Python "Peer name x.x.x.x is not in peer certificate"

Question

Python "Peer name x.x.x.x is not in peer certificate"

san213 opened this issue 4 years ago · 5 comments

I am trying to connect to nginx ingress remotely from my local through grpc python client. I am using self signed certificate. I want to use IP to connect to ingress. I do not have hostname or dns.

I generated the key and cert pair using the below command and attached the key and cert to ingress controller and using the same cert in the grpc client code.

Command to generate key and cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"

grpc client code

def generate_and_send_message(self):
cert = None
key = None
cacert = None
cert = open('client.cert', 'rb').read()
cred = grpc.ssl_channel_credentials(root_certificates=cert, private_key=None, certificate_chain=None)

Output:

I0225 00:43:48.395631000 123145309118464 subchannel.cc:964] I0225 00:43:49.943328000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:49.943381000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:49.943393000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454432000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454500000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454508000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454539000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454664000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454676000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454680000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.454684000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.455099000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.455113000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.455196000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.455217000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.967219000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.967272000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.967312000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.967338000 123145308581888 ssl_transport_security.cc:217] I0225 00:43:50.967349000 123145308581888 ssl_transport_security.cc:217] D0225 00:43:50.967464000 123145308581888 security_handshaker.cc:186] Failed to connect to channel, retrying
HANDSHAKE START - TLS client start_connect - !!!!!!
LOOP - TLS client enter_early_data - !!!!!!
LOOP - TLS client read_server_hello - !!!!!!
LOOP - TLS client read_server_certifi - !!!!!!
LOOP - TLS client read_certificate_st - !!!!!!
LOOP - TLS client verify_server_certi - !!!!!!
LOOP - TLS client read_server_key_exc - !!!!!!
LOOP - TLS client read_certificate_re - !!!!!!
LOOP - TLS client read_server_hello_d - !!!!!!
LOOP - TLS client send_client_certifi - !!!!!!
LOOP - TLS client send_client_key_exc - !!!!!!
LOOP - TLS client send_client_certifi - !!!!!!
LOOP - TLS client send_client_finishe - !!!!!!
LOOP - TLS client finish_flight - !!!!!!
LOOP - TLS client read_session_ticket - !!!!!!
LOOP - TLS client process_change_ciph - !!!!!!
LOOP - TLS client read_server_finishe - !!!!!!
LOOP - TLS client finish_client_hands - !!!!!!
LOOP - TLS client done - !!!!!!
HANDSHAKE DONE - TLS client done - !!!!!!
Security handshake failed: {"created":"@1582571630.967438000","description":"Peer name x.x.x.x is not in peer certificate","file":"src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":55}

Can you please suggest how to make this work?

Answer 1 · 2020-02-24T19:16:34.000Z

I used this to generate key and cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=x.x.x.x/subjectAltName=IP:x.x.x.x"

Answer 2 · 2020-02-24T20:43:16.000Z

The failure is due to hostname check.

There are two ways to address your issue

Use GRPC_SSL_TARGET_NAME_OVERRIDE_ARG as channel arg.
We have a new TLS credentials in gRPC (only in C++ for now). It has an option called GRPC_TLS_SKIP_HOSTNAME_VERIFICATION.

@ZhenLian or @yihuazhang can help you with details.

Answer 3 · 2020-02-25T06:30:05.000Z

Can you please ping the steps on using towards the first approach with an example? I could not find any example. @ZhenLian @yihuazhang

Answer 4 · 2020-02-25T12:14:15.000Z

I used the first approach - Use GRPC_SSL_TARGET_NAME_OVERRIDE_ARG as channel arg. This solved the issue.

I added localhost as CN and IP in the SAN and used the below in my python code to make it work.

cert_cn = "localhost" # or parse it out of the cert data
options = (('grpc.ssl_target_name_override', cert_cn,),)
grpc.secure_channel(self.opta_url, cred, options) as channel

Answer 5 · 2020-02-25T22:27:32.000Z

@san213
Thanks for letting us know and sharing the solution. Feel free to reach out if you have any other questions :-)