fullstorydev / grpcurl

Like cURL, but for gRPC: Command-line tool for interacting with gRPC servers
MIT License

x509: certificate signed by unknown authority #359

Open cavator opened 1 year ago

cavator commented 1 year ago

I followed these commands from real-python:

```shell
openssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.pem -subj /O=me
openssl req -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj /CN=recommendations
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -set_serial 1 -out server.pem
```

and I can't connect to the server:

```shell
grpcurl -cacert=ca.pem -d='{"id":""}' user-service:443 app.xis.User/GetUser
```

I even tried

```shell
grpcurl -cacert=ca.pem -cert=./user/server.pem -key=./user/server.key -d='{"id":""}' user-service:443 app.xis.User/GetUser
```

I don't know what's happening, could anyone help me?

jhump commented 1 year ago

What is the error you are getting? Is your server requiring client certificates? If not, does grpcurl work when using the -insecure flag? If not, what error are you getting with -insecure?

Those openssl commands look correct. Is it possible the server is not correctly configured to use the given server.key and server.pem?

cavator commented 1 year ago

This is how my .py server is:

```python
import asyncio
import logging
import os
from concurrent import futures

import grpc

# Connection, db_connect, AsyncExceptionToStatusInterceptor, add_UserServicer_to_server
# and UserService come from the project's own modules (not shown in the issue).


async def serve() -> None:
    conn: Connection = await db_connect()
    interceptors = [AsyncExceptionToStatusInterceptor()]
    server = grpc.aio.server(futures.ThreadPoolExecutor(max_workers=10), interceptors=interceptors)
    add_UserServicer_to_server(UserService(conn), server)
    # PEM bytes are read from the environment; ssl_server_credentials takes (private_key, cert_chain) pairs
    srv_key = os.getenvb(b'SERVER-KEY')
    srv_cert = os.getenvb(b'SERVER-CERT')
    creds = grpc.ssl_server_credentials([(srv_key, srv_cert)])
    listen_addr = '[::]:443'
    server.add_secure_port(listen_addr, creds)
    logging.info('Starting server on %s', listen_addr)
    await server.start()
    await server.wait_for_termination()
    await conn.close()


if __name__ == '__main__':
    asyncio.run(serve())
```

and when I try to reach the server I get this error:

```
Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
```

I don't know what it could possibly be, or whether the cert code is outdated, but these are the generated certs:


and here is how I was requesting the server:

```shell
grpcurl -insecure -cacert=ca.pem -d='{"id":""}' -proto=../proto/user.proto user-service-ip app.derole.User/GetUser
```

I don't think insecure is the right way to call it, but it was the only way to not get the unknown authority error. That's what I can do; I'm a noob in this topic, I'm just trying to make things work.

PS: my server is a gcloud run service, this is the Dockerfile:

```dockerfile
FROM gcr.io/google_appengine/python

RUN virtualenv -p python3.7 /env

ENV VIRTUAL_ENV /env
ENV PATH /env/bin:$PATH

RUN mkdir /user
COPY grpc/py/user/ /user/

WORKDIR /user
RUN pip install -r requirements.txt
RUN apt-get install -y libpq5

EXPOSE 443

ENTRYPOINT ["python", "-u", "./user.py"]
```

If needed I can send everything required to reproduce this scenario, even a step-by-step guide on how to upload the Cloud Run service.

jhump commented 1 year ago

This does not look like an error from grpcurl since grpcurl is implemented in Go, which does not use openssl:

```
Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
```

I'm guessing this is an error printed from your server? Does this happen when your server starts up or when you issue the grpcurl command?

I found this issue for gRPC Python about this message: https://github.com/grpc/grpc/issues/9538. The comments in there suggest this could happen if the client is somehow connecting via plaintext. Is it possible you are using a proxy or something in between the client and server that could cause this?

> i don't think insecure it's the right way to call it, but it was the way to not get the unknown authority error

Indeed, that is not the way to call it since it is not secure. I suggested using it for troubleshooting reasons. If that works, then the issue isn't related to client certs. So the issue is because the server is not actually using a cert signed by the given -cacert, which makes me again wonder if there is some sort of proxy in between.

cavator commented 1 year ago

I have no idea about proxies; as I said, I'm really stupid in this topic. I'm just trying to upload my service to Cloud Run, put it on port 443 so it's TLS, and do my calls. If you know any tutorial on how to set TLS up right...

jhump commented 1 year ago

I think you need to investigate more regarding TLS and Cloud Run. IIUC, it does set up a proxy, in the form of an HTTP load balancer in front of your service. So the load balancer may be using plaintext to communicate with your backend server, and the load balancer would need to be configured separately for what TLS certificates it should use. So I don't think this is a grpcurl issue.
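A small diagnostic, added here as an example and not part of grpcurl or the issue author's code: it peeks at the first bytes a peer sends on a port and reports whether they look like a TLS ClientHello or the plaintext HTTP/2 preface that a TLS-terminating load balancer would forward, which is what a TLS-only listener rejects with handshake errors like WRONG_VERSION_NUMBER. The host and port defaults in sniff_once are assumptions.

```python
"""Peek at the first bytes a client sends and report what protocol they look like.

Added diagnostic example; not grpcurl code and not the issue author's server.
A listener configured only for TLS expects a TLS record header first, so plaintext
HTTP/2 (what a TLS-terminating proxy would forward) makes its handshake fail.
"""
import socket

# HTTP/2 cleartext (h2c) connection preface, RFC 7540 section 3.5
H2C_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HTTP1_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'h2c', 'http1' or 'unknown' for the start of a byte stream."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # 0x16 = TLS handshake record type; 0x03 = major version byte for TLS 1.0-1.3
        return "tls"
    if data.startswith(H2C_PREFACE):
        return "h2c"
    if data.startswith(HTTP1_METHODS):
        return "http1"
    return "unknown"


def tls_server_outcome(kind: str) -> str:
    """What a TLS-only listener does with each kind of first bytes."""
    if kind == "tls":
        return "handshake proceeds; check the certificate chain next"
    if kind in ("h2c", "http1"):
        return "handshake fails: plaintext arrived where a TLS record was expected"
    return "handshake fails: unrecognised bytes"


def sniff_once(host: str = "127.0.0.1", port: int = 8080, timeout: float = 30.0) -> str:
    """Accept one connection, peek at its first 32 bytes without consuming them, classify.

    Run this in place of the gRPC server (host/port are assumptions) to see what
    the proxy or client actually sends to the container.
    """
    with socket.create_server((host, port)) as srv:
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            head = conn.recv(32, socket.MSG_PEEK)
            kind = classify_first_bytes(head)
            print(f"{peer[0]}:{peer[1]} sent {head!r} -> {kind}: {tls_server_outcome(kind)}")
            return kind
```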

cavator commented 1 year ago

I don't think it's a grpcurl issue either. I'm just trying places to see if someone could help me with this; here everyone works with gRPC, so probably someone has a simple solution, or has a gcloud run example running well and can tell me what I'm possibly missing.