OPENSSL_internal:CERTIFICATE_VERIFY_FAILED


Leila Fathi

Jan 24, 2023, 9:30:10 AM1/24/23
to grpc.io
I am using a self-signed certificate for my client and generating an RA-TLS certificate for the server, and I get the error OPENSSL_internal:CERTIFICATE_VERIFY_FAILED when I try to connect to the server. Here is my server.py:
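if __name__ == '__main__':
    # Script entry point: ask Gramine's RA-TLS attestation library for a
    # key pair and certificate, convert both to PEM, and serve gRPC over TLS
    # with them on localhost:50051.

    # Load libra_tls_attest and declare the prototype of
    # ra_tls_create_key_and_crt_der: four out-parameters (key buffer, key
    # size, certificate buffer, certificate size) and an int status.
    libra_tls_attest = ctypes.CDLL(os.path.abspath(
        "/usr/local/lib/x86_64-linux-gnu/gramine/runtime/glibc/libra_tls_attest.so"))
    libra_tls_attest.ra_tls_create_key_and_crt_der.argtypes = (
        ctypes.POINTER(ctypes.POINTER(ctypes.c_uint8)),
        ctypes.POINTER(ctypes.c_size_t),
        ctypes.POINTER(ctypes.POINTER(ctypes.c_uint8)),
        ctypes.POINTER(ctypes.c_size_t),
    )
    libra_tls_attest.ra_tls_create_key_and_crt_der.restype = ctypes.c_int

    # Output variables filled in by the library call.
    der_key_size = ctypes.c_size_t()
    der_crt_size = ctypes.c_size_t()
    der_key = ctypes.POINTER(ctypes.c_uint8)()
    der_crt = ctypes.POINTER(ctypes.c_uint8)()

    ret = libra_tls_attest.ra_tls_create_key_and_crt_der(
        ctypes.byref(der_key), ctypes.byref(der_key_size),
        ctypes.byref(der_crt), ctypes.byref(der_crt_size))

    # Fail fast: without a key and certificate there is nothing to serve
    # with, so stop here instead of carrying on with unset buffers.
    if ret != 0:
        print("Error: ra_tls_create_key_and_crt_der returned", ret)
        raise SystemExit(1)

    # Copy the DER blobs out of the library-owned buffers into Python bytes
    # (ctypes.string_at already returns bytes).
    # NOTE(review): the native buffers, including the DER private key, are
    # never released in this script - check the RA-TLS documentation for who
    # owns them and whether they should be freed/zeroed after this copy.
    cert_bytes = ctypes.string_at(der_crt, der_crt_size.value)
    key_bytes = ctypes.string_at(der_key, der_key_size.value)

    # Re-encode certificate and key as PEM, the format that
    # grpc.ssl_server_credentials takes. The private key is serialized
    # unencrypted (NoEncryption) but stays in memory; this block never
    # writes it to disk.
    cert = x509.load_der_x509_certificate(cert_bytes, backend=default_backend())
    pem_cert = cert.public_bytes(encoding=serialization.Encoding.PEM)
    key = serialization.load_der_private_key(key_bytes, None, default_backend())
    pem_key = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption())

    # NOTE(review): the certificate served here is produced by the library
    # call above each time the process starts. A client whose only trust
    # root is a PEM file created separately has no chain to it, and the
    # handshake ends in CERTIFICATE_VERIFY_FAILED. RA-TLS peers are expected
    # to validate the attestation evidence carried in the certificate
    # (Gramine ships verification libraries for that) rather than rely on
    # ordinary CA chain validation - confirm against the Gramine RA-TLS
    # documentation and check what the gRPC client in use can plug in.

    # Create the gRPC server with a single (key, certificate) pair.
    server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
    server_credentials = grpc.ssl_server_credentials(((pem_key, pem_cert),))

    # Register the service implementation with the server.
    service_pb2_grpc.add_ExecserviceServicer_to_server(serviceExecutionImp(), server)

    # Bind to the loopback interface only, TLS-protected.
    print('Starting gRPC server. Listening on port 50051.', flush=True)
    server.add_secure_port('localhost:50051', server_credentials)
    server.start()

    # server.start() does not block, so sleep in a loop to keep the process
    # alive until Ctrl-C, then stop without a grace period.
    try:
        while True:
            time.sleep(86400)
    except KeyboardInterrupt:
        server.stop(0)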
and client.py:
# Client side: build a TLS channel whose only trust root is keys/cert.pem.
path_to_cert = "keys/cert.pem"

# The PEM bytes read here are passed to grpc.ssl_channel_credentials as the
# root certificates, so the server's certificate must chain to (or be) this
# certificate for the handshake to succeed.
# NOTE(review): if the server presents a certificate generated at start-up
# by an RA-TLS library, this static file is unrelated to it and chain
# validation fails with CERTIFICATE_VERIFY_FAILED - confirm which
# certificate the server actually serves.
with open(path_to_cert, 'rb') as cert_file:
    certificate = cert_file.read()

# 'grpc.ssl_target_name_override' replaces the host name that the server
# certificate is checked against. gRPC documents it as a testing aid; it
# does not relax chain validation, only the name comparison.
cert_cn = "localhost"
options = (
    ('grpc.ssl_target_name_override', cert_cn),
)

credentials = grpc.ssl_channel_credentials(certificate)
channel = grpc.secure_channel(
    server_address_str+":50051",
    credentials,
    options,
)
stub = datacontract_pb2_grpc.ExecDataContractStub(channel)
this is cert.pem:
-----BEGIN CERTIFICATE-----
MIIFCzCCAvOgAwIBAgIUVvHh3v24VTkjJAm+sHB5aS1lBCswDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTIzMDEyMzE2MjcyNVoYDzMwMjIw
NTI2MTYyNzI1WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCzIwz6/N/Xd5oyZuXtNZ7s+Sxmq9svpY6g87Mp/SSa
3vCaGTGGpUKA8/98HSmJZl2feqToF2hJHLK7JlczE+JxR2s+2ImRWv27/3/11MK4
Tp9xvx0rGnwY7eGvFHYdxUAobJZnwekrjFTgL4HEuWjZ6uagFKrPimmLnxAvRvaM
CaeD42WzidCaFbsCoMqKHoek+mUsb8Q5+npDcqB0hjflTpHFqAvEb9FdRILThzSf
wZlfE6rZIHUuHUV8k9nVLK+6ZnVYRK+xKKPHe+rOjaSWsCAnxidyuVWtpEJO79aL
IPhn0rS0zaTW/wx4sLnAJZ+Muvro79obsrNnVglM60uwqcL6SV9uT61HlhuxQQGS
UK/zAtthTYSupKZLz3fW8Rmge9KmOLmlWnmB6nM7Xja82dnv4MoALoWv94d/RauI
uxxV+V2ZNAsmdOZk85b6ixVn5ZlMRnnmOt9ABIuoVXxA2cnSL795SbWuJSRfsIVi
XXd5QKCjr14i2jBz997RONiVEglBzr6jvH6lxzrvs8tahA1GBa43xUf4AswfX1yR
DB7KndeHmlMtasAY+UxtL1OSr1gkwjlHS9dXRlOrmCT+EP3KOWgQITeXvUyqxsTz
ZMHT/1fNNr/YSf8uTvrWIdproR2eFwWX/0gDq0RBP7t1ytJ+eCDwo3rWTfh2oHus
VwIDAQABo1MwUTAdBgNVHQ4EFgQUy2HU43rtPu6CUWqtiv5h+sswONMwHwYDVR0j
BBgwFoAUy2HU43rtPu6CUWqtiv5h+sswONMwDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAgEARw4Dgc4MBtoYjqRtBH3dsMhmdhkqs+PyoJJ0jfyxlABq
BQcjaeAnJxEnwaVHYm68CaFQHArZA+l0qTCWAWSdxXSWUTLG3fW61khDM4VvqSDf
k0qXMj4x9wS6dR4uP5KstMgzLtLctrqpLhr73jn3jJzlnstJPDUCkzoYpwTVSA1F
HX65hOXjNdqYSM7rcuP1YU7kV3S7nF9egKU8KmKFnKYnPSwM3QzYTyud9Ka2Kf2F
AT/1+j+/Xlw7u7egVAqx/lExDYoZ8te3Th0h100a5sf8Pc6mEOh2vgPd38tiaXhe
XrzhQZGgLveCeM3DZpertkzAMf1UF4wA71saMv8+kcYENgtjWaNPafRRUbApLHxM
fxB7gRcDiMd/YraoE45K79x8KjWfzp4GcX5yqxAJo96WQxSZw1d6N5cpq2XelLDm
PMSuB73kb6vig+3Hf5APRcVAleuvaeeN8yCduB8gum0khbbNEDXnQi82YIAw1puI
TLMnNgxdxDUM0Bh3AIZCJWyAk1DbFNV/sIrBaiGN3Pq8mLbXlKomuKSL6wpMufpD
pFEBIkhFDzVN8Ix4Nt/A4zb9qb66c6z2ULyrsq53o30Lp83JsR25rQ3sMDhMXOGi
NrR0ZkbFYSPKGnVzsG5sr/8xcrkpXB/iYhiVDRM6upJAfsSx4ElXvc8vhTWvLvk=
-----END CERTIFICATE-----
I have no idea why it is not working. The server is listening, and when I run client.py I get:
   return _end_unary_response_blocking(state, call, False, None)
  File "/home/sgx_user/.local/lib/python3.8/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.UNAVAILABLE
        details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:50051: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"
        debug_error_string = "UNKNOWN:failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:50051: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED {created_time:"2023-01-24T14:21:21.587798736+00:00", grpc_status:14}"