Hello,


We are currently facing an issue with trying to connect our PHP gRPC client 
with SSL to our Java gRPC server. The gRPC service we are trying to connect 
to is running on a service mesh (linkerd/namerd), and the call first hits a 
linkerd instance that routes to the service.


When we run a Java client using the trusted certificate, it is able to 
connect to the server; however, with a Python and PHP client, the SSL 
connection fails even with the same cert.


Java client code:


// Trust the certificate in the given file and override the authority used for the connection.
ManagedChannel channel = NettyChannelBuilder.forAddress(host, port)
        .overrideAuthority("cert-common-name")
        .sslContext(GrpcSslContexts.forClient().trustManager(new File("path/to/cert")).build())
        .build();



Python code:


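import grpc

# Root certificates are read from the PEM file as bytes.
credentials = grpc.ssl_channel_credentials(open('path/to/cert', 'rb').read())
# The channel target has the form "host:port".
channel = grpc.secure_channel('{}:{}'.format(host, port), credentials,
                              options=(('grpc.default_authority', 'cert-common-name'),))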



PHP code:



// Root certificates are read from the PEM file.
$channel_credentials = \Grpc\ChannelCredentials::createSsl(file_get_contents('path/to/cert'));
$channel = new \Grpc\Channel($hostname,
    [
        'grpc_target_persist_bound' => 2,
        'grpc.default_authority' => 'cert-common-name',
        'credentials' => $channel_credentials
    ]);



We are interested in fixing the problem for PHP at the moment. Our PHP 
client runs in a CentOS 7 docker container with nginx + php-fpm.


We have tried to make the OS trust the certificate by using 
update-ca-trust. Running *openssl s_client -connect host:port* returns:

> verify error:num=2:unable to get issuer certificate


We receive the following error when calling the server with the created 
client for PHP:


> ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED


With the gRPC logs, we can see that the connection fails when it tries to 
call the security handshake.


We are not sure why the Java client is able to connect to the server while 
the PHP and Python clients cannot with the same cert.


Has anyone run into these issues before? It would be helpful if anyone has 
some information on this, as this is currently a high-priority blocker for 
us.


Thank you.
