Opened 6 years ago

Closed 6 years ago

#1562 closed defect (invalid)

grpc with ssl self-signed certificates fail

Reported by: talkingtab@…
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.14.x
Keywords:
Cc:
uname -a: Linux toy 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.0


I followed this article to enable grpc:
Without ssl I can get grpc to work with nginx.
I can use self-signed certificates and grpc to work to the server directly instead of using nginx. So I know the certificates are good and I know the client is good. When I switch and use nginx, same client, I get an error:
Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

--- nginx config
server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 50052 http2;
    ssl_certificate /other/clones/grpc/certs/out/;
    ssl_certificate_key /other/clones/grpc/certs/out/;
    location /helloworld.Greeter {
        grpc_pass grpc://localhost:50051; #uses h2 with TLS
    }
}

If I remove the ssl_certificate lines and run a client without ssl it works just fine.
--- client.js
'use strict';
const fs = require('fs');
const grpc = require('grpc');

var PROTO_PATH = __dirname + '/helloworld.proto';
var hello_proto = grpc.load(PROTO_PATH).helloworld;
const PORT = 50052;
const cacert = fs.readFileSync('../certs/out/'),
      cert = fs.readFileSync('../certs/out/kbxclient.crt'),
      key = fs.readFileSync('../certs/out/kbxclient.key'),
      kvpair = {
        'private_key': key,
        'cert_chain': cert
      };

// TLS client: CA certificate plus client key and certificate.
// The host part of the target address is not shown in the ticket.
const creds = grpc.credentials.createSsl(cacert, key, cert);
const client = new hello_proto.Greeter(`${PORT}`, creds);
console.log("secure connection established with gRPC server");
// Plaintext alternative (only one client declaration can be active):
// const client = new hello_proto.Greeter(`${PORT}`, grpc.credentials.createInsecure());

function printResponse(error, response) {
  if (error)
    console.log('Error: ', error);
}

function hello() {
  client.sayHello({name: "world"}, function(error, response) {
    printResponse(error, response);
    console.log('Greeting:', response.message);
  });
}

Change History (2)

comment:1 by Sergey Kandaurov, 6 years ago

Make sure you've set the ssl parameter of the listen directive to enable SSL mode.
I do not see it in your config snippet.

comment:2 by Ruslan Ermilov, 6 years ago

Resolution: invalid
Status: new → closed

Also note that to use TLS for backend connection you need to specify the grpcs scheme in grpc_pass.
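
A small check for the two points raised in the comments above, added here as an example (it is not code from the ticket or from nginx): it scans nginx configuration text for a server block that sets ssl_certificate while a listen directive lacks the ssl parameter, and for grpc_pass targets that use the plaintext grpc:// scheme. The sample config is constructed, its certificate paths are placeholders, and the function names and finding labels are hypothetical.

```python
import re

# Constructed sample modelled on the ticket's second server block;
# the certificate paths are placeholders, not values from the ticket.
SAMPLE = """
server {
    listen 50052 http2;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;
    location /helloworld.Greeter {
        grpc_pass grpc://localhost:50051; #uses h2 with TLS
    }
}
"""

def server_blocks(conf):
    """Yield the body of each 'server { ... }' block (naive: no quoted '#', '{' or '}')."""
    conf = re.sub(r"#[^\n]*", "", conf)              # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:               # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def lint(conf):
    """Return (finding, detail) tuples; finding names are hypothetical labels."""
    findings = []
    for body in server_blocks(conf):
        directives = [d.split() for d in re.split(r"[;{}]", body) if d.split()]
        has_cert = any(d[0] == "ssl_certificate" for d in directives)
        ssl_on = ["ssl", "on"] in directives         # legacy 'ssl on;' also enables TLS
        for d in directives:
            args = d[1:]
            # Certificate configured, but this socket was never switched to TLS:
            # nginx answers in plaintext and TLS clients fail the handshake.
            if d[0] == "listen" and has_cert and not ssl_on and "ssl" not in args:
                findings.append(("listen-without-ssl", " ".join(args)))
            # grpc:// is cleartext HTTP/2 to the backend; grpcs:// is needed for TLS.
            if d[0] == "grpc_pass" and args and args[0].startswith("grpc://"):
                findings.append(("plaintext-backend", args[0]))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The plaintext-backend finding is informational: grpc:// is correct when the backend itself listens without TLS.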
