Hi all,

I have a pretty simple client-server architecture using *grpc 1.66*, where 
the client uses SslCredentialOptions to take in the root_ca, private_key, 
and cert_chain in string format. It uses the SslCredentialOptions to create 
the SslCredentials, and we use the credentials to create a CustomChannel to 
the server.

On the server side too, we do the same. We input the certificates as string 
in SslServerCredentialOptions, use it to create SslCredentials, and we use 
them to build the server and listen.

Now I want to migrate my SslCredentials to 
grpc::experimental::TlsCredentials, since it supports CRLs, which I want to 
implement on the client side. It keeps posing two main challenges:

1. First I tried only making changes on the client side, since my use case 
only requires checking CRLs at the client. I used the following code to do 
so:

  grpc::experimental::IdentityKeyCertPair key_cert_pair;
  key_cert_pair.private_key = certificate.pem_private_key;
  key_cert_pair.certificate_chain = certificate.pem_cert_chain;
  std::vector<grpc::experimental::IdentityKeyCertPair> key_cert_pairs = {
      key_cert_pair};
  auto cert_provider =
      std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
          certificate.pem_root_certs, key_cert_pairs);
  auto tls_opts =
      std::make_shared<grpc::experimental::TlsChannelCredentialsOptions>();
  tls_opts->set_certificate_provider(cert_provider);
  auto tls_cred = grpc::experimental::TlsCredentials(*tls_opts);
  auto channel = grpc::CreateCustomChannel(host_and_port, tls_cred, args);

This did not work: the connection was going through, but it kept showing 
*SSL_ERROR_SSL: certificate verify failed: self-signed certificate in certificate chain* 
even when the same root_cert is presented by both client and server.

2. Then I tried to make changes on the server side using the following code:

  grpc::experimental::IdentityKeyCertPair key_cert_pair;
  key_cert_pair.private_key = key_pem;
  key_cert_pair.certificate_chain = cert;
  std::vector<grpc::experimental::IdentityKeyCertPair> key_cert_pairs = {
      key_cert_pair};
  auto cert_provider =
      std::make_shared<grpc::experimental::StaticDataCertificateProvider>(
          root_cert, key_cert_pairs);
  auto tls_opts =
      std::make_shared<grpc::experimental::TlsServerCredentialsOptions>(
          cert_provider);
  tls_opts->set_root_cert_name("default");
  auto tls_creds = grpc::experimental::TlsServerCredentials(*tls_opts);
  builder->AddListeningPort(server_address, tls_creds, &selected_port);

This makes the server go into a crash loop with the signature

F0627 06:01:34.788973 177282 grpc_tls_certificate_distributor.cc:179] 
[absl] Check failed: root_cert_name.has_value() || 
identity_cert_name.has_value()

even after giving the root_cert_name.

Please help me with this. Thanks in advance.

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/grpc-io/cff846c0-b8f1-47ad-9d17-b708cc48ed40n%40googlegroups.com.
