Oracle Cloud Infrastructure Documentation

SDK Troubleshooting

This section covers the most common errors that can occur with the OCI SDKs and how to troubleshoot them.

Timeout Errors

Timeout errors happens when a request doesn't get a response from the server within the configured timeout period. These errors can happen for a number of reasons, and are raised differently, depending on the SDK:
  • Java SDK: A BmcException is thrown with a status code of -1. This exception also has a timeout field with a true value.
  • Go SDK: The returned error message contains "(Client.Timeout exceeded while awaiting headers)."
  • .NET SDK: A System.Threading.Tasks.TaskCanceledException is thrown.
  • TypeScript SDK: The error contains "ETIMED".
  • Ruby SDK: A NetworkError is thrown with a status code of 0.
  • Python SDK: Either a ConnectTimeout exception is thrown with a message containing "ConnectTimeoutError", or a RequestException is thrown with a message containing "Read timed out".
Troubleshooting Suggestions
  1. Have you updated the SDK?
    • If so, try reverting back to the original version used when the code was working.
      • If the original version works, stay with the working version, and continue to Step 2 using the new (not working) version of the SDK.
      • If the original version of SDK does not work anymore, continue to Step 2.
    • If the SDK version did not change, check if there are other code changes since it worked last time.
      • If there have been code changes, try reverting those changes and re-try the original working code.
        • If the original working code stops working, continue to Step 2.
        • If the original working code works, the issue was caused by the code change.
      • If there have been no code changes since it worked last time, continue to Step 2.
  2. Does the timeout occur if you send the same request to a different OCI region from the same machine?
    • If not, then the timeout came from the service. Contact support and be ready to provide the opc-request-id for the failing request.
    • If the request still fails with a timeout, continue to Step 3.
  3. Try the same operation from another tool or SDK, such as the OCI CLI or curl. Does the timeout issue still occur?
    • If not, please contact support or create an issue on Github.
    • If so, the issue is either with the service or the network. Check network connectivity or contact support for help.
  4. Other possible causes:
    1. A timeout error might occur if your internet speed is not fast enough to send all of the content of the request body within the configured timeout period. Check your internet connection and timeout settings.
    2. Check your local network and proxy settings to make sure the hostname can be resolved.

SSL Errors

If you receive an SSL certificate error (often raised as a CERTIFICATE_VERIFY_FAILED error), you might be missing additional certificates that the operation requires.

Troubleshooting Suggestions

The OCI CLI and each OCI SDK have unique methods to specify certifications in code.

CLI

export REQUESTS_CA_BUNDLE=path_to_cert_bundle_file

Java

Import CA certificates to the Java Keystore:
  1. Import a certificate into the Apple Mac OS keychain:
    sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ~/workspaces/trustroots/root-ca.crt
  2. Import a Certificate into the Java Runtime Environment (JRE) Truststore:
    export JAVA_HOME="$(/usr/libexec/java_home)"
                    sudo keytool -importcert -alias missioncontrol-root-ca -file ~/workspaces/trustroots/root-ca.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
Go
pool := x509.NewCertPool()
            //readCertPem reads the pem files to a []byte
            pool.AppendCertsFromPEM(readCertPem())
            //install the certificates to the client
            if h, ok := client.HTTPClient.(*http.Client); ok {
            tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs:pool}}
            h.Transport = tr
            } else {
            panic("the client dispatcher is not of http.Client type. can not patch the tls config")
            }
Python
# There are two ways of trusting certs
            
            # 1. Pass the certs directly to a client
            object_storage = oci.object_storage.ObjectStorageClient(config)
            object_storage.base_client.session.verify = 'path_to_cert_bundle_file'
            
            # 2. Set the environment variable "REQUESTS_CA_BUNDLE"
            export REQUESTS_CA_BUNDLE=path_to_cert_bundle_file
Ruby
# Take identity client as an example
            # Refer to this link: https://ruby-doc.org/stdlib-2.4.1/libdoc/net/http/rdoc/Net/HTTP.html for a complete list of variables to configure
            identity = OCI::Identity::IdentityClient.new
            identity.api_client.request_option_overrides = {
            # Sets path of a CA certification file in PEM format.
            # The file can contain several CA certificates.
            :ca_file => 'PATH_TO_CA_FILE',
            # Sets path of a CA certification directory containing certifications in PEM format.
            :ca_path => 'PATH_TO_CA_DIR',
            }
TypeScript
export NODE_EXTRA_CA_CERTS=<path_to_cert>

.NET

For the OCI .NET SDK, you need to trust the certificate file at the OS level:

Mac OS

  1. In the Keychain Access app on your Mac, select either the Login or System keychain.

  2. Drag the certificate file onto the Keychain Access app.

  3. If you're asked to provide a name and password, type the name and password for an administrator user on this computer.

Centos/RHEL/Oracle Linux

  1. Copy the .crt file to /etc/pki/ca-trust/source/anchors on your machine

  2. Run update-ca-trust extract

Debian/Ubuntu

  1. Copy the .crt file to /usr/local/share/ca-certificates/ on your machine

  2. Run update-ca-certificates

Windows

  1. Click the search box on the taskbar or in the Start Menu, and type "mmc" to launch the Microsoft Management Console.
  2. Click the File menu and then click Add/Remove Snap-In.
  3. Click Certificates under Available Snap-ins then click Add.
  4. Click OK
  5. Click Computer Account, then click the Next button.
  6. Click Local Computer
  7. Click Finish.
  8. Double-click Certificates (Local Computer) in the tree menu, then right-click Trusted Root Certification Authorities Store.
  9. Click All Tasks in the pop-up menu, then select Import.
  10. Follow the instructions to find and import your certificate.

Configuration or Authentication Errors

The OCI SDKs use a configuration file to authenticate on local machines. See SDK and CLI Configuration File for more information.

This is an example configuration file:
[DEFAULT]
            user=ocid1.user.oc1..<example>
            fingerprint=<example fingerprint>
            key_file=~/.oci/oci_api_key.pem
            tenancy=ocid1.tenancy.oc1..<example>
Troubleshooting Suggestions
  • If you get an error message similar to "did not find a proper configuration for user", ensure that you have a valid configuration file.
  • If you're using instance principal or resource principal authorization, check that you're running in the correct environment and that the IMDS service is enabled. For more information on authentication methods, see SDK Authentication Methods.