An SSL-inspecting proxy (corporate firewall, Zscaler, Netskope) is replacing the Snowflake certificate. The Java truststore (cacerts) does not include the corporate proxy's root CA certificate. The JRE being used has an outdated truststore that lacks Snowflake's CA. The JDBC driver's bundled certificate chain is incompatible with a custom PKI setup. Account URL mismatch causing the driver to receive a certificate for a different hostname

Import the corporate proxy CA certificate into the Java truststore: keytool -importcert -alias proxy-ca -file proxy-ca.crt -keystore $JAVA_HOME/lib/security/cacerts.. Run: openssl s_client -connect .snowflakecomputing.com:443 to inspect the certificate chain and identify the substituting CA.. Update the JRE to the latest version — newer JREs include more up-to-date root CAs.. If the proxy CA cannot be trusted, add the insecure connection option to the JDBC URL: ?insecureMode=true (not for production).. Work with the network team to exclude Snowflake traffic from SSL inspection.

High severityconnectionSnowflake →

Power BI Refresh Error:
JDBC 2

What does this error mean?

The JDBC driver cannot verify Snowflake's TLS certificate because no trusted root CA is found for the certificate chain. This is typically caused by SSL inspection by a proxy or firewall that substitutes its own certificate.

Common causes

1An SSL-inspecting proxy (corporate firewall, Zscaler, Netskope) is replacing the Snowflake certificate
2The Java truststore (cacerts) does not include the corporate proxy's root CA certificate
3The JRE being used has an outdated truststore that lacks Snowflake's CA
4The JDBC driver's bundled certificate chain is incompatible with a custom PKI setup
5Account URL mismatch causing the driver to receive a certificate for a different hostname

How to fix it

1Import the corporate proxy CA certificate into the Java truststore: keytool -importcert -alias proxy-ca -file proxy-ca.crt -keystore $JAVA_HOME/lib/security/cacerts.
2Run: openssl s_client -connect <account>.snowflakecomputing.com:443 to inspect the certificate chain and identify the substituting CA.
3Update the JRE to the latest version — newer JREs include more up-to-date root CAs.
4If the proxy CA cannot be trusted, add the insecure connection option to the JDBC URL: ?insecureMode=true (not for production).
5Work with the network team to exclude Snowflake traffic from SSL inspection.

Frequently asked questions

How do I find the Java truststore location?

It is typically at $JAVA_HOME/lib/security/cacerts (Java 8) or $JAVA_HOME/lib/security/cacerts (Java 11+). Use keytool -list -keystore <path> to inspect its contents.

Should I use insecureMode=true as a permanent fix?

No — insecureMode disables all certificate validation, making connections vulnerable to MITM attacks. It is only for debugging. Fix the certificate trust issue and remove insecureMode.

Official documentation: https://docs.snowflake.com/en/user-guide/client-connectivity-troubleshooting/error-messages