Opened 7 years ago
Closed 7 years ago
#1562 closed defect (invalid)
grpc with ssl self-signed certificates fail
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.14.x |
| Keywords: | | Cc: | |
| uname -a: | Linux toy 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | nginx version: nginx/1.14.0 | | |
Description
I followed this article to enable grpc: https://www.nginx.com/blog/nginx-1-13-10-grpc/
Without ssl I can get grpc to work with nginx.
I can use self-signed certificates and get grpc to work with the server directly instead of using nginx. So I know the certificates are good and I know the client is good. When I switch and use nginx, same client, I get an error:
Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
--- nginx config
    server {
        listen 80;
        listen [::]:80;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name ootgroups.com www.ootgroups.com;
        location / {
            try_files $uri $uri/ =404;
        }
    }
    server {
        listen 50052 http2;
        server_name ootgroups.com;
        ssl_certificate /other/clones/grpc/certs/out/ootgroups.com.crt;
        ssl_certificate_key /other/clones/grpc/certs/out/ootgroups.com.key;
        location /helloworld.Greeter {
            grpc_pass grpc://localhost:50051; #uses h2 with TLS
        }
    }
If I remove the ssl_certificate lines and run a client without ssl it works just fine.
--- client.js
    'use strict';
    const fs = require('fs');
    const grpc = require('grpc');
    var PROTO_PATH = __dirname + '/helloworld.proto';
    var hello_proto = grpc.load(PROTO_PATH).helloworld;
    const PORT = 50052;
    // CA certificate plus client certificate and key
    const cacert = fs.readFileSync('../certs/out/ootkey.com.crt'),
          cert = fs.readFileSync('../certs/out/kbxclient.crt'),
          key = fs.readFileSync('../certs/out/kbxclient.key'),
          kvpair = {
              'private_key': key,
              'cert_chain': cert
          };
    // TLS client: createSsl(root certs, private key, certificate chain)
    const creds = grpc.credentials.createSsl(cacert, key, cert);
    const client = new hello_proto.Greeter(`ootgroups.com:${PORT}`, creds);
    console.log("secure connection established with gRPC server");
    // Client without ssl, used when the ssl_certificate lines are removed from nginx:
    // const client = new hello_proto.Greeter(`ootgroups.com:${PORT}`, grpc.credentials.createInsecure());
    hello();
    function printResponse(error, response) {
        if (error)
            console.log('Error: ', error);
        else
            console.log(response);
    }
    function hello() {
        client.sayHello({name: "world"}, function(error, response) {
            printResponse(error, response);
            // response is undefined when the call fails
            if (!error)
                console.log('Greeting:', response.message);
        });
    }
Change History (2)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Also note that to use TLS for backend connection you need to specify the grpcs scheme in grpc_pass.
Make sure you've set the ssl parameter of the listen directive to enable SSL mode.
I do not see it in your config snippet.
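A small check for the two points raised in the comments, as an added example that is not part of the ticket or of nginx: it flags a server block that sets ssl_certificate while its listen line lacks the ssl parameter, and a grpc_pass that uses the plaintext grpc:// scheme (a problem only when the backend expects TLS). The function and rule names are illustrative, the sample config is constructed from the ticket's snippet, and the parser assumes no `#` or braces inside quoted strings.

```javascript
'use strict';
// Constructed sample mirroring the ticket's gRPC server block.
const SAMPLE = `
server {
    listen 50052 http2;
    server_name ootgroups.com;
    ssl_certificate     /other/clones/grpc/certs/out/ootgroups.com.crt;
    ssl_certificate_key /other/clones/grpc/certs/out/ootgroups.com.key;
    location /helloworld.Greeter {
        grpc_pass grpc://localhost:50051; #uses h2 with TLS
    }
}`;

// Return the body of every `server { ... }` block, found by brace matching.
function serverBlocks(conf) {
  const text = conf.replace(/#.*$/gm, '');        // naive comment strip
  const blocks = [];
  const re = /\bserver\s*\{/g;
  for (let m; (m = re.exec(text)) !== null; ) {
    let depth = 1, i = re.lastIndex;
    while (i < text.length && depth > 0) {
      if (text[i] === '{') depth++;
      else if (text[i] === '}') depth--;
      i++;
    }
    blocks.push(text.slice(re.lastIndex, i - 1));
    re.lastIndex = i;
  }
  return blocks;
}

// Report listeners that have a certificate but no TLS, and plaintext gRPC upstreams.
function lintTls(conf) {
  const findings = [];
  serverBlocks(conf).forEach((body, idx) => {
    const hasCert = /\bssl_certificate\s+[^;]+;/.test(body);
    const sslOn = /\bssl\s+on\s*;/.test(body);     // legacy `ssl on;` directive
    for (const [, args] of body.matchAll(/\blisten\s+([^;]+);/g)) {
      const tls = sslOn || args.trim().split(/\s+/).includes('ssl');
      if (hasCert && !tls)
        findings.push({ server: idx, rule: 'cert-without-ssl-listen', detail: args.trim() });
    }
    for (const [, target] of body.matchAll(/\bgrpc_pass\s+([^;\s]+)/g)) {
      if (target.startsWith('grpc://'))
        findings.push({ server: idx, rule: 'plaintext-upstream', detail: target });
    }
  });
  return findings;
}
console.log(lintTls(SAMPLE));
```

With `listen 50052 ssl http2;` and a `grpcs://` upstream, the same block produces no findings.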