#1562 closed defect (invalid)

grpc with ssl self-signed certificates fail

Reported by: talkingtab@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.14.x
Keywords: Cc:
uname -a: Linux toy 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.0

Description

I followed this article to enable grpc: https://www.nginx.com/blog/nginx-1-13-10-grpc/
Without ssl I can get grpc to work with nginx.
I can use self-signed certificates and grpc to work to the server directly instead of using nginx. So I know the certificates are good and I know the client is good. When I switch and use nginx, same client, I get an error:
Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

--- nginx config
server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name ootgroups.com www.ootgroups.com;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 50052 http2;
    server_name ootgroups.com;
    ssl_certificate /other/clones/grpc/certs/out/ootgroups.com.crt;
    ssl_certificate_key /other/clones/grpc/certs/out/ootgroups.com.key;
    location /helloworld.Greeter {
        grpc_pass grpc://localhost:50051; #uses h2 with TLS
    }
}
If I remove the ssl_certificate lines and run a client without ssl it works just fine.
--- client.js
'use strict';
const fs = require('fs');
const grpc = require('grpc');

var PROTO_PATH = __dirname + '/helloworld.proto';
var hello_proto = grpc.load(PROTO_PATH).helloworld;
const PORT = 50052;
const cacert = fs.readFileSync('../certs/out/ootkey.com.crt'),
      cert = fs.readFileSync('../certs/out/kbxclient.crt'),
      key = fs.readFileSync('../certs/out/kbxclient.key'),
      kvpair = {
          'private_key': key,
          'cert_chain': cert
      };

// TLS client: CA certificate plus client key and certificate
const creds = grpc.credentials.createSsl(cacert, key, cert);
const client = new hello_proto.Greeter(`ootgroups.com:${PORT}`, creds);
console.log("secure connection established with gRPC server");
// Client without SSL (kept commented out so that `client` is declared only once):
// const client = new hello_proto.Greeter(`ootgroups.com:${PORT}`, grpc.credentials.createInsecure());

hello();

function printResponse(error, response) {
    if (error)
        console.log('Error: ', error);
    else
        console.log(response);
}

function hello() {
    client.sayHello({name: "world"}, function(error, response) {
        printResponse(error, response);
        console.log('Greeting:', response.message);
    });
}

Change History (2)

comment:1 Changed 18 months ago by pluknet

Make sure you've set the ssl parameter of the listen directive to enable SSL mode.
I do not see it in your config snippet.

comment:2 Changed 18 months ago by ru

  • Resolution set to invalid
  • Status changed from new to closed

Also note that to use TLS for backend connection you need to specify the grpcs scheme in grpc_pass.
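
Added example (not part of the ticket and not nginx project code): a small Python lint that applies the two comments above to a config, flagging a server block that sets `ssl_certificate` but whose `listen` has no `ssl` parameter, and reporting the scheme used in `grpc_pass`. The names `server_blocks`, `lint`, `TICKET_CONF` and `FIXED_CONF` are hypothetical, the sample is the ticket's TLS server block reduced to the relevant directives, and the regex-based parsing is a simplification that ignores quoting and includes.

```python
import re

# Constructed sample: the TLS server block from the ticket, relevant directives only.
TICKET_CONF = """
server {
    listen 50052 http2;
    ssl_certificate /other/clones/grpc/certs/out/ootgroups.com.crt;
    ssl_certificate_key /other/clones/grpc/certs/out/ootgroups.com.key;
    location /helloworld.Greeter {
        grpc_pass grpc://localhost:50051;
    }
}
"""
# Same block with both comments applied (grpcs only fits a backend that speaks TLS).
FIXED_CONF = TICKET_CONF.replace("50052 http2", "50052 ssl http2").replace("grpc://", "grpcs://")


def server_blocks(conf):
    """Yield the body of each server { ... } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (naive: ignores quoting)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def lint(conf):
    """Return a list of TLS mismatch findings for the given nginx config text."""
    findings = []
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        has_cert = re.search(r"\bssl_certificate\s", body) is not None
        for args in listens:
            if has_cert and "ssl" not in args.split():
                findings.append(f"listen {args}: ssl_certificate is set but listen "
                                "lacks 'ssl', so this port does not speak TLS")
        for scheme, target in re.findall(r"\bgrpc_pass\s+(grpcs?)://([^;\s]+)", body):
            if scheme == "grpc":
                findings.append(f"grpc_pass {target}: 'grpc' scheme is cleartext to the "
                                "backend; use 'grpcs' if the backend expects TLS")
    return findings


if __name__ == "__main__":
    for name, conf in (("ticket", TICKET_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or "no findings")
```

A TLS client connecting to a port that answers in cleartext is what produces the `wrong version number` handshake error quoted in the description.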
