ssl not working with test certs
dougcooper opened this issue · 2 comments
Problem description
I'm trying to validate a csharp grpc web backend using a simple node client and I get an error `Error: unable to verify the first certificate`. I'm using grpc-node test certificate data. The code works fine in a browser after accepting the self-signed warning. The backend is on a separate server.
Reproduction steps
- load the server key and cert on the backend
- verify existing functionality works so I know the keys are good
- on the node client I load the ca and make the connection
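```js
const fs = require('fs');
const grpc = require('grpc');
// FooClient and FooRequest come from the generated stubs for the service.

// Pass the test CA as the root certificate for this channel.
const creds = grpc.credentials.createSsl(
  fs.readFileSync('./certs/ca.pem'),
);
const fooClient = new FooClient("some_url", creds);
const fooRequest = new FooRequest();
fooClient.FooMethod(fooRequest, {}, (err, resp) => {
  if (err) {
    return; // ERROR
  }
});
```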
Environment
- OS -> windows 11
- Node version ->16.19.1
- Node installation method -> nvm
- Package name and version -> "grpc": "^1.24.11", "grpc-web": "^1.5.0",
Additional context
First, the `grpc` package is deprecated and at this point hasn't been updated in years. I strongly recommend switching to `@grpc/grpc-js`.
Second, test certificates like that are actually different from regular certificates in two ways that require additional code to handle. First, they do not use a standard certificate authority. That's why you need to pass the contents of the `ca.pem` file to the `createSsl` call. Second, certificates specify a subject domain name, and they are only considered valid if that domain name is the one the client is trying to connect to. It is unlikely that your "some_url" matches the subject domain name from our test certificates, so in order to make it work, you need to set two client options both with a value equal to the subject domain name (or one of the subject alternative names): `grpc.ssl_target_name_override` and `grpc.default_authority`. You could probably figure out what value you need from looking around our test code, but you would be better off creating your own test certificates.
However, this Stack Overflow answer indicates that the error you are seeing is actually about a problem with the CA certificates. You should verify that the certificates and keys you are using on the server are the correct test certificates.
I appreciate the detailed response. I'll incorporate your feedback and continue testing. I hope this helps others with a naive understanding of certs xP ...closing.
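The name-matching rule from the reply above, as an added example that is not part of the original thread or of grpc-node: it decides whether a target needs `grpc.ssl_target_name_override` and `grpc.default_authority`, and rejects an override name the certificate does not cover. It uses Node's built-in `tls.checkServerIdentity` as a stand-in for the client's hostname check; the certificate names, hostnames and helper functions are constructed for illustration, and it does not cover the separate CA chain check.

```javascript
const tls = require('node:tls');

// Constructed identity fields, in the shape TLSSocket#getPeerCertificate()
// returns. These are NOT the names from the grpc-node test certificates.
const SAMPLE_CERT = {
  subject: { CN: 'svc.test.example' },
  subjectaltname: 'DNS:*.test.example, DNS:svc.test.example',
};

// Reduce a gRPC target ("dns:///host:port", "host:port") to the bare host.
// Assumes hostnames or IPv4 literals, not IPv6 (hypothetical helper).
function hostOf(target) {
  return target.replace(/^[a-z][a-z0-9+.-]*:\/\/\/?/i, '').replace(/:\d+$/, '');
}

// Error code of the name check, or null when the certificate covers `host`.
function nameMismatch(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.code : null;
}

// Channel options needed to reach `target` when the server presents `cert`.
// Returns {} if the dialed name already matches; throws if `overrideName`
// is itself not covered by the certificate, since the override would then
// fail in the same way as the original name.
function channelOptionsFor(target, cert, overrideName) {
  if (nameMismatch(hostOf(target), cert) === null) return {};
  const err = tls.checkServerIdentity(overrideName, cert);
  if (err) throw err;
  return {
    'grpc.ssl_target_name_override': overrideName,
    'grpc.default_authority': overrideName,
  };
}

// With the client from the issue (not executed here):
//   const opts = channelOptionsFor('some_url', SAMPLE_CERT, 'svc.test.example');
//   const fooClient = new FooClient('some_url', creds, opts);
```

The override makes the client check the certificate against a name other than the one it dialed, so it belongs in test setups only.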