Have you tried another gRPC language with the same certs/keys to isolate this issue to the gRPC-Go implementation? You can find examples in other languages here: https://grpc.io/docs/guides/auth/
On Wednesday, April 22, 2020 at 8:13:54 AM UTC-7 edward...@lacity.org wrote:
> -- Golang app server TLS connections to mobile clients --
>
> Everything is working except the FULL CHAIN of trust is not being sent.
>
> I created a pfx file (full identity file), converted it to PEM, loaded it into a Go app (code below) and it works great except the INTERMEDIATE certificates are not being sent as part of the chain of trust.
>
> I've tried all the examples I can find, but none have resolved my issue.
>
> I'm also using online TLS checker tools that mostly check web servers; I'm not sure if better tools exist for testing pure gRPC connections besides other one-off gRPC apps.
>
> Again, this is a pure gRPC, non-web related connection. Below is a snippet of code that is 99% working with Comodo TLS certs. I'm concerned that my issue may be with the CertPool and how it gets passed to tls.Config. I'm following the examples but something is not working; also, it's not entirely obvious whether an event hook is required to fetch and unwind the CertPool or if the TLS libs can unwind everything in the proper order: host_key, [INTERMEDIATES], RootCA_key; I have to assume so.
>
> // Load the certificates from disk
> //
> certificate, err := tls.LoadX509KeyPair(crt, key)
> if err != nil {
>     return fmt.Errorf("could not load server key pair: %s", err)
> } else {
>     log.Println("loaded key pair")
> }
>
> // Read FullChain file from disk
> //
> CACert, err := ioutil.ReadFile(ca)
> if err != nil {
>     return fmt.Errorf("could not read CACert certificate: %s", err)
> } else {
>     log.Println("Found Cert Bundle")
> }
>
> // Create a certificate pool to hold certificates from authorities
> //
> certPool, _ := x509.SystemCertPool()
>
> // Append the client certificates from the CA
> //
> if ok := certPool.AppendCertsFromPEM(CACert); !ok {
>     log.Println("----- Error: Not able to Append Certs to CertPool -----")
> } else {
>     log.Println("Loaded PEM certs")
> }
>
> // TLS configuration object
> //
> tlsConfig := &tls.Config{
>     RootCAs: certPool,
>
>     Certificates: []tls.Certificate{certificate},
>
>     CipherSuites: []uint16{
>         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>         tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>         tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>         tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
>         tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
>         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
>         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
>     },
>
>     PreferServerCipherSuites: true,
>
>     // Forbid all TLS below 1.2
>     MinVersion: tls.VersionTLS12,
> }
>
> s := grpc.NewServer(
>     grpc.Creds(credentials.NewTLS(tlsConfig)),
>     grpc.KeepaliveParams(
>         keepalive.ServerParameters{
>             Time:    (time.Duration((300) * time.Second)),
>             Timeout: (time.Duration(10) * time.Second),
>         },
>     ),
>     grpc.KeepaliveEnforcementPolicy(
>         keepalive.EnforcementPolicy{
>             MinTime:             (time.Duration((300) * time.Second)),
>             PermitWithoutStream: true,
>         },
>     ),
> )
>
> [... start listening boilerplate...]

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/26ae91c2-d639-48bd-8ad3-9f8dd2491410%40googlegroups.com.
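An added Go example for the chain question above (my own code, not from this thread or from grpc-go): a Go server sends exactly the CERTIFICATE blocks found in the file handed to tls.LoadX509KeyPair, in file order, and nothing placed in a CertPool under RootCAs or ClientCAs is ever added to that, so the intermediates have to be concatenated after the leaf in the crt file. PresentedChain shows what would go on the wire for a given cert/key file pair and rejects a file whose blocks are not leaf first with each block signed by the next; Mint is a hypothetical helper that builds a throwaway root/intermediate/leaf hierarchy in memory (the names and the host grpc.example.test are constructed) so the check runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Mint issues a throwaway test certificate for cn, signed by parent (self-signed when parent is nil); not a real CA.
func Mint(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey, serial int64) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// PresentedChain loads certPEM/keyPEM as tls.LoadX509KeyPair does and returns what a Go server will
// send: every CERTIFICATE block in certPEM, in file order (RootCAs/ClientCAs never add to it).
func PresentedChain(certPEM, keyPEM []byte) ([]*x509.Certificate, error) {
	kp, err := tls.X509KeyPair(certPEM, keyPEM) // fails if the first block does not match the key
	if err != nil {
		return nil, err
	}
	chain, err := x509.ParseCertificates(bytes.Join(kp.Certificate, nil))
	if err != nil {
		return nil, err
	}
	for i := 0; i+1 < len(chain); i++ { // leaf first, each block signed by the next one
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return nil, fmt.Errorf("block %d (%s) is not signed by block %d: %w", i, chain[i].Subject.CommonName, i+1, err)
		}
	}
	return chain, nil
}
```

A leaf-only crt yields a one-certificate chain, which is what an online checker reports as a missing intermediate; the same file with the intermediate appended after the leaf yields two.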