GRPC.STUB connect loops on this error: `CLIENT ALERT: Fatal - Unknown CA`

KoeusIss commented 8 months ago

Describe the bug After upgrade Elixir and Erlang to the latest version connecting to a GRPC channel produce: [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2138 generated CLIENT ALERT: Fatal - Unknown CA.

To Reproduce Steps to reproduce the behavior:

Expected behavior A clear and concise description of what you expected to happen.

Logs If applicable, add logs to help explain your problem.

Protos If applicable, add protos to help explain your problem.

Versions:

OS: macOS Sonoma
Erlang: 26.1.2
Elixir: 1.15.7-otp-26

mix.lock(grpc, gun, cowboy, cowlib):

:grpc, "0.7.0"
:gun, "2.0.1"
:mint, "1.5.1"

Additional context Add any other context about the problem here.

KoeusIss commented 8 months ago

With more investigation the issue seems occur when verify: :verify_peer is enabled.

GRPC.Credential.new(ssl: [cacertfile: get_certificate(), verify: :verify_peer])

Nothing occur if I switch to :verify_none.

polvalente commented 8 months ago

Just so you know, this looks like a certificate chain issue. I think that if your certificate is self-signed or signed by an unknown/untrusted authority, then :verify_peer will error out

elixir-grpc / grpc

GRPC.STUB connect loops on this error: `CLIENT ALERT: Fatal - Unknown CA` #333