Which platform does your client run? Looks like MacOS.
For Linux, we support read from grpc system root store. For MacOS, it is
not support yet -- grpc only reads default root from root pem certificates
shipped with grpc.
However, there are a few other ways to load root certificates. E.g., you
can pass root certificate file through env var
"GRPC_DEFAULT_SSL_ROOTS_FILE_PATH". Or you can
specify grpc_set_ssl_roots_override_callback().
On Monday, October 29, 2018 at 2:02:41 PM UTC-7, Mark Nuttall-Smith wrote:
>
> Hi Lidi,
>
> Yep, that works too - eg. for the Python client:
>
> with open('ca.crt', 'rb') as f:
> creds = grpc.ssl_channel_credentials(f.read())
> channel = secure_channel(host, creds)
>
> Where ca.crt is the same certificate that I imported into the trust store.
>
> However, I don't want to distribute the client certificate with the
> application. In a corporate environment I'd expect a sysadmin to push the
> corporate CA root certificate to the trust store... right?
>
> Cheers, Mark
>
> On Monday, 29 October 2018 20:43:59 UTC+1, [email protected] wrote:
>>
>> Hi Mark,
>>
>> Can you try to add the root certificates to the gRPC client, and see if
>> the warning go away?
>> API for client-side credentials:
>> https://grpc.io/grpc/python/grpc.html#grpc.ssl_channel_credentials
>>
>> Lidi
>>
>> On Monday, October 29, 2018 at 12:25:28 PM UTC-7, Mark Nuttall-Smith
>> wrote:
>>>
>>> Hi,
>>>
>>> I have a gRPC client (C# and Python) using client-side SSL which is
>>> terminated in an Istio ingress gateway (envoy) before reaching the service.
>>>
>>> When using a genuine certificate from LetsEncrypt everything works fine.
>>>
>>> However, when the ingress gateway is configured with a self signed SSL
>>> certificate, generated from a root CA which has been added to the trust
>>> store (keychain/cert-manager) on the client machine, the connection fails:
>>>
>>> E1029 17:01:45.274918000 123145515409408 ssl_transport_security.cc:1229]
>>>> Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL
>>>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
>>>
>>>
>>> Chrome/curl etc will connect to the http services behind the same
>>> ingress gateway without SSL warnings (given that the root CA certificate
>>> has been added to the trust store).
>>>
>>> My question is: should gRPC also be using the trust store for
>>> client-side SSL? If so, any ideas what I might be doing wrong.
>>>
>>> Thanks,
>>> Mark
>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/2f088a10-21a4-459d-bf80-a749f120d22a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
