Secure Clickhouse connection with on premise [snuba]

Hi. I’m trying to install on-premise Sentry with a remote DBaaS based on Yandex Cloud. Sentry supports SASL_SSL on a Kafka cluster.

The problem is that YC uses their own CA certificates with ClickHouse; without them it would not work. So is there any way to start Snuba and Sentry (maybe) to work with ClickHouse on SSL/CA certs?

Here is the YC documentation, which is not working inside the Snuba container:

mkdir -p ~/.clickhouse-client /usr/local/share/ca-certificates/Yandex && \
wget "" -O /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt && \
wget "" -O ~/.clickhouse-client/config.xml
clickhouse-client --host \
                  --secure \
                  --user <username> \
                  --database <databasename> \
                  --port 9440 \

Or here is python version:

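import requests

def request():
    # <host> and <databasename> are placeholders; the real values are missing from the post
    url = 'https://{host}:8443/?database={db}&query={query}'.format(
        host='<host>',
        db='<databasename>',
        query='SELECT now()')
    auth = {
        'X-ClickHouse-User': '<username>',
        'X-ClickHouse-Key': '<password>',
    }
    # Verify the server against the CA file downloaded in the shell steps above
    res = requests.get(
        url, headers=auth,
        verify='/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt')
    return res.text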


YC docs: Connecting to a database in a ClickHouse cluster | Yandex.Cloud - Documentation

We recently added support for custom CAs for Sentry on the onpremise repo:

You can check out the PR that added it and port its logic to Snuba images: feat: Support custom CA roots by Spice-King · Pull Request #1015 · getsentry/onpremise · GitHub

Unfortunately, this is not exactly what I mean. The problem is, I guess, inside the mechanism of how Snuba connects to CH. The connection should be secure via the --secure flag; here is an example with ch-client:


➜  ./clickhouse client --host --user admin --secure --port 9440 --ask-password
ClickHouse client version (official build).
Connected to ClickHouse server version 21.3.15 revision 54447.

WITHOUT secure flag

./clickhouse client --host --user admin --port 9440 --ask-password 
Connecting to as user admin.
Code: 102. DB::NetException: Unexpected packet from server (expected Hello or Exception, got Unknown packet). (UNEXPECTED_PACKET_FROM_SERVER)

So here is the problem as I understand it. And I receive this message, Unexpected packet, inside the Snuba container:

root@sentry:/usr/local/share/ca-certificates# env | grep CLICK
root@sentry:/usr/local# snuba migrations migrate
2021-08-19 16:17:33,507 Connection to Clickhouse cluster failed (attempt 0)
Traceback (most recent call last):
  File "/usr/src/snuba/snuba/clickhouse/", line 81, in execute
    result: Sequence[Any] = conn.execute(
  File "/usr/local/lib/python3.8/dist-packages/clickhouse_driver/", line 205, in execute
  File "/usr/local/lib/python3.8/dist-packages/clickhouse_driver/", line 180, in force_connect
  File "/usr/local/lib/python3.8/dist-packages/clickhouse_driver/", line 260, in connect
    return self._init_connection(host, port)
  File "/usr/local/lib/python3.8/dist-packages/clickhouse_driver/", line 238, in _init_connection
  File "/usr/local/lib/python3.8/dist-packages/clickhouse_driver/", line 376, in receive_hello
    raise errors.UnexpectedPacketFromServerError(message)
clickhouse_driver.errors.UnexpectedPacketFromServerError: Code: 102. Unexpected packet from server None:None (expected Hello or Exception, got Unknown packet)

I think File "/usr/src/snuba/snuba/clickhouse/", line 104, in execute uses a non-secure connection, without the secure flag.

I found this PR, Add params for secure ClickHouse connections. by konstantin-popov · Pull Request #2018 · getsentry/snuba · GitHub, which was reverted. Maybe you can tell me what the problem was and why it was reverted? Revert "Add params for secure ClickHouse connections." by evanh · Pull Request #2033 · getsentry/snuba · Or maybe you can give me some instructions on how to connect to CH with the secure flag?
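Added example, not part of the thread and not Snuba code: the "Unexpected packet" error above is consistent with a plaintext native-protocol client reading a TLS record where it expects a Hello (0) or Exception (2) packet code. This stdlib-only script classifies such first bytes and checks that the CA file from the YC instructions verifies the server on port 9440; the function names and the sample bytes are constructed for illustration.

```python
import socket
import ssl

# Page value: CA path from the YC instructions quoted in the thread.
YC_CA = "/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt"
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# First-reply packet codes a ClickHouse native-protocol client accepts.
CH_FIRST_PACKETS = {0: "Hello", 2: "Exception"}
# Constructed sample: a fatal TLS alert record, as a TLS listener may send to a plaintext greeting.
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020246")


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of peer produced the first bytes read from the socket."""
    if not data:
        return "no data (peer closed or is waiting for a TLS ClientHello)"
    if len(data) >= 3 and data[0] in TLS_RECORD_TYPES and data[1] == 3 and data[2] <= 4:
        return "TLS record (%s): port expects TLS, client spoke plaintext" % TLS_RECORD_TYPES[data[0]]
    if data[0] in CH_FIRST_PACKETS:
        return "ClickHouse native %s packet: port is plaintext" % CH_FIRST_PACKETS[data[0]]
    return "unknown first byte 0x%02x" % data[0]


def make_context(ca_file=None) -> ssl.SSLContext:
    """Verifying client context; when ca_file is given it is the only trusted root."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # Already the defaults; set explicitly because disabling them is the
    # common workaround that silently removes server authentication.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_tls(host: str, port: int = 9440, ca_file: str = YC_CA, timeout: float = 5.0) -> str:
    """Handshake against the secure native port and report the verification result."""
    try:
        ctx = make_context(ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "verified, %s" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "certificate rejected: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "failed: %r" % exc


if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_TLS_ALERT))
    # print(probe_tls("<host>"))  # placeholder host; run inside the Snuba container
```

A "certificate rejected" result from `probe_tls` points at the CA file or hostname, while "verified" means the trust setup in the container is fine and the remaining gap is the client not negotiating TLS.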

@BYK hi! maybe any news?

I guess you got your answer here: Revert "Add params for secure ClickHouse connections." by evanh · Pull Request #2033 · getsentry/snuba · :slightly_smiling_face:

I recommend following that issue/PR as you are already directly connected to the most relevant people there.
