Troubleshooting SSL Certificate Issue in PowerBI Report Server Connection

Original Slack Thread

<@U06TM7M40RK>, just trying to connect PowerBI Report Server to get all the information, but have a certificate issue apparently. Here is the code i’m running :

    type: powerbi-report-server
    config:
        username: '${PBI_RS_USN}'
        password: '${PBI_RS_PW}'
        workstation_name: srv****
        host_port: 'srv***.******-****.**:80'
        server_alias: powerbi-dev.****.fr
        env: DEV
        report_virtual_directory_name: reports
        report_server_virtual_directory_name: ReportServer
        extract_ownership: true
        ownership_type: TECHNICAL_OWNER```
Running on latest version.

Error returning is :

```&lt;class 'requests.exceptions.SSLError'&gt;: HTTPSConnectionPool(host='powerbi-dev.****.fr', port=443): Max retries exceeded with url: /reports/reports/api/v2.0/Reports (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))```

The error message you’re encountering indicates that there is an SSL certificate verification issue when trying to connect to your PowerBI Report Server. This is a common issue when using self-signed certificates or when the certificate chain is not recognized by the client.

Here are some steps to resolve this issue:

  1. Verify SSL Certificate: Ensure that the SSL certificate used by your PowerBI Report Server is valid and trusted by the client machine. If it’s a self-signed certificate, you may need to add it to the trusted certificates on your client machine.

  2. Set REQUESTS_CA_BUNDLE Environment Variable: You can set the REQUESTS_CA_BUNDLE environment variable to point to your CA certificate file. This ensures that the requests library used by DataHub can verify the SSL certificate.

    export REQUESTS_CA_BUNDLE=/path/to/ca_certificate.pem
    
  3. Disable SSL Verification (for Testing): If you are in a development environment, you can temporarily disable SSL verification to see if the issue is related to SSL/TLS. This is not recommended for production environments.

    Update your ingestion recipe to include the disable_ssl_verification parameter:

    sink:
      type: datahub-rest
      config:
        server: 'https://datahub-gms.trusted.visa.com'
        token: '${DATAHUB_GMS_TOKEN}'
        max_threads: 1
        disable_ssl_verification: true  # Temporarily disable SSL verification
    
  4. Check Server Configuration: Ensure that the PowerBI Report Server is correctly configured to accept HTTPS connections on the specified port (443 in this case).

  5. Review the Ingestion Recipe: Ensure that all other parameters in the ingestion recipe are correctly configured, including username, password, workstation_name, server_alias, and env.

Would you like more detailed steps or further assistance on any specific part of this configuration?

Sources:

<@U06TM7M40RK> how could I get the Datahub GMS Token ?

To obtain a DataHub GMS token, you need to generate a Personal Access Token (PAT) from the DataHub UI. Here are the steps to do so:

  1. Enable Metadata Service Authentication: Ensure that metadata service authentication is enabled in your DataHub deployment. This is a prerequisite for using Personal Access Tokens. You can enable it by setting the METADATA_SERVICE_AUTH_ENABLED environment variable to true in your GMS and frontend configurations. For Kubernetes deployments, you can set global.datahub.metadata_service_authentication.enabled to true in your Helm values file (https://datahubproject.io/docs/0.13.1/authentication/personal-access-tokens|source).

  2. Generate Personal Access Token:

  3. Use the Token: Once you have the token, you can use it to authenticate API requests to DataHub by including it in the Authorization header as a Bearer token:

    Authorization: Bearer <your-personal-access-token>
    
  4. Environment Variable: You can also set the token as an environment variable for use in CLI or scripts:

    export DATAHUB_GMS_TOKEN=<your-personal-access-token>
    

Would you like more detailed steps or further assistance on any specific part of this process?

Sources: