Certificate Authority Update for AWS Regions

Python Connector Update

As of April 29, we have released a new version (3.15.0) of the Snowflake Python connector: https://pypi.org/project/snowflake-connector-python/3.15.0/.

This update includes improved OCSP handling logic and permanently resolves the compatibility issue that previous versions of the Snowflake Python connector had after the recent certifi library change.

To ensure proper functionality, we recommend upgrading to the latest version of the Snowflake Python connector in order to resolve the issue. Additional details will be provided in a customer-facing RCA, which will be made available within seven business days.

We've received reports that some customers hosted in AWS regions are experiencing certificate errors when using the Snowflake Python or Spark connectors to interact with AWS S3 external stages, and you may need to apply a temporary solution to work around the issue.

What happened?

Our findings indicate that the Python certifi library, which is used in specific Snowflake connectors, has recently been updated to remove trust for a legacy certificate previously used in the validation chain for S3 endpoints. The new version of the certifi certificate library (2025.4.26) exposed a latent code issue in the way that the Snowflake connector handles chain validation. Additional details will be provided in the customer-facing RCA, which will be shared following the release of an updated version of the connector.

How will this affect my service?

Customers hosted in AWS regions may encounter the error "The certificate is revoked or could not be validated" and are unable to use the Python and Spark connectors to perform specific operations that require an external AWS S3 stage with certificate check enabled. This issue primarily affects users who have recently upgraded the certifi library to version 2025.4.26.

What action do I need to take?

Potential temporary workarounds for customers with AWS EMR jobs may include the following:

1. Reverting to the previous certifi library version (2025.1.31) to restore the recently removed certificate trust. Customers can revert to the previous version using “pip install certifi==2025.1.31”


2. Configuring your Snowflake connector (Python/Spark) to operate in insecure_mode. This bypasses the certificate validation check (OCSP). Please be aware of the security implications before enabling this mode. Consult the connector documentation for instructions on enabling insecure_mode: https://community.snowflake.com/s/article/How-to-turn-off-OCSP-checking-in-Snowflake-client-drivers


3. For customers running AWS Glue jobs, a possible workaround involves applying a Python environment change within your Glue job script or configuration, such as attempting to downgrade the certifi library manually.

As the permanent solution to this issue with the Snowflake connector, we’re planning to release an updated version by April 30. We’ll update this post should alternative solutions be identified or further relevant details emerge. For more information about the certifi library update, please see the change history: https://pypi.org/project/certifi/2025.4.26/. For more information about the certificate authority update, please see the related AWS blog post: https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/