I built a small backend application in .NET 5 using Snowflake.Data, the .NET Connector from Snowflake. The app is supposed to be pulling data from a single schema in SNOWFLAKE_SAMPLE_DATA. I am adding the SnowflakeDbConnection as an IDbConnection in Startup.cs. Then, I have a Service that initializes the connection when it gets called by my Controller. Pretty simple setup.
When the service gets called, it calls IDbConnection.Open(), sets the ConnectionString, and then...
The connection fails to open and times out. I get the error Snowflake Internal Error: Unable to connect. One or more errors occurred. (Request reach its timeout.) SqlState: 08006, VendorCode: 27001)
So IDbConnection is properly mapping to Snowflake, but that's about all I know from that error.
Per the guidance in Snowflake's docs, I installed SnowCD (their diagnostic tool) and ran it against allowlist.json, downloaded and verified per the docs. Basically, it's a list of all the ports that the Connector needs to access, and you can just run a quick check without running the whole app - it's not connected to the app code at all. Anyway, I get a single error:
```
Check for 1 hosts failed, display as follow:
==============================================
Host: ocsp.pki.goog
Port: 80
Type: OCSP_RESPONDER
Failed Check: HTTP checker
Error: Invalid http code received: 404 Not Found
Suggestion: Check the connection to your http host or transparent Proxy
```
This is one of two OCSP_RESPONDER entries in allowlist.json, but it is NOT the one that appears when I check the certificate in the browser, nor the one Snowflake says it uses for deployments in my cluster. The one that is being used (digicert) doesn't throw an error. I'm not using any proxy, I'm not working behind a firewall, etc. It's just me on my laptop, working on my localhost.
So I used telnet to check my connection to ocsp.pki.goog, and it's fine on ports 80 and 443, as well as when I make a curl request.
My questions:
- Why is this failing through SnowCD when it is ok from my terminal?
- Why does allowlist.json include 2 OCSP providers? Does it need 2 certificates? Why?
- Is the .NET Connector also trying to contact ocsp.pki.goog and failing, and that's why my connection is failing?
It seems like the timeout behavior and vague error message line up with not being able to contact the certificate provider, but I have no insight into where that might be happening inside the nuget package, nor again why 2 OCSP responses would be needed.
How can I figure out what is happening here? Is it something I can work around somehow?
I don't need write capability, which is why I'm using the .NET driver and not ODBC. Would that be a better/more reliable choice or am I likely to run into the same issue? I'd rather not go back to square 1, though - so what am I not thinking of for troubleshooting the .NET connector?
Also, for the record, I've played around plenty with my connection string, my https settings, etc. No change in behavior, and it seems like those issues would generate different behavior/errors anyway.
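The gap between the telnet test and the SnowCD "HTTP checker" failure described above, reproduced as an added example (not part of the original post, and not SnowCD's own code): a TCP connect and an HTTP GET are separate checks, and a host that answers a bare GET with 404 passes the first while failing the second. The entry keys (`type`, `host`, `port`), the function names, and the local stand-in server that always returns 404 are assumptions; the sample entry is constructed.

```python
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def tcp_reachable(host, port, timeout=5.0):
    """What telnet proves: the TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_status(host, port, timeout=5.0):
    """Status code of a plain 'GET /', or None if no HTTP response arrived."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def check_entry(entry):
    """Run both checks for one allowlist entry (keys assumed: type, host, port)."""
    host, port = entry["host"], int(entry["port"])
    tcp = tcp_reachable(host, port)
    # Only OCSP responders are probed over plain HTTP in this sketch.
    probe_http = tcp and entry["type"] == "OCSP_RESPONDER"
    return {"host": host, "port": port, "type": entry["type"], "tcp": tcp,
            "http_status": http_status(host, port) if probe_http else None}

class _NotFound(BaseHTTPRequestHandler):
    """Local stand-in for a host that is reachable but answers GET / with 404."""
    def do_GET(self):
        self.send_error(404)
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    server = HTTPServer(("127.0.0.1", 0), _NotFound)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed allowlist content; with a real file use json.load(open(path)).
        text = '[{"type": "OCSP_RESPONDER", "host": "127.0.0.1", "port": %d}]' % server.server_port
        return [check_entry(e) for e in json.loads(text)]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

A result with `tcp: True` and `http_status: 404` means the host was reached and answered, so that failure is about the HTTP response to that particular request rather than about blocked connectivity.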