deprecations command crashes with unhandled SSL error behind corporate proxy (v0.19.0)
Related
- Some people behind restricted corporate network/firewall/proxy can't download the JSON schema files #199 (closed) — same root cause, not fully resolved
- Add ability to disable HTTPX SSL verification when downloading schemas #200 (merged) — added retries=3, but retries don't help when SSL handshake itself is terminated
Description
Running dbt-autofix deprecations in a corporate environment (self-hosted GitHub Actions runner behind an SSL-intercepting proxy) crashes with an unhandled httpx.ConnectError when fetching schemas from https://public.cdn.getdbt.com.
The fix in #200 added HTTPTransport(retries=3), but this does not address the root cause — all 3 retries fail identically because the SSL handshake is terminated by the proxy before any HTTP exchange occurs.
The hidden --disable-ssl-verification flag also does not resolve this, because the proxy terminates the TLS connection at the protocol level (UNEXPECTED_EOF_WHILE_READING), which occurs before httpx's verify parameter comes into play.
Environment
- dbt-autofix: 0.19.0 (latest on PyPI)
- Python: 3.12
- httpx: latest
- Runner: Self-hosted GitHub Actions (Ubuntu), behind corporate SSL-intercepting proxy
- Install method: uv sync (also reproducible with pip install)
Command
Reproducible with both direct invocation and uv run:
dbt-autofix deprecations --path . --json --select src/
uv run dbt-autofix deprecations --path . --json --select src/
Also tried with hidden flag — same result:
dbt-autofix deprecations --path . --json --disable-ssl-verification --select src/
uv run dbt-autofix deprecations --path . --json --disable-ssl-verification --select src/
Error
Traceback (most recent call last):
...
File ".../dbt_autofix/retrieve_schemas.py", line 323, in get_fusion_latest_version
resp = client.get(latest_versions_url)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
httpx.ConnectError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1000)
The crash originates in retrieve_schemas.py → get_fusion_latest_version() which makes an unconditional HTTPS request to https://public.cdn.getdbt.com/fs/versions.json on every invocation.
Root Cause
In corporate environments with SSL-intercepting proxies, the proxy terminates the TLS connection before the HTTP layer, causing [SSL: UNEXPECTED_EOF_WHILE_READING]. Neither retries nor verify=False help because the failure occurs at the TLS protocol level, not at certificate validation.
Suggested Fixes
- Bundle a fallback schema — ship a known-good schema version with the package so the tool can operate without network access. Use the CDN fetch as an upgrade check, not a hard requirement.
- Graceful error handling — catch httpx.ConnectError / httpx.ConnectTimeout in _get_specs() and either fall back to a bundled schema or exit with a clear message instead of a raw traceback.
- Add --offline mode — allow users to skip the CDN fetch entirely and use a bundled or previously-cached schema.
- Respect HTTPS_PROXY / HTTP_PROXY env vars — httpx supports proxy configuration, but SchemaSpecs.__init__ creates the client without proxy settings. Passing proxy=os.environ.get("HTTPS_PROXY") to httpx.Client() would allow users to route through their corporate proxy.
- Surface --disable-ssl-verification — even though it doesn't fix this specific issue, it's currently hidden=True and undiscoverable via --help.
Workaround
Currently no working workaround exists for environments where the proxy terminates TLS connections to public.cdn.getdbt.com. The tool is unusable in these environments.
Impact
This blocks adoption of dbt-autofix in CI pipelines for any organization using SSL-intercepting proxies (common in enterprise/financial sector environments).