snowflake-connector-nodejs

OCSP is randomly failing in latest release

Open mhseiden opened this issue 7 years ago • 10 comments

We are seeing the following error bubble up on occasion. It looks like it's coming from the ocsp library that y'all are using.

ERROR: [9:34:45.3445 AM]: OCSP validation failed: Error: Unsupported type: object at: (shallow)

mhseiden, Nov 10 '18 17:11

Hmm, sounds like garbage was returned from the OCSP responder... The driver needs a retry.

Currently NodeJS doesn't cache the OCSP response or use the OCSP cache server; the OCSP check is not as stable as in JDBC, ODBC, Python Connector. We'll add it at the earliest opportunity. As a workaround, use the insecureConnect parameter to skip the OCSP check.

This answer is not correct. See below.

var connectionOptions =
{
  account: testaccount, ... , insecureConnect: true
}

Note that insecureConnect=true will still 1) verify the certificate signature, 2) check validity, and 3) ensure the certificate is associated with the hostname.

smtakeda, Nov 13 '18 17:11

insecureConnect: true is not working for us. We are still getting:

ERROR: [2:24:02.242 PM]: OCSP validation failed: Error: Bad OCSP response status: try_later
Unable to connect: Network error. Could not reach Snowflake.

Edit: Using snowflake-sdk version 1.1.8, Node 8.12.0. Code looks like this:

var snowflake = require('snowflake-sdk');

var connection = snowflake.createConnection({
  account: '<our account name>',
  username: '<username>',
  password: '<password>',
  insecureConnect: true
});

connection.connect((err, conn) => {
  if (err) {
    console.error('Unable to connect: ' + err.message);
  } else {
    console.log('Successfully connected as id: ' + connection.getId());
  }
});

natesilva, Nov 15 '18 22:11

Workaround: the insecureConnect option needs to be passed to snowflake.configure(...), not to the createConnection function.

snowflake.configure({insecureConnect: true});
var connection = snowflake.createConnection(...);

natesilva, Nov 15 '18 22:11

  code: 401001,
  message: 'Network error. Could not reach Snowflake.',
  cause: Error: Bad OCSP response status: try_later

seeing the same issue

rem7, Nov 15 '18 22:11

For anyone still encountering this issue, more information is here:

https://support.snowflake.net/s/group/0F90Z000000U8d9SAC/alerts-awsus-west

For anyone using my snowflake-promise library (which is another NPM module that wraps this library), you can work around the issue; see the changelog for that library.

natesilva, Nov 16 '18 16:11

Is there any update on this issue?

What is the impact of using insecureConnect: true? I assume we want the OCSP checks when using the Node client?

moniecodes, Oct 14 '20 21:10

FWIW I was having the OCSP validation failed: Error: Unsupported type: object at: (shallow) error and it turned out to be the version of asn1.js that was getting resolved. I think that the version range isn't restrictive enough so if another library uses asn1.js but an incompatible version it can break this library. I fixed it by adding:

  "resolutions": {
    "asn1.js": "^5.4.1"
  },

to my package.json file (I use Yarn, the syntax might vary for NPM). I'm not sure if it is the same issue you are having but it might help.

NoxHarmonium, Oct 18 '20 22:10

Thank you! This worked for me. In Node I just set the following in package.json dependencies:

    "asn1": "^0.2.4",

then deleted my package-lock.json / node_modules to make sure a lower version wasn't still being used, then reran npm install. Snowflake is now connecting correctly.

bajohn, Feb 10 '21 15:02

@NoxHarmonium @bajohn thanks for pointing me in the right direction. I dove into snowflake-sdk's ocsp and asn1.js dependencies (with the help of yarn why). It looks really messy:

In a recent install, I ended up with

So I can definitely see how this can cause problems. I think the issue would best be solved in ocsp and asn1.js, releasing packages that update to the latest versions (assuming they're compatible). Then, I'd expect to just need

UPDATE: I can confirm that the following worked:

yarn set resolution --save 'asn1.js@npm:^4.8.0' ^5.0.0
yarn set resolution --save 'asn1.js-rfc2560@npm:^4.0.0' ^5.0.0
yarn set resolution --save 'asn1.js-rfc5280@npm:^2.0.0' ^3.0.0

markandrus, Oct 14 '21 10:10

You're a legend, this worked beautifully

wpride, Mar 17 '22 01:03

This very, very old issue should hopefully be resolved by now with the newer releases, which don't have the previous ocsp dependency (v1.6.9 and up). Thank you so much everyone for your contribution and help here.

I'm closing this now, but if you still find it being an issue in the more recent releases, please reopen it and we'll take a look.

sfc-gh-dszmolka, Jan 25 '23 19:01