivateLink is enabled.
*.amazontrust.com:80
*.digicert.com:80
*.netsolssl.com:80
*.ss2.us:80
*.usertrust.com:80

Snowflake on Microsoft Azure

Host                              East US 2   Notes
ocsp.snowflakecomputing.com:80                Snowflake’s OCSP response cache server.
*.digicert.com:80
*.msocsp.com:80

OCSP Certification Checks Require Port 80

All communication with Snowflake happens using port 443. However, OCSP certification checks are transmitted over port 80. If your workstation is behind a firewall, make sure that the network administrator for your organization has opened the firewall to traffic on ports 443 and 80.

JDBC and ODBC Drivers No Longer Use CRL

A CRL (certificate revocation list) specifies the certificates that have been explicitly revoked by a given CA. Older versions of the JDBC and ODBC drivers used either CRL or OCSP to verify TLS/SSL certificates. Starting with the following versions, the drivers use only OCSP for all certificate verification:

  • JDBC 3.5.0 (or higher)
  • ODBC 2.15.0 (or higher)