[FIXED] SSL/TLS Connection Closed Unexpectedly When Accessing Pinecone from GCP Flask App

Hello Pinecone Community, I’m experiencing a persistent issue with SSL/TLS connections when attempting to access Pinecone from my Flask application hosted on Google Cloud Run – the connection is unexpectedly closed, resulting in an SSLZeroReturnError.

Error Message: SSLError: TLS/SSL connection has been closed (EOF) (_ssl.c:1129)

My application and Pinecone are hosted in GCP’s Iowa (us-central1) region.

Here’s a summary of my setup and what I’ve tried so far:

  • Application Stack: Flask (python), hosted on GCP Cloud Run, using Gunicorn as the WSGI server
  • Pinecone Version: pinecone-client==2.2.4
  • SSL/TLS Verification: Originally enabled (default), but disabled for testing purposes with no resolution to the issue
  • Flask Development Server: I considered reverting to Flask’s development server for testing, but I stuck with Gunicorn for its production readiness.
  • Gunicorn Timeout: Increased to 3600 seconds
  • Requests to Pinecone: Made within a ThreadPoolExecutor in Flask to avoid blocking the main thread, but the SSL/TLS connection still closes unexpectedly. I’ve reviewed my GCP networking and firewall settings, and there are no obvious VPC service controls that could be interfering with the connection.
  • Moved my application Docker image from python 3.9:slim to python 3.9, to 3.10 but no chance.
  • Added certs download in Dockerfile apt-get install -y --no-install-recommends ca-certificates && \
  • Performing curl calls to my app locally with and without the Docker image works as expected
  • I tried varying the Cloud Run instance’s memory from 8 GB to 32 GB but to no avail.
  • I just rotated my Pinecone API key, works locally, still doesn’t work on Cloud Run
  • I am still on the free version, using gcp-starter. To the best of my knowledge, this is not a limitation of the free version.
  • I downgraded from urllib3==1.26.18 to urllib3==1.26.12 (seen on a github issue)
  • Set number of workers in multi-threading to 1
  • Disabled SSL checks with os.environ['PYTHONHTTPSVERIFY'] = '0'

Here’s the traceback:

Traceback (most recent call last):
  File "/app/src/Llama_index_sandbox/custom_react_agent/tools/query_engine.py", line 13, in call
    response = self._query_engine.query(query_str)
  File "/usr/local/lib/python3.9/site-packages/llama_index/indices/query/base.py", line 23, in query
    return self._query(str_or_query_bundle)
  File "/usr/local/lib/python3.9/site-packages/llama_index/query_engine/retriever_query_engine.py", line 171, in _query
    nodes = self.retrieve(query_bundle)
  File "/usr/local/lib/python3.9/site-packages/llama_index/query_engine/retriever_query_engine.py", line 123, in retrieve
    nodes = self._retriever.retrieve(query_bundle)
  File "/usr/local/lib/python3.9/site-packages/llama_index/indices/base_retriever.py", line 22, in retrieve
    return self._retrieve(str_or_query_bundle)
  File "/usr/local/lib/python3.9/site-packages/llama_index/indices/vector_store/retrievers/retriever.py", line 87, in _retrieve
    return self._get_nodes_with_embeddings(query_bundle)
  File "/usr/local/lib/python3.9/site-packages/llama_index/indices/vector_store/retrievers/retriever.py", line 164, in _get_nodes_with_embeddings
    query_result = self._vector_store.query(query, **self._kwargs)
  File "/usr/local/lib/python3.9/site-packages/llama_index/vector_stores/pinecone.py", line 327, in query
    response = self._pinecone_index.query(
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/utils/error_handling.py", line 17, in inner_func
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/pinecone/index.py", line 455, in query
    response = self._vector_api.query(
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/api_client.py", line 776, in __call__
    return self.callable(self, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/api/vector_operations_api.py", line 716, in __query
    return self.call_with_http_info(**kwargs)
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/api_client.py", line 838, in call_with_http_info
    return self.api_client.call_api(
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/api_client.py", line 413, in call_api
    return self.__call_api(resource_path, method,
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/api_client.py", line 200, in __call_api
    response_data = self.request(
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/api_client.py", line 459, in request
    return self.rest_client.POST(url,
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/rest.py", line 271, in POST
    return self.request("POST", url,
  File "/usr/local/lib/python3.9/site-packages/pinecone/core/client/rest.py", line 157, in request
    r = self.pool_manager.request(
  File "/usr/local/lib/python3.9/site-packages/urllib3/request.py", line 78, in request
    return self.request_encode_body(
  File "/usr/local/lib/python3.9/site-packages/urllib3/request.py", line 170, in request_encode_body
    return self.urlopen(method, url, **extra_kw)
  File "/usr/local/lib/python3.9/site-packages/urllib3/poolmanager.py", line 376, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 815, in urlopen
    return self.urlopen(
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 815, in urlopen
    return self.urlopen(
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 815, in urlopen
    return self.urlopen(
  File "/usr/local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.9/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='quickstart-377ec93.svc.gcp-starter.pinecone.io', port=443): Max retries exceeded with url: /query (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))

Some sources:

These kinds of issues can be maddening to debug, but in my experience your best shot is if you’re able to obtain a packet capture to see what’s happening at the TCP level. There should be a way to enable that in your GCP or VPC settings, but I’m not familiar enough with GCP to show you where.

Once you have the packet capture you can use Wireshark to trace the SSL handshake/connection and see where it might be getting tripped up. If you haven’t used Wireshark it can take some time to learn just that part.

Daunting, but I guarantee you’ll learn a ton along the way.

2 Likes

Ah, I just fixed it. The fix was to remove multi-threading within my app backend. The purpose of multi-threading there was to quickly send a response to the front-end and schedule a job to be picked up by another worker.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.