Hi Lidi,
Yep, that works too - e.g. for the Python client:
import grpc
# host is the gateway address, e.g. "name:443"
with open('ca.crt', 'rb') as f:
    creds = grpc.ssl_channel_credentials(f.read())
channel = grpc.secure_channel(host, creds)
Where ca.crt is the same certificate that I imported into the trust store.
However, I don't want to distribute the client certificate with the
application. In a corporate environment I'd expect a sysadmin to push the
corporate CA root certificate to the trust store... right?
Cheers, Mark
On Monday, 29 October 2018 20:43:59 UTC+1, [email protected] wrote:
>
> Hi Mark,
>
> Can you try to add the root certificates to the gRPC client, and see if
> the warning goes away?
> API for client-side credentials:
> https://grpc.io/grpc/python/grpc.html#grpc.ssl_channel_credentials
>
> Lidi
>
> On Monday, October 29, 2018 at 12:25:28 PM UTC-7, Mark Nuttall-Smith wrote:
>>
>> Hi,
>>
>> I have a gRPC client (C# and Python) using client-side SSL which is
>> terminated in an Istio ingress gateway (envoy) before reaching the service.
>>
>> When using a genuine certificate from LetsEncrypt everything works fine.
>>
>> However, when the ingress gateway is configured with a self signed SSL
>> certificate, generated from a root CA which has been added to the trust
>> store (keychain/cert-manager) on the client machine, the connection fails:
>>
>> E1029 17:01:45.274918000 123145515409408 ssl_transport_security.cc:1229]
>>> Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL
>>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
>>
>>
>> Chrome/curl etc will connect to the http services behind the same ingress
>> gateway without SSL warnings (given that the root CA certificate has been
>> added to the trust store).
>>
>> My question is: should gRPC also be using the trust store for client-side
>> SSL? If so, any ideas what I might be doing wrong.
>>
>> Thanks,
>> Mark
>>
>>
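One way to avoid shipping ca.crt with the application, shown as an added example that is not part of the original thread: read the roots that Python's ssl module finds on the machine and hand them to grpc.ssl_channel_credentials. It assumes the corporate CA is installed in a location Python's ssl module loads by default; the helper names and the extra_cafile parameter are hypothetical.

```python
import ssl


def ders_to_pem(ders):
    """Join DER-encoded certificates into one PEM bundle (bytes), or None if empty."""
    if not ders:
        return None
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders).encode("ascii")


def pem_bundle(ctx):
    """PEM bundle of the CA certificates currently loaded in an SSLContext."""
    # Certificates in an OpenSSL capath directory are loaded lazily during a
    # handshake, so they will not be listed here; cafile entries are.
    return ders_to_pem(ctx.get_ca_certs(binary_form=True))


def system_roots_pem(extra_cafile=None):
    """Roots from the platform defaults, plus an optional admin-managed CA file."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if extra_cafile is not None:
        # Hypothetical path pushed by a sysadmin, not bundled with the app.
        ctx.load_verify_locations(cafile=extra_cafile)
    return pem_bundle(ctx)


def trust_store_channel(target, extra_cafile=None):
    """Open a TLS channel that verifies the server against the machine's roots."""
    import grpc  # imported here so the helpers above work without grpcio

    roots = system_roots_pem(extra_cafile)
    # root_certificates=None makes gRPC fall back to its own default roots.
    creds = grpc.ssl_channel_credentials(root_certificates=roots)
    return grpc.secure_channel(target, creds)


if __name__ == "__main__":
    bundle = system_roots_pem()
    count = 0 if bundle is None else bundle.count(b"-----BEGIN CERTIFICATE-----")
    print("roots visible to Python's ssl module:", count)
```

Running the file prints how many roots Python can see; if the corporate CA is not among them, point extra_cafile at the file the sysadmin deploys. gRPC also reads the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable for its default roots.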