Hi Eric, you were correct! That fixed my problem. I was also using the wrong 
files when loading the certs. It works now.

this.serverCertFile = this.loadCert("server.crt");

this.serverPrivateKeyFile = this.loadCert("server.pem");

this.serverTrustedCaCerts = new X509Certificate[]{this.loadX509Cert("GRPC.pem")};

Also I was lazy with pasting in my example which is why it did not work for 
you. If you replaced server with the sdl domain it would have worked. But 
thanks to you everything is good now.

I appreciate it!

On Friday, November 3, 2017 at 6:39:13 PM UTC-7, [email protected] wrote:
>
> Hi Eric, thank you for the reply. I will take a look at that link. That 
> may be my problem. I will post back after I try this out.
>
> On Friday, November 3, 2017 at 4:08:47 PM UTC-7, Eric Anderson wrote:
>>
>> Have you looked at 
>> http://netty.io/wiki/sslcontextbuilder-and-private-key.html ?
>>
>> I wasn't able to completely follow your directions (the last certstrap 
>> command failed), but comparing the keys 
>> in grpc-java/testing/src/main/resources/certs to those in certstrap 
>> generated I see:
>> -----BEGIN PRIVATE KEY-----
>> vs
>> -----BEGIN RSA PRIVATE KEY-----
>>
>> Running openssl to convert the format as suggested by the netty 
>> documentation yielded BEGIN PRIVATE KEY. I didn't try running with it, but 
>> that looked promising.
>>
>> On Fri, Nov 3, 2017 at 8:23 AM, <[email protected]> wrote:
>>
>>> I have been at this for the better part of a couple of days and am at 
>>> the end of my rope. I am trying to generate readable keys for a JAVA grpc 
>>> server. I am using certstrap to generate the keys. Here is what I am doing:
>>>
>>>
>>> certstrap init --common-name "GRPC"
>>> certstrap request-cert --common-name server.com
>>> certstrap sign sdl10236.labs.teradata.com --CA "GRPC"
>>> I get the following output:
>>> GRPC.crl, GRPC.crt, GRPC.key, server.crt, server.csr, and server.key
>>> Now the problem here is when I go to load the certificates and keys. The 
>>> source for reading the key in netty keeps saying that I do not have a valid 
>>> private key.
>>> Exception in thread "main" java.lang.IllegalArgumentException: File does not contain valid private key: /tmp/server.com.key5252344955683539009
>>>     at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)
>>>     at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:222)
>>>     at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:54)
>>>     at com.teradata.grpc.GrpcServer.serverBuilder(GrpcServer.java:152)
>>>     at com.teradata.grpc.GrpcServer.start(GrpcServer.java:69)
>>>     at com.teradata.grpc.GrpcServer.main(GrpcServer.java:111)
>>> Caused by: java.security.KeyException: could not find a PKCS #8 private key in input stream (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html for more information)
>>>     at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:128)
>>>     at io.netty.handler.ssl.PemReader.readPrivateKey(PemReader.java:109)
>>>     at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)
>>>     at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)
>>>     ... 5 more
>>> Here is the code I am running:
>>> this.clientContextBuilder = GrpcSslContexts.configure(SslContextBuilder.forClient(), this.sslProvider);
>>>         try {
>>>             this.serverCertFile = this.loadCert("sdt03134.labs.teradata.com.crt");
>>>
>>>             this.serverPrivateKeyFile = this.loadCert("sdt03134.labs.teradata.com.key");
>>>
>>>             this.serverTrustedCaCerts = new X509Certificate[]{this.loadX509Cert("grpc.crt")};   // <-- the barfing happens here.
>>>         } catch (IOException ex) {
>>> The following methods I borrowed from the java unit tests to create the 
>>> server:
>>> private File loadCert(String name) throws IOException {
>>>         InputStream in = new BufferedInputStream(GrpcServer.class.getResourceAsStream("/certs/" + name));
>>>         File tmpFile = File.createTempFile(name, "");
>>>         tmpFile.deleteOnExit();
>>>
>>>         OutputStream os = new BufferedOutputStream(new FileOutputStream(tmpFile));
>>>         try {
>>>             int b;
>>>             while ((b = in.read()) != -1) {
>>>                 os.write(b);
>>>             }
>>>
>>>             os.flush();
>>>         } finally {
>>>             in.close();
>>>             os.close();
>>>         }
>>>
>>>         return tmpFile;
>>>     }
>>>
>>>     private X509Certificate loadX509Cert(String fileName) throws CertificateException, IOException {
>>>         CertificateFactory cf = CertificateFactory.getInstance("X.509");
>>>         logger.info("" + fileName);
>>>         InputStream in = GrpcServer.class.getResourceAsStream("/certs/" + fileName);
>>>         if (in != null) {
>>>             logger.info("Inputstream is defined.");
>>>         }
>>>         try {
>>>             return (X509Certificate) cf.generateCertificate(in);
>>>         } finally {
>>>             in.close();
>>>         }
>>>     }
>>>
>>>     private ServerBuilder<?> serverBuilder(int port, File serverCertChainFile,
>>>             File serverPrivateKeyFile, X509Certificate[] serverTrustedCaCerts) throws IOException {
>>>         SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(serverCertChainFile, serverPrivateKeyFile);
>>>         GrpcSslContexts.configure(sslContextBuilder, sslProvider);
>>>         sslContextBuilder.trustManager(serverTrustedCaCerts).clientAuth(ClientAuth.REQUIRE);
>>>
>>>         return NettyServerBuilder.forPort(port).sslContext(sslContextBuilder.build());
>>>     }
>>> Any help would be appreciated here. Please do not reply with read the 
>>> docs. I have been there many times and they just do not provide enough 
>>> information to solve this problem.
>>>
>>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/e737cf0f-84c4-4910-9fc4-df01cabbf889%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
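
Added example, not part of the thread and not code from grpc-java or Netty: a shell check for the key-format mismatch discussed above (`BEGIN RSA PRIVATE KEY` versus the PKCS #8 `BEGIN PRIVATE KEY` that the stack trace asks for), followed by the kind of openssl conversion the linked Netty wiki page suggests. The function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and paths are placeholders, not from the thread.

# Print the PEM container type of a private key file, judged by its BEGIN line.
pem_key_format() {
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" | tr -d '\r')
    case "$header" in
        '')                                      echo "none" ;;
        '-----BEGIN PRIVATE KEY-----')           echo "pkcs8" ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo "pkcs8-encrypted" ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo "pkcs1-rsa" ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo "sec1-ec" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Write an unencrypted PKCS #8 copy of key file $1 to $2.
# The output holds the key in the clear, so it is created under umask 077
# (owner-only permissions). Encrypted or unrecognised input is refused
# rather than guessed at.
ensure_pkcs8() {
    src=$1
    dst=$2
    fmt=$(pem_key_format "$src")
    case "$fmt" in
        pkcs8)
            ( umask 077; cp "$src" "$dst" ) ;;
        pkcs1-rsa|sec1-ec)
            ( umask 077; openssl pkcs8 -topk8 -nocrypt -in "$src" -out "$dst" ) ;;
        *)
            echo "refusing to convert $src: detected format is '$fmt'" >&2
            return 1 ;;
    esac
}

# Stand-alone use: ./pkcs8check.sh server.key server.pem
if [ "$#" -eq 2 ]; then
    echo "input format: $(pem_key_format "$1")"
    ensure_pkcs8 "$1" "$2" && echo "output format: $(pem_key_format "$2")"
fi
```

Running the check before the server starts turns the `could not find a PKCS #8 private key` exception into an explicit message naming the format that was actually found.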
