What causes SSL/TLS Connection Error?

A corporate SSL inspection proxy is intercepting and re-signing Snowflake's TLS certificate, causing validation to fail. The client machine's CA certificate bundle is outdated and does not include Snowflake's issuing CA. A firewall or network appliance is performing deep packet inspection on port 443. The Snowflake Python connector's verify SSL setting is misconfigured. Operating system or container image missing root CA certificates (common in minimal Docker images). Snowflake account URL mismatch — connecting to the wrong region endpoint

How do I fix SSL/TLS Connection Error?

Test TLS connectivity: openssl s_client -connect myaccount.snowflakecomputing.com:443 — look for 'Verify return code: 0 (ok)'. If a proxy is intercepting, add its CA certificate to the system trust store or set the SNOWFLAKE_CONNECTOR_PARAMS env var with the custom CA bundle path. For Python connector: set ocsp_response_cache_filename or disable OCSP checking temporarily for diagnosis (do not leave disabled in production). Update the OS CA bundle: sudo update-ca-certificates (Ubuntu/Debian) or update-ca-trust (RHEL/CentOS). For Docker containers, ensure the base image includes ca-certificates: RUN apt-get install -y ca-certificates. Verify the account identifier includes the correct region: e.g., myaccount.us-east-1

High severityconnectivity

Power BI Refresh Error:
SSL/TLS Connection Error

What does this error mean?

The client cannot establish a secure TLS connection to Snowflake. This blocks all queries and API calls from the affected environment and is often caused by certificate validation failures, proxy interception, or network configuration issues.

Common causes

1A corporate SSL inspection proxy is intercepting and re-signing Snowflake's TLS certificate, causing validation to fail
2The client machine's CA certificate bundle is outdated and does not include Snowflake's issuing CA
3A firewall or network appliance is performing deep packet inspection on port 443
4The Snowflake Python connector's verify SSL setting is misconfigured
5Operating system or container image missing root CA certificates (common in minimal Docker images)
6Snowflake account URL mismatch — connecting to the wrong region endpoint

How to fix it

1Test TLS connectivity: openssl s_client -connect myaccount.snowflakecomputing.com:443 — look for 'Verify return code: 0 (ok)'
2If a proxy is intercepting, add its CA certificate to the system trust store or set the SNOWFLAKE_CONNECTOR_PARAMS env var with the custom CA bundle path
3For Python connector: set ocsp_response_cache_filename or disable OCSP checking temporarily for diagnosis (do not leave disabled in production)
4Update the OS CA bundle: sudo update-ca-certificates (Ubuntu/Debian) or update-ca-trust (RHEL/CentOS)
5For Docker containers, ensure the base image includes ca-certificates: RUN apt-get install -y ca-certificates
6Verify the account identifier includes the correct region: e.g., myaccount.us-east-1

Frequently asked questions

What is OCSP and why does Snowflake use it?

OCSP (Online Certificate Status Protocol) allows Snowflake's connector to verify that the server's TLS certificate has not been revoked. Some corporate proxies block OCSP traffic, causing spurious certificate errors. Snowflake provides a fail-open mode for OCSP when the OCSP responder is unreachable.

Is it safe to disable SSL verification for Snowflake connections?

No — disabling SSL verification exposes credentials and query data to man-in-the-middle attacks. Only use it temporarily during diagnosis in an isolated environment, never in production. Fix the underlying certificate or proxy issue instead.