5

I am trying to spin up a gRPC server with TLS enabled in a Docker container on pods, but I am getting the error below during server startup.

I am referring to https://github.com/grpc/grpc-java/blob/master/SECURITY.md#transport-security-tls

Java: jdk1.8.0_131
OpenSSL version: OpenSSL 1.0.1e-fips

Exception:

*Exception in thread "main" java.lang.IllegalArgumentException: Jetty ALPN/NPN has not been properly configured.
        at io.grpc.netty.GrpcSslContexts.selectApplicationProtocolConfig(GrpcSslContexts.java:174)
        at io.grpc.netty.GrpcSslContexts.configure(GrpcSslContexts.java:151)
        at io.grpc.netty.GrpcSslContexts.configure(GrpcSslContexts.java:139)
        at io.grpc.netty.GrpcSslContexts.forServer(GrpcSslContexts.java:119)
        at io.grpc.netty.NettyServerBuilder.useTransportSecurity(NettyServerBuilder.java:377)
        at io.grpc.netty.NettyServerBuilder.useTransportSecurity(NettyServerBuilder.java:63)*

I also want to know how I can test the OpenSSL approach locally.

This is how I am trying to run the jar: java -jar -Denv=e1 app.jar

Below are the additional gRPC-related POM dependencies, specific to gRPC, that I have in my POM:

--- extension ---

   <extensions>
        <extension>
            <groupId>kr.motd.maven</groupId>
            <artifactId>os-maven-plugin</artifactId>
            <version>1.4.0.Final</version>
        </extension>
    </extensions>

--- plugin ---

<plugin>
    <groupId>org.xolstice.maven.plugins</groupId>
    <artifactId>protobuf-maven-plugin</artifactId>
    <version>0.5.0</version>
    <configuration>
        <protocArtifact>com.google.protobuf:protoc:3.2.0:exe:${os.detected.classifier}</protocArtifact>
        <pluginId>grpc-java</pluginId>
        <pluginArtifact>io.grpc:protoc-gen-grpc-java:1.3.0:exe:${os.detected.classifier}</pluginArtifact>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>compile</goal>
                <goal>compile-custom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

--- dependencies ---

<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-netty</artifactId>
    <version>1.3.0</version>
</dependency>
<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-protobuf</artifactId>
    <version>1.3.0</version>
</dependency>
<dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-stub</artifactId>
    <version>1.3.0</version>
</dependency>
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative-boringssl-static</artifactId>
    <version>2.0.1.Final</version>
</dependency>

Can the OpenSSL / JDK version be the problem?

Nitin Lodhe

2 Answers

1

You need to add a dependency on Netty TCNative in order to get a correct security dependency. From the SECURITY.md file for gRPC, you need to add the following:

<project>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-tcnative-boringssl-static</artifactId>
      <version>1.1.33.Fork26</version>
    </dependency>
  </dependencies>
</project>

Note that this will change in the upcoming 1.4 release of gRPC to point to netty-tcnative-parent-2.0.1.Final.

Carl Mastrangelo
  • Thanks Carl, it worked. I was trying to use the latest version of netty-tcnative-boringssl-static. I am trying to create a Node.js client for this server but am getting errors: ssl_transport_security.c:628] Invalid cert chain file ssl_transport_security.c:601] Could not load any root certificate. Please point me to a good example to build a Node.js client – Nitin Lodhe May 17 '17 at 23:48
  • That should probably go into its own separate question. – Carl Mastrangelo May 18 '17 at 00:41

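A way to check locally which TLS provider gRPC will get, as an added example that is not part of the original question or answers: it asks Netty whether netty-tcnative loaded and prints the cause if it did not, then builds the server with the OpenSSL provider pinned so that a wrong tcnative dependency fails at startup with a clear cause. The class name, port 8443 and the default file names server.crt and server.pem are assumptions.

```java
import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import java.io.File;

public final class TlsProviderCheck {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: PEM certificate chain and PKCS#8 PEM private key.
        File certChain = new File(args.length > 0 ? args[0] : "server.crt");
        File privateKey = new File(args.length > 1 ? args[1] : "server.pem");

        // netty-tcnative ships a native library. If the jar is absent, built for a
        // different platform, or does not match the Netty version that grpc-netty
        // pulls in, isAvailable() is false and the cause explains why.
        if (!OpenSsl.isAvailable()) {
            Throwable cause = OpenSsl.unavailabilityCause();
            System.err.println("netty-tcnative is not usable: " + cause);
            if (cause != null) {
                cause.printStackTrace();
            }
            System.exit(1);
        }

        // Reports the library tcnative actually loaded, not the system openssl binary.
        System.out.println("TLS library: " + OpenSsl.versionString());
        System.out.println("ALPN supported: " + OpenSsl.isAlpnSupported());

        // Pin the provider explicitly instead of letting gRPC auto-select one.
        SslContextBuilder builder = SslContextBuilder.forServer(certChain, privateKey);
        SslContext sslContext =
                GrpcSslContexts.configure(builder, SslProvider.OPENSSL).build();

        // No services are registered; this only proves the TLS listener starts.
        Server server = NettyServerBuilder.forPort(8443)
                .sslContext(sslContext)
                .build()
                .start();
        System.out.println("gRPC TLS listener started on port 8443");
        server.shutdownNow();
    }
}
```

Run it with the same classpath as the application (for example inside the same container image), since the result depends on which netty-tcnative jar and platform classifier are actually present there.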
0

Although this question has been answered, I was in a similar situation until today, as I was not able to start the (embedded) Jetty server.

This solution might help someone who is using a Spring Boot application with an embedded Jetty server.

The following should be the entries in the pom.xml file.

<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative</artifactId>
    <version>2.0.6.Final</version>
    <classifier>${os.detected.classifier}</classifier>
</dependency>
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative-boringssl-static</artifactId>
    <version>2.0.6.Final</version>
    <classifier>${os.detected.classifier}</classifier>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.mortbay.jetty.alpn</groupId>
    <artifactId>alpn-boot</artifactId>
    <version>8.1.11.v20170118</version>
</dependency>
<dependency>
    <groupId>org.eclipse.jetty.alpn</groupId>
    <artifactId>alpn-api</artifactId>
    <version>1.1.3.v20160715</version>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jetty</artifactId>
</dependency>

The version of alpn-boot should be dependent on the JDK that you use. Please refer to the following link for checking the version: http://www.eclipse.org/jetty/documentation/current/alpn-chapter.html#alpn-versions

Once this is done, rebuild your project and add the following entry to your JVM arguments if you are using STS to start the Spring Boot application.

java -Xbootclasspath/p:%path_to_alpn_boot_jar%

And then start the server and it should work.

Thanks.

Nayan