grpc / grpc.io

Repository for the gRPC website and documentation
https://grpc.io

grpc python client authentication throwing SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED #849

Closed gaurav36 closed 3 years ago

gaurav36 commented 3 years ago

I am building a gRPC-based application with secure authentication. Is there any issue with the gRPC Python client, or am I missing something? I don't see much about this in the documentation.

My environment is as follows:

OS: "Ubuntu 18.04.5 LTS"
python 3.7
openssl V 1.1.1-1ubuntu2.1~18.04.13
grpcio==1.39.0
grpcio-tools==1.39.0
protobuf==3.17.3

I am always getting SSL_ERROR_SSL: CERTIFICATE_VERIFY_FAILED

E0901 13:16:05.996420843   13512 ssl_transport_security.cc:1468] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E0901 13:16:06.495380631   13512 ssl_transport_security.cc:1468] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E0901 13:16:06.953751870   13512 ssl_transport_security.cc:1468] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E0901 13:16:07.407166253   13512 ssl_transport_security.cc:1468] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
Traceback (most recent call last):
  File "grpc-client.py", line 21, in <module>
    main()
  File "grpc-client.py", line 11, in main
    response = stub.ApiEndpoint(request)
  File "/home/ggarg/.local/lib/python3.7/site-packages/grpc/_channel.py", line 946, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/home/ggarg/.local/lib/python3.7/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNAVAILABLE
    details = "failed to connect to all addresses"

My proto file is:

syntax = "proto3";

service Api{
    rpc ApiEndpoint(ApiRequest)  returns (ApiResponse);   
}

message ApiRequest{
    string name = 1;
    string message = 2;
}

message ApiResponse{
    string reply = 1;
}

Server code is:

import grpc
from concurrent import futures
import time
import api_pb2
import api_pb2_grpc
import os

class ChatBox(api_pb2_grpc.ApiServicer):

    def ApiEndpoint(self, request, context):
        response = api_pb2.ApiResponse()
        response.reply = "Hi {}, myself {} , Thanks for this message : {}".format(
            request.name, os.getenv("POD_NAME"), request.message)
        return response

if __name__ == '__main__':
    # create a gRPC server
    server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
    with open('cert/server.key', 'rb') as f:
        private_key = f.read()
    with open('cert/server.crt', 'rb') as f:
        certificate_chain = f.read()
    server_credentials = grpc.ssl_server_credentials(
        ((private_key, certificate_chain), ))

    # add the servicer created above to the server
    api_pb2_grpc.add_ApiServicer_to_server(ChatBox(), server)

    # listen on port 50051
    print('Starting server. Listening on port 50051.')
    server.add_secure_port('[::]:50051', server_credentials)
    server.start()
    # since server.start() will not block,
    # a sleep-loop is added to keep alive
    try:
        while True:
            time.sleep(86400)
    except KeyboardInterrupt:
        server.stop(0)

And client code is:

import grpc
import api_pb2_grpc
import api_pb2
import time

def main():
    request = api_pb2.ApiRequest(
        name="timus",
        message="You are awesome")

    response = stub.ApiEndpoint(request)
    print(response)

if __name__ == '__main__':
    with open('cert/server.crt', 'rb') as f:
        creds = grpc.ssl_channel_credentials(f.read())
    #channel = grpc.secure_channel('www.timus.com:443', creds)
    channel = grpc.secure_channel('0.0.0.0:50051', creds)
    stub = api_pb2_grpc.ApiStub(channel)
    while True:
        main()
        time.sleep(2)

I used the following openssl command to generate the crt.

openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 3650 -nodes -out server.crt -keyout server.key

I pasted the above code as an example. For simplicity I am using the same certificate on client and server. Initially I used separate CA/server/client certificates, but I was having this issue, so just for testing I used the server certificate on both the client and server side, but I am still getting the same issue. Did anyone encounter a similar issue? Thanks in advance.

gaurav36 commented 3 years ago

Issue got fixed; there was some problem with my certificate.
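
The thread does not say what was wrong with the certificate. As an added example (not code from this issue or from the gRPC project), the script below runs the checks that apply to a setup like the one posted: the key belongs to the certificate, the certificate has not expired, it verifies against the root file the client loads, and it covers the address the client dials. The demo certificates, paths, CN and SAN values are constructed, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the PEM files a gRPC TLS client/server pair loads.
# Paths, the CN and the SAN values are constructed for this demo.

# make_cert DIR SAN: write a self-signed DIR/server.key + DIR/server.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=grpc-demo" -addext "subjectAltName=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: 0 when the private key belongs to the certificate
key_matches_cert() {
    _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# not_expired CERT: 0 when notAfter is still in the future
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# trusted_by ROOTS CERT: 0 when CERT verifies against the root file the client
# hands to grpc.ssl_channel_credentials() (system CA directory excluded)
trusted_by() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# name_matches CERT TARGET: 0 when the host name or IP literal the client dials
# is covered by the certificate
name_matches() {
    case "$2" in
        *:*)       _flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) _flag=-checkhost ;;  # anything else with a non-digit: DNS name
        *)         _flag=-checkip ;;    # dotted IPv4
    esac
    openssl x509 -in "$1" -noout "$_flag" "$2" 2>/dev/null | grep -q "does match"
}

work=$(mktemp -d)
mkdir "$work/srv" "$work/other"
make_cert "$work/srv" "DNS:localhost,IP:127.0.0.1"
make_cert "$work/other" "DNS:other.example"

key_matches_cert "$work/srv/server.key" "$work/srv/server.crt" && echo "key/cert pair: ok"
not_expired "$work/srv/server.crt" && echo "validity: ok"
trusted_by "$work/srv/server.crt" "$work/srv/server.crt" && echo "trust root: ok"
for target in localhost 127.0.0.1 0.0.0.0; do
    if name_matches "$work/srv/server.crt" "$target"; then r=ok; else r=MISMATCH; fi
    echo "dial $target: $r"
done
```

Run against real files, pass the same `server.crt` the client reads as the first argument of `trusted_by`, and the host part of the `grpc.secure_channel` target to `name_matches`.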

ZhenLian commented 3 years ago

I just noticed that this seems to be the same issue you posted at https://stackoverflow.com/questions/69013587/grpc-python-client-authentication-throwing-ssl-error-ssl-error1000007dssl-rou/69037971#69037971. Glad to see you eventually solved the problem. Feel free to let us know if there is anything we can help with in the future. Thanks!