-- Golang app server TLS connections to mobile clients --
Everything works except that the FULL CHAIN of trust is not being sent.
I created a pfx file (full identity file), converted it to PEM, and loaded it into a Go app (code below); it works great except that the INTERMEDIATE certificates are not being sent as part of the chain of trust.
I've tried all the examples I can find, but none have resolved my issue.
I'm also using online TLS checker tools that mostly check web servers, I'm not sure if better tools exist for testing pure gRPC connections besides other one-off gRPC apps.
Again, this is a pure gRPC, non-web connection. Below is a snippet of code that is 99% working with Comodo TLS certs. I'm concerned that my issue may be with the CertPool and how it gets passed to tls.Config. I'm following the examples but something is not working; also, it's not entirely obvious whether an event hook is required to fetch and unwind the CertPool, or whether the TLS libs can unwind everything in the proper order (host_key, [INTERMEDIATES], RootCA_key); I have to assume they can.
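// Load the server identity from disk.
//
// tls.X509KeyPair treats the first CERTIFICATE block of the PEM input as the
// leaf and appends every later CERTIFICATE block to the chain that the server
// sends during the handshake. Concatenating the leaf file with the bundle
// file is what puts the INTERMEDIATE certificates on the wire; the RootCAs
// pool further down has no influence on what the server sends.
crtPEM, err := ioutil.ReadFile(crt)
if err != nil {
	return fmt.Errorf("could not read server certificate %q: %v", crt, err)
}
keyPEM, err := ioutil.ReadFile(key)
if err != nil {
	return fmt.Errorf("could not read server key %q: %v", key, err)
}
// Read the chain bundle (intermediates, possibly the root) from disk.
CACert, err := ioutil.ReadFile(ca)
if err != nil {
	return fmt.Errorf("could not read CACert certificate: %v", err)
}
log.Println("Found Cert Bundle")

// Leaf first, then the bundle. The extra newline guards against a leaf file
// that is not newline-terminated, which would glue two PEM blocks together.
chainPEM := make([]byte, 0, len(crtPEM)+1+len(CACert))
chainPEM = append(chainPEM, crtPEM...)
chainPEM = append(chainPEM, '\n')
chainPEM = append(chainPEM, CACert...)

certificate, err := tls.X509KeyPair(chainPEM, keyPEM)
if err != nil {
	return fmt.Errorf("could not load server key pair: %v", err)
}
// Drop byte-identical duplicates (a bundle that already repeats the leaf)
// while keeping the leaf in first position and the remaining order intact.
seen := make(map[string]struct{}, len(certificate.Certificate))
chain := make([][]byte, 0, len(certificate.Certificate))
for _, der := range certificate.Certificate {
	if _, dup := seen[string(der)]; dup {
		continue
	}
	seen[string(der)] = struct{}{}
	chain = append(chain, der)
}
certificate.Certificate = chain
if len(certificate.Certificate) < 2 {
	// Only the leaf would be served; clients then have to source the
	// intermediates themselves, which is exactly the failure being debugged.
	log.Println("----- Warning: served chain contains only the leaf certificate -----")
}
log.Printf("loaded key pair with %d certificate(s) in the served chain", len(certificate.Certificate))

// Pool of trust anchors. On a server this pool only matters when verifying
// client certificates (ClientCAs/ClientAuth) or for outbound TLS made with
// the same config; it is not consulted when building the chain sent to clients.
certPool, err := x509.SystemCertPool()
if err != nil || certPool == nil {
	// SystemCertPool is not available on every platform/Go version; fall
	// back to an empty pool rather than dereferencing nil below.
	log.Printf("system cert pool unavailable (%v); using an empty pool", err)
	certPool = x509.NewCertPool()
}
// Append the bundle's certificates to the pool.
if ok := certPool.AppendCertsFromPEM(CACert); !ok {
	log.Println("----- Error: Not able to Append Certs to CertPool -----")
} else {
	log.Println("Loaded PEM certs")
}

// TLS configuration object.
tlsConfig := &tls.Config{
	RootCAs:      certPool,
	Certificates: []tls.Certificate{certificate},
	CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		// Static-RSA key exchange: no forward secrecy. Kept for legacy
		// client compatibility; remove once every client supports ECDHE.
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	},
	// Ignored by Go 1.17+ (the server always picks the order); harmless to keep.
	PreferServerCipherSuites: true,
	// Forbid all TLS below 1.2.
	MinVersion: tls.VersionTLS12,
}

s := grpc.NewServer(
	grpc.Creds(credentials.NewTLS(tlsConfig)),
	grpc.KeepaliveParams(
		keepalive.ServerParameters{
			Time:    300 * time.Second,
			Timeout: 10 * time.Second,
		},
	),
	grpc.KeepaliveEnforcementPolicy(
		keepalive.EnforcementPolicy{
			MinTime:             300 * time.Second,
			PermitWithoutStream: true,
		},
	),
)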
[... start listening boilerplate...]