
I have a Golang GRPC running on computer A.

(Just for reference)

package main

import (
    "log"
    "net"

    "google.golang.org/grpc"
    "google.golang.org/grpc/credentials"
)

func main() {
    // gRPC server setup: load the server certificate and its private key.
    certFile := "ssl/server.crt"
    keyFile := "ssl/server.pem"

    creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
    if err != nil {
        log.Fatalf("failed to load TLS credentials: %v", err)
    }
    opts := grpc.Creds(creds)

    go func() {
        listen, err := net.Listen("tcp", ":50051")
        if err != nil {
            log.Fatalf("failed to listen: %v", err)
        }
        s := grpc.NewServer(opts)
        if err := s.Serve(listen); err != nil {
            log.Fatalf("failed to serve: %v", err)
        }
    }()

    select {} // keep main alive so the serving goroutine keeps running
}

I have a Python client on computer B.

import grpc

# The client trusts the server certificate itself as its root.
with open("ssl/server.crt", "rb") as fp:
    root_cert = fp.read()

creds = grpc.ssl_channel_credentials(
    root_certificates=root_cert,
)
channel = grpc.secure_channel("192.168.1.86:50051", creds)

I can connect insecurely. No issues there.

But while using SSL it is failing. (I lack knowledge on how SSL works).

Error: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNAVAILABLE
    details = "failed to connect to all addresses"
    debug_error_string = "{"created":"@1635930204.264242615","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3008,"referenced_errors":[{"created":"@1635930204.264231254","description":"failed to connect to all addresses","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":397,"grpc_status":14}]}"

This is the file (instructions.sh) I use to generate SSL certificates.

#!/bin/bash

SERVER_CN=localhost

openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
openssl req -passin pass:1111 -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=${SERVER_CN}"
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/CN=${SERVER_CN}"
openssl x509 -req -passin pass:1111 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl pkcs8 -topk8 -nocrypt -passin pass:1111 -in server.key -out server.pem

Also it would've been a huge help if someone could point out if I'm using the certificate files appropriately.

Thank you.

  • Does your local network support DNS? Can you use a name for Computer A rather than an IP address? It's possible, just more complex, to issue certificates for machines referenced by their IP address than it is to use domain names. You can hack (!) this, if you're using Linux, by associating an IP address with a name (of your choosing) in Computer B's (!) `/etc/hosts` **but** you'll need to manually change this every time the IP address of Computer A changes. – DazWilkin Nov 03 '21 at 16:09
  • You're issuing a certificate for Computer A and naming it `localhost` which is fine for self-signed certs (what you're doing) but it won't be the name for this machine as known by Computer B. Computer B calls itself `localhost`. If you give Computer B a name (see above), you could use that name as the `/CN=${NAME}`. – DazWilkin Nov 03 '21 at 16:11
  • If you want to use IP addresses, search for issuing self-signed certs using IP addresses. You'll need to create a Subject Alternate Name (SAN) section to use with openssl. – DazWilkin Nov 03 '21 at 16:11
  • For the `StatusCode.UNAVAILABLE`. Can you ping `192.168.1.86` from Computer B? Can you `tn 192.168.1.86 50051`? Even if you only get garbage? Those would help determine whether that IP and port are serving. Another useful tool is [gRPCurl](https://github.com/fullstorydev/grpcurl). You can use this to test a server **knowing** that the client works. – DazWilkin Nov 03 '21 at 16:13
  • To generate a crt|key pair for `localhost` (see above), you **should** be able to: `openssl req -x509 -newkey rsa:2048 -keyout ./localhost.key -out ./localhost.crt -nodes -days 365 -subj "/CN=localhost"` – DazWilkin Nov 03 '21 at 16:17
  • Hi DazWilkin, thanks a lot for helping me out through those comments. It worked. I set up a DNS proxy in my router but since I was connected through the repeater it wasn't working. Then I followed these steps (https://support.strongvpn.com/hc/en-us/articles/360038982774-How-to-Change-DNS-in-Linux) to expose the server to my system. And made changes to the instruction.sh file. – Prince Leo Nov 08 '21 at 15:30
  • Could you add this as the solution so I can accept it, if that might give you points or help you in any way? – Prince Leo Nov 08 '21 at 15:33
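The comments boil down to one point: the certificate generated by instructions.sh is only valid for the name `localhost`, while the Python client dials `192.168.1.86`, so hostname verification cannot succeed. The script below is an added example (not the question's instructions.sh and not DazWilkin's command) that issues a CA-signed server certificate whose Subject Alternative Name covers both a DNS name and the raw IP, and checks it the way a TLS client would. The CA name `demo-ca`, the hostname `server-a.lan` and the output directory are placeholders; the Python client would then trust `ca.crt` rather than `server.crt` as its root.

```shell
#!/bin/bash
# Added example: private CA + server certificate with a SAN covering both a
# DNS name and an IP address, then client-style verification of the result.
# CA name, paths and hostnames are placeholders chosen for this demo.
set -eu

# gen_server_cert <outdir> <dns-name> <ip-address>
# Writes ca.crt, ca.key, server.crt, server.key and server.pem (PKCS#8) to <outdir>.
gen_server_cert() {
    local out="$1" name="$2" ip="$3"
    mkdir -p "$out"
    # Private CA; clients trust ca.crt as their root, the CA key stays off the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$out/ca.key" -out "$out/ca.crt" -subj "/CN=demo-ca" 2>/dev/null
    # Server key and CSR. Modern clients ignore the CN; only the SAN is matched.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$out/server.key" -out "$out/server.csr" -subj "/CN=${name}" 2>/dev/null
    # Sign with the CA and stamp the SAN extension onto the leaf certificate.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$name" "$ip" > "$out/san.cnf"
    openssl x509 -req -days 365 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/san.cnf" -out "$out/server.crt" 2>/dev/null
    # PKCS#8 form of the key, matching what NewServerTLSFromFile reads from server.pem.
    openssl pkcs8 -topk8 -nocrypt -in "$out/server.key" -out "$out/server.pem"
}

# cert_matches <outdir> <hostname-or-ip>
# Succeeds only when server.crt chains to ca.crt AND its SAN covers the target:
# the same two checks the gRPC client performs before the channel becomes usable.
cert_matches() {
    local out="$1" target="$2"
    if printf '%s' "$target" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        openssl verify -CAfile "$out/ca.crt" -verify_ip "$target" \
            "$out/server.crt" >/dev/null 2>&1 || return 1
    else
        openssl verify -CAfile "$out/ca.crt" -verify_hostname "$target" \
            "$out/server.crt" >/dev/null 2>&1 || return 1
    fi
    return 0
}
```

Running `gen_server_cert ssl server-a.lan 192.168.1.86` and then `cert_matches ssl 192.168.1.86` reproduces the client's decision offline: it succeeds for the IP and DNS name in the SAN and fails for `localhost`, which is exactly why the original certificate was rejected.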

0 Answers