Diagnosing Common Connectivity Issues

There are a variety of issues you could encounter while connecting to any online service, including Snowflake. For now, this topic focuses on issues with the certificate revocation list (CRL) or online certificate status protocol (OCSP) checks performed by Snowflake clients. As an integral component of securing communications, Snowflake clients verify the current validity of the signed Snowflake certificate issued by a trusted certificate authority (CA). If communication between the client and the CA or OCSP responder is blocked, an SSL error is generated.

Note also that all communication with Snowflake happens using port 443. However, CRL and OCSP certification checks are transmitted over port 80. If your workstation is behind a firewall, make sure that the network administrator for your organization has opened the firewall to traffic on ports 443 and 80.

Step 1: Retrieve the CA Site and OCSP Responder URLs for Your SSL Certificate

View the URLs used by Snowflake for CRL and OCSP checks:

  1. In Google Chrome, log into your Snowflake account.

  2. Click More Tools » Developer Tools from the menu in the top-right corner.

  3. Click on the Security tab.

  4. Click the View certificate button.

  5. Expand the Details section.

  6. Locate and make note of the following URLs:

    • CRL Distribution Points
    • Online Certificate Status Protocol

Next, test your ability to access the URLs. Various network issues could prevent the Snowflake client from accessing the URLs. For example, your firewall may be blocking access to the sites used by Snowflake.

Step 2: Test the URLs by Verifying Communication with the Sites

Complete the steps for your operating system to check whether you can reach the URLs you retrieved in Step 1.

Windows

  1. Open a PowerShell window on the host where the connectivity problem persists.

  2. Execute the following commands. The Invoke-WebRequest command sends an HTTP request to a web page or web service and returns a response.

    Invoke-WebRequest -Outfile crl_test.html <crl_url>
    
    Invoke-WebRequest <ocsp_url>
    

    Where:

    • crl_url is the CRL Distribution Points URL you retrieved. Input the entire URL path, e.g. http://crl.netsolssl.com/NetworkSolutionsOVServerCA2.crl.
    • ocsp_url is the Online Certificate Status Protocol URL you retrieved.

    If the commands return an error, report the issue to your network administrator to diagnose further.

Linux or Mac OS

  1. Open a terminal on the host where the connectivity problem persists.

  2. Execute the following commands:

    curl -I <crl_url>
    
    curl -I <ocsp_url>
    

    Where:

    • crl_url is the CRL Distribution Points URL you retrieved. Input the entire URL path, e.g. http://crl.netsolssl.com/NetworkSolutionsOVServerCA2.crl.
    • ocsp_url is the Online Certificate Status Protocol URL you retrieved.

    If either command returns an error, report the issue to your network administrator to diagnose further.

    If either command returns a status code other than 200, contact Snowflake Support.
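
Steps 1 and 2 can also be run from a terminal without a browser. The script below is an added example, not Snowflake tooling: it assumes `openssl` and `curl` are installed, and its function names and the script name are hypothetical. With no argument it does nothing; pass your Snowflake account hostname to run the checks.

```shell
#!/bin/sh
# Added example, not Snowflake tooling. Assumes openssl and curl are installed.
# Usage: sh check_revocation.sh <account_hostname>   (script name is hypothetical)

# Step 1: read `openssl x509 -noout -text` output on stdin and print one
# "KIND URL" line per CRL distribution point and OCSP responder.
extract_revocation_urls() {
    awk '
        /X509v3|Authority Information Access/ {
            in_crl = ($0 ~ /CRL Distribution Points/); next
        }
        in_crl && /URI:/ { sub(/^.*URI:/, ""); print "CRL", $0; next }
        /OCSP - URI:/    { sub(/^.*OCSP - URI:/, ""); print "OCSP", $0 }
    '
}

# Step 2: map a curl exit code ($1) and HTTP status ($2) to the page's guidance.
classify_check() {
    if [ "$1" -ne 0 ]; then
        echo "BLOCKED (curl exit $1): report to your network administrator"
    elif [ "$2" = "200" ]; then
        echo "OK"
    else
        echo "HTTP $2: contact Snowflake Support"
    fi
}

# Send the same HEAD request as `curl -I <url>`, with a timeout, and classify it.
check_url() {
    status=$(curl -I -s -o /dev/null --max-time 10 -w '%{http_code}' "$1") \
        && rc=0 || rc=$?
    classify_check "$rc" "$status"
}

# Fetch the server certificate, extract its URLs, and test each one.
if [ "$#" -eq 1 ]; then
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text |
        extract_revocation_urls |
        while read -r kind url; do
            printf '%-4s %s -> %s\n' "$kind" "$url" "$(check_url "$url")"
        done
fi
```

A `BLOCKED` result on a port 80 URL while the TLS connection on port 443 succeeds points at the firewall rule described at the top of this topic.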