Hi Mark,

Can you try to add the root certificates to the gRPC client, and see if the warning goes away?

API for client-side credentials: https://grpc.io/grpc/python/grpc.html#grpc.ssl_channel_credentials
Lidi

On Monday, October 29, 2018 at 12:25:28 PM UTC-7, Mark Nuttall-Smith wrote:
>
> Hi,
>
> I have a gRPC client (C# and Python) using client-side SSL which is
> terminated in an Istio ingress gateway (envoy) before reaching the service.
>
> When using a genuine certificate from LetsEncrypt everything works fine.
>
> However, when the ingress gateway is configured with a self signed SSL
> certificate, generated from a root CA which has been added to the trust
> store (keychain/cert-manager) on the client machine, the connection fails:
>
> E1029 17:01:45.274918000 123145515409408 ssl_transport_security.cc:1229]
>> Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL
>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
>
>
> Chrome/curl etc will connect to the http services behind the same ingress
> gateway without SSL warnings (given that the root CA certificate has been
> added to the trust store).
>
> My question is: should gRPC also be using the trust store for client-side
> SSL? If so, any ideas what I might be doing wrong.
>
> Thanks,
> Mark
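The suggestion in the reply, as an added example that is not part of the original thread: pass the private root CA to the Python client explicitly through `grpc.ssl_channel_credentials`. The file name `root-ca.pem`, the target host and the helper names are assumptions made for illustration.

```python
# Added example: explicit root certificates for a gRPC Python client.
# ROOT_CA_PATH and TARGET are hypothetical; substitute your own values.
ROOT_CA_PATH = "root-ca.pem"
TARGET = "grpc.example.internal:443"

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def load_root_certificates(*paths):
    """Concatenate PEM files into the single byte string gRPC expects.

    Explicit root_certificates replace gRPC's default roots, so list every
    CA the client must trust (the private root CA plus any public bundle
    still needed for other endpoints).
    """
    if not paths:
        raise ValueError("at least one PEM file is required")
    bundle = []
    for path in paths:
        with open(path, "rb") as fh:
            pem = fh.read()
        # A DER-encoded (.cer/.der) export has no PEM header and would
        # otherwise only surface later as a handshake failure.
        if PEM_HEADER not in pem:
            raise ValueError(f"{path}: no PEM certificate found")
        bundle.append(pem.strip() + b"\n")
    return b"".join(bundle)


def count_certificates(pem_bundle):
    """Number of certificates in a PEM bundle, for a quick sanity check."""
    return pem_bundle.count(PEM_HEADER)


def make_channel(target, root_ca_paths):
    """Open a TLS channel that verifies the server against the given roots."""
    import grpc  # imported here so the helpers above work without grpcio

    roots = load_root_certificates(*root_ca_paths)
    credentials = grpc.ssl_channel_credentials(root_certificates=roots)
    return grpc.secure_channel(target, credentials)


# Usage (requires grpcio and a real CA file):
#   channel = make_channel(TARGET, [ROOT_CA_PATH])
```

The hostname in `TARGET` still has to match a name in the certificate the ingress gateway presents; supplying the root CA only fixes chain verification.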
