SNOW-1794001: Devcontainer (Docker) SSO externalbrowser ERR_CONNECTION_REFUSED #2104

Closed
aleenprd opened this issue Nov 8, 2024 · 3 comments
Labels: status-triage_done (Initial triage done, will be further handled by the driver team)

aleenprd commented Nov 8, 2024

Python version

Python 3.8.10

Operating system and processor architecture

Linux-6.6.22-linuxkit-x86_64-with-Ubuntu-20.04-focal

Installed packages

about-time==3.1.1
agate==1.9.1
alive-progress==2.3.1
annotated-types==0.7.0
appdirs==1.4.4
asn1crypto==1.5.1
attrs==23.2.0
azure-core==1.30.1
azure-storage-blob==12.20.0
Babel==2.15.0
backoff==2.2.1
beautifulsoup4==4.12.3
black==24.4.2
boto3==1.34.116
botocore==1.34.116
cachetools==5.3.3
certifi==2024.2.2
cffi==1.16.0
cfgv==3.4.0
chardet==5.2.0
charset-normalizer==3.3.2
click==8.0.4
colorama==0.4.6
cryptography==42.0.7
daff==1.3.46
dbt-adapters==1.2.1
dbt-common==1.2.0
dbt-core==1.8.0
dbt-exposures-crawler @ git+https://github.com/esenilsson/dbt-exposures-crawler@11cac433ec75685aa24abcf60af121a22b263478
dbt-extractor==0.5.1
dbt-semantic-interfaces==0.5.1
dbt-snowflake==1.8.0
defusedxml==0.7.1
diff_cover==9.0.0
distlib==0.3.8
elementary-data==0.15.1
exceptiongroup==1.2.1
filelock==3.14.0
google-api-core==2.19.0
google-auth==2.29.0
google-cloud-core==2.4.1
google-cloud-storage==2.16.0
google-crc32c==1.5.0
google-resumable-media==2.7.0
googleapis-common-protos==1.63.0
grapheme==0.6.0
identify==2.5.36
idna==3.7
importlib-metadata==6.11.0
importlib_resources==6.4.0
iniconfig==2.0.0
isodate==0.6.1
jaraco.classes==3.4.0
jeepney==0.8.0
Jinja2==3.1.4
jinja2-simple-tags==0.6.1
jmespath==1.0.1
jsonschema==4.22.0
jsonschema-specifications==2023.12.1
keyring==24.3.1
leather==0.4.0
Logbook==1.5.3
markdown-it-py==3.0.0
MarkupSafe==2.0.1
mashumaro==3.13
mdurl==0.1.2
minimal-snowplow-tracker==0.0.2
monotonic==1.6
more-itertools==10.2.0
msgpack==1.0.8
mypy-extensions==1.0.0
networkx==2.8.8
nodeenv==1.9.0
numpy==1.24.4
packaging==23.1
pandas==2.0.3
parsedatetime==2.6
pathspec==0.12.1
pkgutil_resolve_name==1.3.10
platformdirs==4.2.2
pluggy==1.5.0
posthog==2.5.0
pre-commit==3.5.0
proto-plus==1.23.0
protobuf==4.25.3
pyasn1==0.6.0
pyasn1_modules==0.4.0
pycparser==2.22
pydantic==2.7.2
pydantic_core==2.18.3
pyfiglet==0.8.post1
Pygments==2.18.0
PyJWT==2.8.0
pymsteams==0.2.2
pyOpenSSL==24.1.0
pytest==8.2.1
pytest-parametrization==2022.2.1
python-dateutil==2.9.0.post0
python-slugify==4.0.1
pytimeparse==1.1.8
pytz==2024.1
PyYAML==6.0.1
ratelimit==2.2.1
referencing==0.35.1
regex==2024.5.15
requests==2.32.3
rich==13.7.1
rpds-py==0.18.1
rsa==4.9
ruamel.yaml==0.18.6
ruamel.yaml.clib==0.2.8
s3transfer==0.10.1
SecretStorage==3.3.3
shandy-sqlfmt==0.21.3
six==1.16.0
slack_sdk==3.27.2
snowflake-connector-python==3.10.1
sortedcontainers==2.4.0
soupsieve==2.5
sqlfluff==3.0.7
sqlfluff-templater-dbt==3.0.7
sqlparse==0.5.0
tableauserverclient==0.30
tabulate==0.9.0
tblib==3.0.0
text-unidecode==1.3
toml==0.10.2
tomli==2.0.1
tomlkit==0.12.5
tqdm==4.66.4
typing_extensions==4.12.0
tzdata==2024.1
urllib3==2.0.7
virtualenv==20.26.2
zipp==3.19.1

What did you do?

I am running my application in VS Code - Devcontainer, i.e. a Docker container. I started this morning and the connection with SSO via externalbrowser to Snowflake was good, albeit slow to auth from the container. On my machine (Mac), I have no issues authenticating with the same code. Nor do my colleagues. But for some reason, all of a sudden, it stopped working. It opens the URL in my browser, which goes from https://login.microsoftonline.com/ to Snowflake, to localhost:randomport/etc, at which point I get an error saying:

site cant be reached
localhost refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

PS: I can authenticate with user/password so it just seems an **externalbrowser issue** that is inconsistent.
PPS: we are using Azure for SSO

What did you expect to see?

That it just authenticates.

Can you set logging to DEBUG and collect the logs?

2024-11-08 15:16:06,902 - MainThread connection.py:399 - __init__() - INFO - Snowflake Connector for Python Version: 3.10.1, Python Version: 3.8.10, Platform: Linux-6.6.22-linuxkit-x86_64-with-glibc2.29
2024-11-08 15:16:06,903 - MainThread connection.py:705 - connect() - DEBUG - connect
2024-11-08 15:16:06,903 - MainThread connection.py:1088 - __config() - DEBUG - __config
2024-11-08 15:16:06,903 - MainThread connection.py:1239 - __config() - INFO - This connection is in OCSP Fail Open Mode. TLS Certificates would be checked for validity and revocation status. Any other Certificate Revocation related exceptions or OCSP Responder failures would be disregarded in favor of connectivity.
2024-11-08 15:16:06,903 - MainThread converter.py:159 - __init__() - DEBUG - use_numpy: False
2024-11-08 15:16:06,903 - MainThread connection.py:915 - __open_connection() - DEBUG - REST API object was created: jf91634.eu-central-1.snowflakecomputing.com:443
2024-11-08 15:16:06,903 - MainThread webbrowser.py:117 - prepare() - DEBUG - authenticating by Web Browser
2024-11-08 15:16:06,911 - MainThread webbrowser.py:150 - prepare() - DEBUG - step 1: query GS to obtain SSO url
2024-11-08 15:16:06,911 - MainThread webbrowser.py:471 - _get_sso_url() - DEBUG - account=jf91634, authenticator=EXTERNALBROWSER, [email protected]
2024-11-08 15:16:06,912 - MainThread retry.py:351 - from_int() - DEBUG - Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
2024-11-08 15:16:06,913 - MainThread retry.py:351 - from_int() - DEBUG - Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
2024-11-08 15:16:06,913 - MainThread network.py:1224 - _use_requests_session() - DEBUG - Session status for SessionPool 'jf91634.eu-central-1.snowflakecomputing.com', SessionPool 1/1 active sessions
2024-11-08 15:16:06,913 - MainThread network.py:875 - _request_exec_wrapper() - DEBUG - remaining request timeout: N/A ms, retry cnt: 1
2024-11-08 15:16:06,913 - MainThread network.py:857 - add_request_guid() - DEBUG - Request guid: 22dfa767-e998-4434-a0e2-f7e7ffff9a12
2024-11-08 15:16:06,913 - MainThread network.py:1065 - _request_exec() - DEBUG - socket timeout: 60
2024-11-08 15:16:06,916 - MainThread connectionpool.py:1019 - _new_conn() - DEBUG - Starting new HTTPS connection (1): jf91634.eu-central-1.snowflakecomputing.com:443
2024-11-08 15:16:07,215 - MainThread ssl_wrap_socket.py:79 - ssl_wrap_socket_with_ocsp() - DEBUG - OCSP Mode: FAIL_OPEN, OCSP response cache file name: None
2024-11-08 15:16:07,259 - MainThread ocsp_snowflake.py:492 - reset_cache_dir() - DEBUG - cache directory: /root/.cache/snowflake
2024-11-08 15:16:07,260 - MainThread ocsp_snowflake.py:530 - reset_ocsp_response_cache_uri() - DEBUG - ocsp_response_cache_uri: file:///root/.cache/snowflake/ocsp_response_cache.json
2024-11-08 15:16:07,260 - MainThread ocsp_snowflake.py:533 - reset_ocsp_response_cache_uri() - DEBUG - OCSP_VALIDATION_CACHE size: 304
2024-11-08 15:16:07,260 - MainThread ocsp_snowflake.py:332 - reset_ocsp_dynamic_cache_server_url() - DEBUG - OCSP response cache server is enabled: http://ocsp.snowflakecomputing.com/ocsp_response_cache.json
2024-11-08 15:16:07,260 - MainThread ocsp_snowflake.py:345 - reset_ocsp_dynamic_cache_server_url() - DEBUG - OCSP dynamic cache server RETRY URL: None
2024-11-08 15:16:07,260 - MainThread ocsp_snowflake.py:966 - validate() - DEBUG - validating certificate: jf91634.eu-central-1.snowflakecomputing.com
2024-11-08 15:16:07,261 - MainThread ocsp_asn1crypto.py:385 - extract_certificate_chain() - DEBUG - # of certificates: 4
2024-11-08 15:16:07,262 - MainThread ocsp_asn1crypto.py:390 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('common_name', '*.eu-central-1.snowflakecomputing.com')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon RSA 2048 M03')])
2024-11-08 15:16:07,263 - MainThread ocsp_asn1crypto.py:390 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon RSA 2048 M03')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')])
2024-11-08 15:16:07,264 - MainThread ocsp_asn1crypto.py:390 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')]), issuer: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')])
2024-11-08 15:16:07,264 - MainThread ocsp_asn1crypto.py:390 - extract_certificate_chain() - DEBUG - subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')]), issuer: OrderedDict([('country_name', 'US'), ('organization_name', 'Starfield Technologies, Inc.'), ('organizational_unit_name', 'Starfield Class 2 Certification Authority')])
2024-11-08 15:16:07,266 - MainThread ocsp_asn1crypto.py:87 - read_cert_bundle() - DEBUG - reading certificate bundle: /usr/local/lib/python3.8/dist-packages/certifi/cacert.pem
2024-11-08 15:16:07,278 - MainThread ocsp_asn1crypto.py:413 - create_pair_issuer_subject() - DEBUG - not found issuer_der: OrderedDict([('country_name', 'US'), ('organization_name', 'Starfield Technologies, Inc.'), ('organizational_unit_name', 'Starfield Class 2 Certification Authority')])
2024-11-08 15:16:07,280 - MainThread ocsp_snowflake.py:730 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('common_name', '*.eu-central-1.snowflakecomputing.com')])
2024-11-08 15:16:07,282 - MainThread ocsp_asn1crypto.py:205 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-12-10 00:00:00+00:00
2024-11-08 15:16:07,283 - MainThread ocsp_snowflake.py:730 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon RSA 2048 M03')])
2024-11-08 15:16:07,285 - MainThread ocsp_asn1crypto.py:205 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-12-10 00:00:00+00:00
2024-11-08 15:16:07,285 - MainThread ocsp_snowflake.py:730 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('organization_name', 'Amazon'), ('common_name', 'Amazon Root CA 1')])
2024-11-08 15:16:07,287 - MainThread ocsp_asn1crypto.py:205 - is_valid_time() - DEBUG - Verifying the attached certificate is signed by the issuer. Valid Not After: 2025-05-07 12:00:00+00:00
2024-11-08 15:16:07,287 - MainThread ocsp_snowflake.py:730 - find_cache() - DEBUG - hit cache for subject: OrderedDict([('country_name', 'US'), ('state_or_province_name', 'Arizona'), ('locality_name', 'Scottsdale'), ('organization_name', 'Starfield Technologies, Inc.'), ('common_name', 'Starfield Services Root Certificate Authority - G2')])
2024-11-08 15:16:07,289 - MainThread ocsp_snowflake.py:1023 - _validate() - DEBUG - ok
2024-11-08 15:16:07,359 - MainThread connectionpool.py:474 - _make_request() - DEBUG - https://etc
snowflakecomputing.com:443 "POST /session/authenticator-request?request_guid=22dfa767-e998-4434-a0e2-f7e7ffff9a12 HTTP/1.1" 200 None
2024-11-08 15:16:07,360 - MainThread network.py:1092 - _request_exec() - DEBUG - SUCCESS
2024-11-08 15:16:07,360 - MainThread network.py:1229 - _use_requests_session() - DEBUG - Session status for SessionPool 'jf91634.eu-central-1.snowflakecomputing.com', SessionPool 0/1 active sessions
2024-11-08 15:16:07,360 - MainThread network.py:745 - _post_request() - DEBUG - ret[code] = None, after post request
2024-11-08 15:16:07,360 - MainThread webbrowser.py:158 - prepare() - DEBUG - Validate SSO URL
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
2024-11-08 15:16:07,360 - MainThread webbrowser.py:176 - prepare() - DEBUG - step 2: open a browser
Going to open: https://login.microsoftonline.com/etc to authenticate...
2024-11-08 15:16:07,862 - MainThread webbrowser.py:201 - prepare() - DEBUG - step 3: accept SAML token
github-actions bot changed the title from "Devcontainer (Docker) SSO externalbrowser ERR_CONNECTION_REFUSED" to "SNOW-1794001: Devcontainer (Docker) SSO externalbrowser ERR_CONNECTION_REFUSED" on Nov 8, 2024
@sfc-gh-sghosh

Hello @aleenprd ,

Thanks for raising the issue.
This is a configuration issue, actually.

Are you still facing the issue?
Are you using any self-signed certificate?

Could you please run the SnowCD command, which will confirm whether there is any blockage:
https://docs.snowflake.com/en/user-guide/snowcd.html

a) Obtain the whitelist in the Snowflake UI and copy into allowlist.json
SELECT SYSTEM$WHITELIST()

Run snowcd allowlist.json

Please provide the output of the above SnowCD command. If there are issues noted with connectivity, we would need to resolve those with your network team. They need to whitelist all the Snowflake endpoints and ports at the proxy/firewall, etc. for the client machine.

b) echo QUIT | openssl s_client -msg -state -debug -connect .snowflakecomputing.com:443 -showcerts > certs.txt

c) Are you using any proxy server?

Regards,
Sujan

@sfc-gh-sghosh sfc-gh-sghosh added status-triage Issue is under initial triage and removed bug needs triage labels Nov 29, 2024
@aleenprd

I had to add some settings to make it work:

"runArgs": [
    "--network=host"
],
"forwardPorts": [
    8000
],
"settings": {
    "remote.autoForwardPorts": true,
    "requireLocalPort": true
}

On some colleagues' devices it just worked; on mine I had to jump through these hoops.

@sfc-gh-sghosh

Hello @aleenprd ,

Thanks for the update, and glad to hear the configuration issue is resolved.
Yes, by using the Docker container's network with the host's and ensuring ports are properly forwarded, such issues can be avoided.

You can use the same code for consistent behavior:

"runArgs": ["--network=host"],
"forwardPorts": [8000],
"settings": {
    "remote.autoForwardPorts": true,
    "requireLocalPort": true
}

Regards,
Sujan

@sfc-gh-sghosh sfc-gh-sghosh added status-triage_done Initial triage done, will be further handled by the driver team and removed status-triage Issue is under initial triage labels Dec 2, 2024
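
The failure in this thread, reproduced as an added example (not code from the connector or from either commenter): a constructed stand-in listener binds an ephemeral loopback port the way a browser-SSO client waits for its redirect, and `probe_redirect` plays the browser. The handler, function names and token value are assumptions made for illustration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class CallbackHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the SSO callback: records the redirect it receives."""

    def do_GET(self):
        self.server.received = self.path
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # silence per-request logging
        pass


def start_callback_listener(bind_host="127.0.0.1"):
    """Bind an ephemeral loopback port and wait for exactly one redirect."""
    server = HTTPServer((bind_host, 0), CallbackHandler)
    server.received = None
    threading.Thread(target=server.handle_request, daemon=True).start()
    return server


def probe_redirect(port, host="127.0.0.1", timeout=2.0):
    """Do what the browser does last in the flow: GET the localhost callback URL."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/?token=CONSTRUCTED-SAMPLE")
        return "delivered" if conn.getresponse().status == 200 else "error"
    except ConnectionRefusedError:
        return "refused"  # the browser shows this as ERR_CONNECTION_REFUSED
    except OSError:
        return "unreachable"  # timeout, no route, and similar failures
    finally:
        conn.close()


def unused_port():
    """A loopback port with no listener, standing in for an unforwarded container port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Running `probe_redirect(port)` on the host against the port shown in the browser's address bar tells you whether that port is reachable from outside the container. Forwarding that one port keeps the container's network isolation, which `--network=host` gives up.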