Did you try supplying the "grpc.ssl_target_name_override" key to the options?
On Tue, Feb 5, 2019 at 4:01 PM jisooh via grpc.io <grpc-io@googlegroups.com> wrote:

> Hello,
>
> We are currently facing an issue with trying to connect our PHP gRPC
> client with SSL to our Java gRPC server. The gRPC service we are trying to
> connect to is running on a service mesh (linkerd/namerd), and the call
> first hits a linkerd instance that routes to the service.
>
> When we run a Java client using the trusted certificate, it is able to
> connect to the server; however, with a Python and PHP client, the SSL
> connection fails even with the same cert.
>
> Java client code:
>
>     ManagedChannel channel = NettyChannelBuilder.forAddress(host, port)
>         .overrideAuthority("cert-common-name")
>         .sslContext(GrpcSslContexts.forClient().trustManager(new File("path/to/cert")).build())
>         .build();
>
> Python code:
>
>     credentials = grpc.ssl_channel_credentials(open('path/to/cert').read())
>     channel = grpc.secure_channel(host + str(port), credentials,
>         options=(('grpc.default_authority', 'cert-common-name',),))
>
> PHP code:
>
>     $channel_credentials = \Grpc\ChannelCredentials::createSsl(
>         file_get_contents('path/to/cert'));
>     $channel = new \Grpc\Channel($hostname,
>         [
>             'grpc_target_persist_bound' => 2,
>             'grpc.default_authority' => 'cert-common-name',
>             'credentials' => $channel_credentials
>         ]);
>
> We are interested in fixing the problem for PHP at the moment. Our PHP
> client runs in a CentOS 7 docker container with nginx + php-fpm.
>
> We have tried to make the OS trust the certificate by using
> update-ca-trust. Running *openssl s_client -connect host:port* returns:
>
>> verify error:num=2:unable to get issuer certificate
>
> We receive the following error when calling the server with the created
> client for PHP:
>
>> ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
>
> With the gRPC logs, we can see that the connection fails when it tries to
> call the security handshake.
>
> We are not sure why the Java client is able to connect to the server while
> the PHP and Python clients cannot with the same cert.
>
> Has anyone run into these issues before? It would be helpful if anyone has
> some information on this as this is currently a high priority blocker for
> us.
>
> Thank you.
>
> --
> You received this message because you are subscribed to the Google Groups
> "grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to grpc-io+unsubscr...@googlegroups.com.
> To post to this group, send email to grpc-io@googlegroups.com.
> Visit this group at https://groups.google.com/group/grpc-io.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com
> <https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.
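
The option named in the reply, applied to the PHP client from the quoted message, as an added example that is not part of the thread or of the gRPC project's code. `connectWithNameOverride` is a hypothetical helper, and `host:port`, `path/to/cert` and `cert-common-name` are the thread's own placeholders.

```php
<?php
// Added example (not from the thread): open a TLS channel whose server
// certificate is checked against $certName instead of the dialed host name,
// and fail fast if the handshake does not complete.

function connectWithNameOverride(
    string $target,
    string $caPemPath,
    string $certName,
    int $timeoutUs
): \Grpc\Channel {
    $rootPem = file_get_contents($caPemPath);
    if ($rootPem === false
        || strpos($rootPem, '-----BEGIN CERTIFICATE-----') === false) {
        throw new \RuntimeException("No PEM certificate found in $caPemPath");
    }

    $channel = new \Grpc\Channel($target, [
        // The PEM passed here is the trust-root set used for verification.
        'credentials' => \Grpc\ChannelCredentials::createSsl($rootPem),
        // Name compared with the certificate's SAN/CN during the handshake.
        'grpc.ssl_target_name_override' => $certName,
        // :authority sent on each call (already set by the thread's clients).
        'grpc.default_authority' => $certName,
    ]);

    // Trigger a connection attempt now so a handshake failure surfaces here
    // rather than on the first RPC.
    $state = $channel->getConnectivityState(true);
    $deadline = \Grpc\Timeval::now()->add(new \Grpc\Timeval($timeoutUs));
    while ($state !== \Grpc\CHANNEL_READY
        && $channel->watchConnectivityState($state, $deadline)) {
        $state = $channel->getConnectivityState();
    }
    if ($state !== \Grpc\CHANNEL_READY) {
        $channel->close();
        throw new \RuntimeException("Connect/TLS failed for $target (state $state)");
    }
    return $channel;
}

// Placeholders from the thread; 5 s deadline is an arbitrary choice.
$channel = connectWithNameOverride('host:port', 'path/to/cert', 'cert-common-name', 5000000);
```

The override changes only which name is compared with the certificate; the chain still has to verify against the PEM given to `createSsl`. gRPC's own header comments describe `grpc.ssl_target_name_override` as intended for testing.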