If you're using a VPN or a proxy, you may encounter issues when running Qwak commands. This section provides guidance on how to resolve common errors related to SSL certificate verification when behind a VPN or proxy.
If your proxy is filtering network traffic, you may see the following error message when running
qwak configure --api-key "xxx":
ProxyError: HTTPSConnectionPool(host='dev-qwak.us.auth0.com', port=443): Max retries exceeded with url: /.well-known/jwks.json (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))
Ensure that your VPN or proxy allows traffic to and from the following Qwak domains:
- dev-qwak.us.auth0.com:443
- grpc.qwak.ai
- grpc.<ENVIRONMENT_NAME>.qwak.ai
- models.<ENVIRONMENT_NAME>.qwak.ai
The Qwak Environment name can be found in your Qwak Dashboard, on the lower-left side: in the following example the environment name is
If your VPN or proxy encrypts traffic with additional certificates, those certificates should be added to the CA certificate file. Certificate issues typically appear when configuring your Qwak CLI:
Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')
The Qwak SDK relies on Python's
certifi library for server certificate validation. To identify the location of your certificate validation file, run the following Python snippet:
import certifi
print(certifi.where())
This will output the path to your certificate validation file.
Next, append your VPN's or Proxy's CA certificate to this
cacert.pem file. Open the file in a text editor with administrative privileges and add the certificate at the end.
After adding your custom certificate, you can validate the connection using OpenSSL with the following command:
openssl s_client -connect dev-qwak.us.auth0.com:443 -CAfile /path/to/your/cacert.pem
Check the output for a line that says
Verify return code: 0 (ok). This indicates that the certificate has been successfully verified. If the verification fails, you will see a different return code along with a description of the failure.
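The append-and-verify steps above can be scripted. The following is an added example, not Qwak's own code; `append_proxy_ca`, `handshake_ok` and the file name `corp-proxy-ca.pem` are hypothetical. It copies only CERTIFICATE blocks (so a private key included in the proxy's export never reaches the bundle), skips certificates that are already present, and keeps a `.bak` copy of the original file.

```python
import re
import shutil
import socket
import ssl
from pathlib import Path

# Whole PEM certificate blocks only; private keys in the same file never match.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----")


def _certs(path):
    """Map whitespace-free base64 body -> full PEM block for each certificate."""
    text = Path(path).read_text(encoding="utf-8")
    return {"".join(m.group(1).split()): m.group(0) for m in PEM_CERT.finditer(text)}


def append_proxy_ca(bundle_path, proxy_ca_path):
    """Append certificates the bundle lacks; return how many were added."""
    present, offered = _certs(bundle_path), _certs(proxy_ca_path)
    if not offered:
        raise ValueError(f"no PEM certificate found in {proxy_ca_path}")
    missing = [pem for body, pem in offered.items() if body not in present]
    if missing:
        shutil.copy2(bundle_path, f"{bundle_path}.bak")  # original kept for rollback
        with open(bundle_path, "a", encoding="utf-8") as fh:
            for pem in missing:
                fh.write("\n" + pem + "\n")
    return len(missing)


def handshake_ok(host, bundle_path, port=443, timeout=10):
    """Direct-connection counterpart of the openssl s_client check."""
    ctx = ssl.create_default_context(cafile=str(bundle_path))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True  # failed verification raises ssl.SSLCertVerificationError


if __name__ == "__main__":
    import certifi  # third-party; the helpers above use only the standard library
    # "corp-proxy-ca.pem" is a placeholder for the CA file exported from the proxy.
    added = append_proxy_ca(certifi.where(), "corp-proxy-ca.pem")
    print(f"{added} certificate(s) appended to {certifi.where()}")
    print("verified:", handshake_ok("dev-qwak.us.auth0.com", certifi.where()))
```

Upgrading or reinstalling the certifi package replaces cacert.pem, so the certificate has to be appended again afterwards.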
When your cloud resources are behind a private network or VPC, you may need to whitelist specific IP addresses to allow Qwak's platform to access them. For example, when connecting to a new BigQuery or S3-based Data Source, you might get a timeout error.
You might be facing this issue if:
- You receive timeout errors when Qwak tries to access your cloud resources.
- Your cloud resource logs show unauthorized or blocked access attempts from Qwak's IP addresses.
- Data transfers or API calls between Qwak and your cloud resources are failing without a clear error message.
To ensure seamless connectivity, please add the following range of Qwak IP addresses to your network's whitelist:
For more information and questions, feel free to reach out to Qwak support using the in-platform chat.