I can successfully access Snowflake via snowsql, and a browser using the same credentials. However, those credentials do not work with the Driver as laid out in odbc-mac guide. When I test according to "Step 3: Test the ODBC Driver" I get the following experience:
$ "/Library/Application Support/iODBC/bin/iodbctest"
iODBC Demonstration program
This program shows an interactive SQL processor
Driver Manager: 03.52.1521.0607
Enter ODBC connect string (? shows list): dsn=SnowflakeDSII;pwd=[pwd]
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
1: SQLDriverConnect = [Snowflake][DSI] An error occurred while attempting to retrieve the error message for key 'SFRestRequestFailed' with message parameters ['[host]:443/session/v1/login-request?requestId=[id]&request_guid=[guid]&databaseName=[db_name]&warehouse=[wh]&roleName=[role]', 'CURLerror (curl_easy_perform() failed) - code=77 msg='Problem with the SSL CA cert (path? access rights?)' osCode=2 osMsg='No (-1) SQLSTATE=HY000
1: ODBC_Connect = [Snowflake][DSI] An error occurred while attempting to retrieve the error message for key 'SFRestRequestFailed' with message parameters ['[host]:443/session/v1/login-request?requestId=[id]&request_guid=[guid]&databaseName=[db]&warehouse=[wh]&roleName=[role]', 'CURLerror (curl_easy_perform() failed) - code=77 msg='Problem with the SSL CA cert (path? access rights?)' osCode=2 osMsg='No (-1) SQLSTATE=HY000
My odbc.ini file is:
[ODBC Data Sources]
SnowflakeDSII = Snowflake
[SnowflakeDSII]
Server = [host account].[aws region].snowflakecomputing.com
UID = [user]
Role = [role]
Database = [db]
Warehouse = [warehouse]
Driver = /opt/snowflake/snowflakeodbc/lib/universal/libSnowflake.dylib
Also...
I installed the driver: snowflake_odbc_mac_arm64-2.25.0.dmg
I had to manually mkdir universal and cp lib/libSnowflake.dylib lib/universal/libSnowflake.dylib
(And the error files too)
Thank you for your time!
Update
Also note the system couldn't find the following error files:
"exceptionMessage": "CURLerror (curl_easy_perform() failed) - code=77 msg='Problem with the SSL CA cert (path? access rights?)' osCode=2 osMsg='No such file or directory'",
"request": "https://[host].us-east-1.snowflakecomputing.com:443/session/v1/login-request?requestId=b5ebf406-989e-4aab-a043-6b4b656961cd&request_guid=8b68691f-db12-44c3-9a91-1fc685cd87a5&databaseName=[db]&warehouse=[wh]&roleName=[role]",
"sqlState": "HY000"
"/opt/snowflake/snowflakeodbc/lib/universal/en-US/SFMessages.xml"
"/opt/snowflake/snowflakeodbc/lib/universal/SFMessages_en-US.xml"
So I touched them, but then the error said they were 'empty'
The issue was that many of the files that the system needs to be in /lib/universal are not there.
The solution is to either symlink them, or move them from /opt/snowflake/snowflakeodbc.
For example:
# I found
/opt/snowflake/snowflakeodbc/lib/universal/en-US/SFMessages.xml
in
/opt/snowflake/snowflakeodbc/ErrorMessages
Also
/opt/snowflake/snowflakeodbc/lib/cacert.pem
# needed to be moved to
/opt/snowflake/snowflakeodbc/lib/universal/cacert.pem
Thank you, #Sergiu for the logging guidance!
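A preflight check for the failure described in this post, added here as an example and not part of the original post or the Snowflake driver: it classifies the CA bundle and message file the driver looked for as missing, empty, unreadable or usable. The function names are hypothetical, and the PEM test only looks for a certificate marker.

```shell
#!/bin/sh
# Added example: preflight check for the files the post found missing or empty.

# Classify one file: MISSING, EMPTY, UNREADABLE, NOT_PEM (CA bundle only) or OK.
file_state() {            # $1 = path, $2 = "pem" to also require a certificate block
  if [ ! -e "$1" ]; then echo MISSING        # curl 77 with osCode=2
  elif [ ! -s "$1" ]; then echo EMPTY        # what a bare `touch` leaves behind
  elif [ ! -r "$1" ]; then echo UNREADABLE   # the "access rights?" half of the message
  elif [ "${2:-}" = pem ] &&
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo NOT_PEM
  else echo OK
  fi
}

# Check the two files named in the post, relative to the driver's library directory.
# Returns non-zero if any of them is not OK.
check_driver_dir() {      # $1 = e.g. /opt/snowflake/snowflakeodbc/lib/universal
  dir=$1; rc=0
  for spec in cacert.pem:pem en-US/SFMessages.xml:xml; do
    rel=${spec%%:*}; kind=${spec##*:}
    state=$(file_state "$dir/$rel" "$kind")
    echo "$state $dir/$rel"
    [ "$state" = OK ] || rc=1
  done
  return "$rc"
}

# Run against a directory given on the command line.
if [ -n "${1:-}" ]; then check_driver_dir "$1"; fi
```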
Related
I am trying to use flyway tool for database migration. I am able to run it when using sql authentication but I have to use active directory authentication. My connection string looks like this:
flyway.url=jdbc:sqlserver://:;databaseName=;authentication=ActiveDirectoryInteractive;ssl=true
and I have flyway user and password in the conf file.
I am getting below error:
SQL State : 08S01
Error Code : 0
Message : The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target". ClientConnectionId:991bff03-8d3e-4326-99c8-a182a11d3ac7
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I found one article on flyway site about ssl support and it requires sql server certificates to be copied for flyway to use. I am looking for another workaround for that. Any help is appreciated.
thanks
I am using Gatling 3.0.0 as a plugin in SBT. I am configuring the browser as given in https://gatling.io/docs/current/http/recorder/#recorder under the configuration heading. After that, when I start the recorder using gatling:startRecorder in sbt and try to hit my website https://www.example.com/, Firefox displayed:
Did Not Connect: Potential Security Issue
Firefox detected a potential security threat and did not continue to www.mydomain.com because this website requires a secure connection.
www.mydomain.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site
and here are the exception logs
ioEventLoopGroup-2-1] DEBUG io.netty.handler.ssl.util.InsecureTrustManagerFactory - Accepting a server certificate: CN=www.mydomain.com
14:44:55.604 [nioEventLoopGroup-4-2] DEBUG io.gatling.recorder.http.Mitm$ - Open new server channel
14:44:55.607 [nioEventLoopGroup-4-1] WARN io.netty.channel.DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:672)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:627)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:443)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:422)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
... 16 common frames omitted
14:44:55.609 [recorder-akka.actor.default-dispatcher-4] DEBUG io.gatling.recorder.http.flows.SecuredNoProxyMitmActor - Server channel 6acf48e4 was closed while in Connected state, closing
14:44:55.622 [recorder-akka.actor.default-dispatcher-2] DEBUG io.gatling.recorder.http.flows.PlainNoProxyMitmActor - serverChannel=8d7b2171 received init request http://detectportal.firefox.com/success.txt, connecting
14:44:55.622 [recorder-akka.actor.default-dispatcher-2] DEBUG io.gatling.recorder.http.flows.PlainNoProxyMitmActor - Connecting to Remote(detectportal.firefox.com,80)
14:44:55.629 [recorder-akka.actor.default-dispatcher-4] INFO akka.actor.RepointableActorRef - Message [io.gatling.recorder.http.flows.MitmMessage$ClientChannelInactive] without sender to Actor[akka://recorder/user/$a#-1754914561] was not delivered. [1] dead letters encountered. If this is not an expected behavior, then [Actor[akka://recorder/user/$a#-1754914561]] may have terminated unexpectedly, This logging can be turned off or adjusted with configuration settings 'akka.log-dead-letters' and 'akka.log-dead-letters-during-shutdown'.
14:44:55.655 [nioEventLoopGroup-2-2] DEBUG io.gatling.recorder.http.Mitm$ - Open new client channel
How did you configure the proxy in your Firefox? Do you have a proxy only for http or also for https? If you are also proxying https requests, then in the recorder settings you need to switch "HTTPS mode" to "Certificate Authority". There will be a button to generate a new certificate authority file that you need to import into your browser (Preferences / Privacy & Security / Certificates / View certificates / Import). After that your browser will know that it can trust the Gatling proxy server and you should be able to proxy ssl requests as well.
I'm trying to connect using SSL, SSL is enabled on the server but I'm not able to connect using the rabbitmq-c client.
I took the amqps_connect_timeout.c example and this is the error that I'm getting at amqp_socket_open_noblock.
SSL peer cert verification failed
When using OpenSSL the connection and verification succeed.
openssl verify -CAfile cacert.pem cert.pem
cert.pem: OK
openssl s_client -connect www.example.com:25586 -CAfile cacert.pem
Verify return code: 0 (ok)
If I disable certificate verification the connection succeeds.
amqp_ssl_socket_set_verify_peer(socket, 0);
What am I doing wrong?
I have found what was wrong, my CAfile was missing the intermediate certificate.
Probably openssl s_client is ignoring this by default.
After fixing the cacert file the connection was established from the rabbitmq-c library.
I'm trying to make a client connect to some servers via https, using openssl library.
The call stack is something like this:
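#include <openssl/ssl.h>

SSL_library_init();                 /* register ciphers and digests */
SSL_load_error_strings();           /* readable error messages */
SSL_CTX *ctx = SSL_CTX_new(TLSv1_method());
/* PEM file holding the certificates to trust when verifying the server */
SSL_CTX_load_verify_locations(ctx, "file_with_trusted_certificates", NULL);
SSL *ssl = SSL_new(ctx);
BIO *bio = BIO_new_socket(...);     /* arguments elided in the original */
SSL_set_bio(ssl, bio, bio);
SSL_connect(ssl);
SSL_get_verify_result(ssl);         /* X509_V_OK on success, otherwise the error number */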
I have 2 servers with ssl certificates, which I have extracted using openssl tool and put into "file_with_trusted_certificates" file:
openssl s_client -showcerts -connect server_url:443
The problem is the following: one server is validated (though if not using file_with_trusted_certificates it fails with error 19: self signed certificate in certificate chain), but the check of the second server always fails with error 20: unable to get local issuer certificate. When passing
"-CAfile file_with_trusted_certificates"
to openssl tool, both servers get validated.
What am I doing wrong? Why doesn't the second server also get validated?
The servers have different ciphers, and the one that succeeds has secure renegotiation enabled.
EDIT:
The C client runs on an ARM device, which has libssl v0.9.8. The openssl tool run on the embedded device yields the same result as the C application: error 20 for first server and OK for the other. Using a linux environment, the openssl tool yields OK for both servers, but then, maybe the version of the C application would do the same.
After some trial and error, I managed to find the problem.
I needed to add the certificate of the issuer of the root certificate in the chain in "file_with_trusted_certificates" file, but I added just the root certificate in the chain:
Common name: Baltimore CyberTrust Root -> I added this
Issuer: GTE CyberTrust Global Root -> I needed to add the certificate of this
Interestingly, it was working for the other server because the root certificate in the chain was self-signed and authorized:
Common name: AddTrust External CA Root
Issuer: AddTrust External CA Root
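A bundle check for the condition behind both the rabbitmq-c and the OpenSSL answers above, a certificate whose issuer is absent from the CA file. This is an added example, not code from either post: the function names are hypothetical, the sample listing is constructed from the names quoted in the answer, and only subject and issuer names are compared.

```shell
#!/bin/sh
# Added example: find certificates in a CA bundle whose issuer is not in the bundle.

# Print "subject=" / "issuer=" lines for every certificate in a PEM file.
list_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Constructed sample listing, using the names quoted in the answer.
sample_listing() {
  cat <<'EOF'
subject=CN = Baltimore CyberTrust Root
issuer=CN = GTE CyberTrust Global Root

subject=CN = AddTrust External CA Root
issuer=CN = AddTrust External CA Root
EOF
}

# Read such a listing on stdin and report every certificate that is not
# self-issued and whose issuer name matches no subject in the listing.
# Name comparison only: signatures and key identifiers are not checked.
find_unanchored() {
  awk '
    /^subject=/ { n++; subj[n] = substr($0, 9); have[subj[n]] = 1 }
    /^issuer=/  { iss[n] = substr($0, 8) }
    END {
      for (i = 1; i <= n; i++)
        if (iss[i] != subj[i] && !(iss[i] in have))
          printf "%s: issuer not in bundle: %s\n", subj[i], iss[i]
    }'
}

# With a file argument check that bundle, otherwise the constructed sample.
if [ -n "${1:-}" ]; then list_bundle "$1"; else sample_listing; fi | find_unanchored
```

To include the server's own certificate in the check, as in the rabbitmq-c case, run it on a file that concatenates the server certificate and the CA file.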
I am trying to set up ZooKeeper on two EC2 instances, as given here and here.
I am trying to run zookeeper which fails with an error:
command: bin/zkCli.sh -server localhost:2181
> 2015-03-15 00:22:35,644 [myid:] - INFO [main:ZooKeeper#438] - Initiating client connection, connectString=localhost:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher#3ff0efca
Welcome to ZooKeeper!
2015-03-15 00:22:35,671 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread#975] - Opening socket connection to server localhost/127.0.0.1:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2015-03-15 00:22:35,677 [myid:] - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread#1102] - Session 0x0 for server null, unexpected error, closing socket connection and attempting reconnect
java.net.ConnectException: Connection refused
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:739)
at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:361)
at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1081)
[zk: localhost:2181(CONNECTING) 0] 2015-03-15 00:22:36,796 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread#975] - Opening socket connection to server localhost/127.0.0.1:2181. Will not attempt to authenticate using SASL (unknown error)
2015-03-15 00:22:36,797 [myid:] - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread#1102] - Session 0x0 for server null, unexpected error, closing socket connection and attempting reconnect
zoo.cfg as below:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper
clientPort=2181
server.1=localhost:2888:3888
server.2=<My ec2 private IPs>:2889:3889
Also, I have created the myId file on both EC2 instances: /var/lib/zookeeper/myid
I also tried to edit the /etc/hosts file but I am still facing the same issue.
Also, how can I start both of the ZooKeeper instances with one command?
Note: The server gets started successfully if I try the bin/zkCli.sh start command.
Thanks in advance!
Look at the zk log zookeeper.out; if there is a connection limit error, add the following to zoo.cfg.
# the maximum number of client connections.
# increase this if you need to handle more clients
maxClientCnxns=60
This is a temporary error; for me, after some time it went away.
This is my zoo.conf file:
Dir=../data
clientPort=2181
tickTime=2000
initLimit=5
This error occurred when I forgot to run %ZOOKEEPER_HOME%\bin\zkserver.cmd
Running it resolved the problem.
Correct this property in server.properties.
The default would be localhost; change it to match the ZooKeeper server startup IP and port:
zookeeper.connect=0.0.0.0:2181