temporalio / samples-server

MIT License

[Bug] tls full not working with server version 1.16.x #29

Open tsurdilo opened 2 years ago

tsurdilo commented 2 years ago

tls-full sample does not work with server version 1.16.x. It does start up with server versions < 1.16.0. Error:

{"level":"fatal","ts":"2022-04-25T15:44:33.343Z","msg":"error getting system sdk client","service":"worker","error":"unable to create SDK client: get system info failed: last connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \\"x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)\\" while trying to verify candidate authority certificate \\"cluster-x.contoso.com\\")\" - serviceerror.Unavailable","logging-call-at":"factory.go:98","stacktrace":"go.temporal.io/server/common/log.(zapLogger).Fatal\n\t/home/builder/temporal/common/log/zap_logger.go:150\ngo.temporal.io/server/common/sdk.(clientFactory).GetSystemClient.func1\n\t/home/builder/temporal/common/sdk/factory.go:98\nsync.(Once).doSlow\n\t/usr/local/go/src/sync/once.go:68\nsync.(Once).Do\n\t/usr/local/go/src/sync/once.go:59\ngo.temporal.io/server/common/sdk.(clientFactory).GetSystemClient\n\t/home/builder/temporal/common/sdk/factory.go:94\ngo.temporal.io/server/service/worker.(Service).startScanner\n\t/home/builder/temporal/service/worker/service.go:441\ngo.temporal.io/server/service/worker.(Service).Start\n\t/home/builder/temporal/service/worker/service.go:355\ngo.temporal.io/server/service/worker.ServiceLifetimeHooks.func1.1\n\t/home/builder/temporal/service/worker/fx.go:129"}

kussberg commented 1 week ago

The issue is due to the use of an insecure SHA1-RSA certificate in a newer server version that enforces stricter security policies. The recommended solution is to upgrade to a more secure certificate. If immediate upgrading is not feasible, temporarily overriding the security settings using GODEBUG can be a workaround, though it's not advisable for long-term use due to security implications. Additionally, ensuring that the CA certificate is trusted can resolve issues with unknown authorities.
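Added diagnostic, not code from the samples-server repository or from either commenter: a small Go program that audits a PEM bundle such as the sample's CA file for certificates whose signature algorithm Go's crypto/x509 will not verify, and then runs the same verification the server-side SDK client runs on connect. Since the sample certs themselves are not on this page, it generates its own throwaway SHA1-RSA and SHA256-RSA chains at runtime as constructed test data; the CA name "cluster-x.contoso.com" is taken from the log above, the server name "temporal.contoso.com" is an assumption. The wording in the log ("temporarily override with GODEBUG=x509sha1=1") is Go 1.18's x509 message, so the server binary was built with Go 1.18 or later, which is where SHA-1 chain verification started being rejected by default.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// insecureSignature reports whether crypto/x509 refuses to build a chain over
// this signature algorithm (SHA-1 since Go 1.18; MD2/MD5 for much longer).
func insecureSignature(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// insecureCerts parses every CERTIFICATE block in a PEM bundle (a CA file, a
// server chain) and lists "CN (algorithm)" for each cert the verifier rejects.
func insecureCerts(bundle []byte) ([]string, error) {
	var bad []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if insecureSignature(c.SignatureAlgorithm) {
			bad = append(bad, fmt.Sprintf("%s (%v)", c.Subject.CommonName, c.SignatureAlgorithm))
		}
	}
	return bad, nil
}

// verifyAgainstCA does what the server's internal SDK client does on connect:
// trust only the configured CA and verify the presented leaf against it.
func verifyAgainstCA(leafPEM, caPEM []byte, serverName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate in PEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("no leaf certificate in PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

// makeChain builds a throwaway CA and server leaf, both signed with sigAlg, in place
// of the sample's certs (constructed test data; one RSA key is reused for CA and leaf).
func makeChain(sigAlg x509.SignatureAlgorithm, caName, serverName string) (leafPEM, caPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: sigAlg,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: sigAlg,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), nil
}

func main() {
	for _, alg := range []x509.SignatureAlgorithm{x509.SHA1WithRSA, x509.SHA256WithRSA} {
		leaf, ca, err := makeChain(alg, "cluster-x.contoso.com", "temporal.contoso.com")
		if err != nil {
			panic(err)
		}
		bad, _ := insecureCerts(append(append([]byte{}, ca...), leaf...))
		fmt.Printf("%v chain: insecure=%v verify=%v\n", alg, bad, verifyAgainstCA(leaf, ca, "temporal.contoso.com"))
	}
}
```

Run it as-is to see the SHA1-RSA chain fail with the same "certificate signed by unknown authority (possibly because of ... insecure algorithm SHA1-RSA ...)" error as in the log while the SHA256-RSA chain verifies; to audit real files, read the CA and server PEM files from disk and pass them to insecureCerts and verifyAgainstCA instead of the generated ones. Two caveats on the GODEBUG workaround mentioned above: it has to be set in the environment of the server process that does the verifying, not the client, and the x509sha1 override was removed in Go 1.24, so a server built with a newer toolchain rejects SHA-1 chains unconditionally. Regenerating the certificates with a SHA-256 signature (for openssl, the -sha256 option) is the only fix that keeps working.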