Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SNOW-974846: Connection fails with error:0308010C with node 20 & v.1.9.1 #703

Closed
smallTrogdor opened this issue Nov 20, 2023 · 8 comments
Closed
Assignees

Comments

@smallTrogdor
Copy link

smallTrogdor commented Nov 20, 2023

  1. What version of NodeJS driver are you using?

latest version (v.1.9.1) of snowflake-connector-nodejs

  1. What operating system and processor architecture are you using?

linux amd64 (docker engine)

  1. What version of NodeJS are you using?
    (node --version and npm --version)

Node.js v20.9.0
npm v10.1.0

  1. What are the component versions in the environment (npm list)?

5.Server version:

7.41.0

  1. What did you do?

    In your release notes you state that with v1.9.1 you support nodeJs v20. However, when trying to connect, I receive the error:

Error: error:0308010C:digital envelope routines::unsupported
at Object.createPrivateKey (node:internal/crypto/keys:632:12)
at loadPrivateKey (/app/node_modules/snowflake-sdk/lib/authentication/auth_keypair.js:80:35)
at auth_keypair.authenticate (/app/node_modules/snowflake-sdk/lib/authentication/auth_keypair.js:169:20)
at Connection.connect (/app/node_modules/snowflake-sdk/lib/connection/connection.js:253:12)

I use the Key Pair Authentication & Key Pair Rotation auth flow.

  1. What did you expect to see?

    I expected to sucessfully connect to the snowflake db through my connector.

  2. Can you set logging to DEBUG and collect the logs?

report-exporter-67-8g452-repair-and-clean-report-exporter.log

  1. What is your Snowflake account identifier, if any? (Optional)

SBB.EAP

@smallTrogdor smallTrogdor added the bug Something isn't working label Nov 20, 2023
@github-actions github-actions bot changed the title Connection fails with error:0308010C with node 20 & v.1.9.1 SNOW-974846: Connection fails with error:0308010C with node 20 & v.1.9.1 Nov 20, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Nov 21, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage Issue is under initial triage label Nov 21, 2023
@sfc-gh-dszmolka
Copy link
Collaborator

hi and thank you for raising this with us, we're going to take a look

@smallTrogdor
Copy link
Author

smallTrogdor commented Nov 21, 2023

I have noticed that this also occurs in node 18 - it seems to be related to this webpack/webpack#14532 (comment). However I have not yet really figured out, whether the problem is on your side or on our side. I do not have a problem in other projects using node 18 though.

Maybe it is also worth noting that we use the SNOWFLAKE_JWT authenticator in the createConnection method, like below:

this.connection = snowflake.createConnection({
            account: process.env.SNOWFLAKE_ACCOUNT,
            username: process.env.SNOWFLAKE_USERNAME,
            privateKeyPath: process.env.SNOWFLAKE_PRIVATE_KEY_PATH,
            privateKeyPass: process.env.SNOWFLAKE_PRIVATE_KEY_PW,
            authenticator: "SNOWFLAKE_JWT",
            warehouse: process.env.SNOWFLAKE_WAREHOUSE,
            role: process.env.SNOWFLAKE_ROLE,
            clientSessionKeepAlive: true,
            database: process.env.SNOWFLAKE_DB
        })
        snowflake.configure({ ocspFailOpen: false })

@sfc-gh-dszmolka
Copy link
Collaborator

using the following simplistic repro program on a Debian 12 (bookworm) container:

root@2b91bc5b9fdc:/node# cat node702.js 
var snowflake = require('snowflake-sdk');

console.log(`\nNode.js process version is: ${process.version}\n`);
//snowflake.configure({ logLevel: "TRACE" });

var connection = snowflake.createConnection({
    account: process.env.SFACCOUNT,
    username: process.env.SFUSER,
    authenticator: 'SNOWFLAKE_JWT',
    privateKeyPath: '/node/rsa_key.p8',
    application: __filename.slice(__dirname.length + 1)
});
connection.connect(function(err, conn) {
    if (err) {
        console.error('Unable to connect: ' + err.message);
    } else {
        console.log('Successfully connected as id: ' + connection.getId());
var statement = connection.execute({
    sqlText: 'select \'Query run successfully on Snowflake with keypair auth\' as result;',
    complete: function(err, stmt, rows) {
        if (err) {
            console.error('Failed to execute statement due to the following error: ' + err.message);
        } else {
            console.log('[queryID ' + statement.getStatementId() + ', requestId ' + statement.getRequestId() + '] Number of rows produced: ' + rows.length);
        }
    }
});
    }
});

could not reproduce the issue yet:

root@2b91bc5b9fdc:/node# node node702.js 

Node.js process version is: v20.9.0

Successfully connected as id: f680292c-b3e2-4d00-80b8-ce94914172d7
[queryID 01b078fb-0202-1ce4-0002-4776000b480e, requestId 08e5a0e3-6cb0-4795-96fe-d1f22d745e6d] Number of rows produced: 1

started putting this repro together before reading your update which indicates you use encrypted private key, so I'll also test with that. i used unencrypted PK above.

@sfc-gh-dszmolka
Copy link
Collaborator

sfc-gh-dszmolka commented Nov 21, 2023

so using the encrypted private key resulted the same successful result; so can confirm that using the snowflake-sdk 1.9.1 on a repro environment where no other libraries are installed (to narrow down the issue to snowflake-sdk), with Debian 12 with node:20.9 works correctly

since your comment points to using

export NODE_OPTIONS=--openssl-legacy-provider

seems to be related to node itself https://github.com/nodejs/node/blob/b6b05d92f0166cbdba68230d25eea205ef0bea56/doc/changelogs/CHANGELOG_V17.md#openssl-30

If you hit an ERR_OSSL_EVP_UNSUPPORTED error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, --openssl-legacy-provider, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions.

For details about all the features in OpenSSL 3.0 please see the OpenSSL 3.0 release blog.

which suggests this issue has more like something to do with openssl and how they private key was generated; rather than the snowflake-sdk library.

with that said; here's how I generated the key per the Snowflake documenation:

$ openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8

edit: since Snowflake allows two keys for the same user, as a test could you please try

  1. generating a new private key and public key with the above or similar command re: the algorithm and/or the key size
  2. if you're not already using both key slots for the Snowflake user, specify the second, newly generated public key:
$ grep -v KEY rsa_newkey.pub | tr -d [:space:] ; echo  # get the public key in one line
--snowflake
alter user <username> set rsa_public_key_2 = 'MII....<rest_of_the_one_liner_public_key>';
--this will leave the original, first public key intact, so both can be used for authentication for the same user

then retry authenticating with the new private key.

@sfc-gh-dszmolka sfc-gh-dszmolka removed the bug Something isn't working label Nov 21, 2023
@smallTrogdor
Copy link
Author

Thanks, I will give it a shot as soon as possible. I am currently in the process of getting the correct grants to add the public key to the user, since it was not me who originally created it.

@sfc-gh-dszmolka
Copy link
Collaborator

for the time being, I'm going to close this issue out as it looks like the behaviour is tied to node rather than snowflake-sdk and the explanation is above. but I'm curious how adding the second key went or if you hit any other issues so please feel free to update this thread (still can reopen if necessary)

@sfc-gh-dszmolka sfc-gh-dszmolka closed this as not planned Won't fix, can't repro, duplicate, stale Nov 21, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka removed the status-triage Issue is under initial triage label Nov 21, 2023
@smallTrogdor
Copy link
Author

Dear @sfc-gh-dszmolka,

thank you for your effort. The problem was indeed resolved with a new key generated with OpenSSL >3.0.

Unfortunately, it took a while to get the grants on the user. Sorry for opening this here then in the end.

Greetings from Switzerland!

@sfc-gh-dszmolka
Copy link
Collaborator

Dear @smallTrogdor thank you so much for taking the time to give feedback on the solution offered, it's great to hear it indeed helped you !

ovr added a commit to cube-js/cube that referenced this issue Sep 16, 2024
…20+ crash) (#8713)

This upgrade is required to fix a compatibility issue for Snowflake SDK and Node.js 20+. 

References:

- snowflakedb/snowflake-connector-nodejs#588
- snowflakedb/snowflake-connector-nodejs#703
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants