How to upload server certificate?


shikhach...@gmail.com

May 5, 2016, 7:30:00 AM
to grpc.io
Hi,

A simple thing but somehow not working for me. Can somebody please share

My client & server are on Linux & on the same machine.

(A) CLIENT:
I am adding certificates to the trusted CA store in a file "roots.pem", & GRPC_DEFAULT_SSL_ROOTS_FILE_PATH points to this file.

(B) SERVER
- How to install the private key & certificate here? I tried a couple of permutations and combinations but nothing is working. I guess I am using the wrong format.

> ./greeter_async_server
ssl_transport_security.c:576] Invalid cert chain file.
security_connector.c:770]   Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
server_secure_chttp2.c:191] Unable to create secure server with credentials of type Ssl.
Stream Server listening on localhost:50052
[5]+  Segmentation fault      (core dumped) ./greeter_async_server


void StreamRun() {
    std::string server_address("localhost:50052");
    GreeterServiceImpl service;
    ServerBuilder builder;
    SslServerCredentialsOptions::PemKeyCertPair pkcp = {test_server1_key, test_server1_cert};
    SslServerCredentialsOptions ssl_opts;
    ssl_opts.pem_root_certs = "";
    ssl_opts.pem_key_cert_pairs.push_back(pkcp);
    builder.AddListeningPort(server_address, grpc::SslServerCredentials(ssl_opts));
    // builder.AddListeningPort(server_address, grpc::InsecureServerCredentials());
    builder.RegisterService(&service);
    builder.RegisterService(&stream_service_);
    server_ = builder.BuildAndStart();
    std::cout << "Stream Server listening on " << server_address << std::endl;
    server_->Wait();
}


const char test_server1_cert[] = "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----";

const char test_server1_key[] =  "-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----";



shikhach...@gmail.com

May 5, 2016, 8:07:09 AM
to grpc.io, shikhach...@gmail.com
CLIENT CODE
SslCredentialsOptions ssl_opts = {"", "", ""};
HelloStreamClient hello_stream(grpc::CreateChannel("localhost:50052", grpc::SslCredentials(ssl_opts) ));
hello_stream.Run( );

christop...@gmail.com

May 8, 2016, 6:37:58 PM
to grpc.io, shikhach...@gmail.com
I'm equally interested in getting this to work for C++...

I used the generate.sh script from this repo: https://github.com/codequest-eu/grpc-demo as far as generating root, server, and client certs and keys.

I've made server and client modifications in C++ analogous to the ruby client/server code in that repo. This includes specifying the root cert as part of the SslServerCredentialsOptions (server) and SslCredentialsOptions (client).

The server starts cleanly, but when the client sends requests I see this on the client side:

E0508 15:07:53.073293665   31677 ssl_transport_security.c:199] ssl_info_callback: error occured.

E0508 15:07:53.073373969   31677 ssl_transport_security.c:937] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E0508 15:07:53.073382062   31677 handshake.c:241]            Handshake failed with error TSI_PROTOCOL_FAILURE
E0508 15:07:53.073388899   31677 secure_channel_create.c:99] Secure handshake failed with error 1.
Hello received: RPC failed


and this on the server side:
E0508 15:07:55.079777143   31666 handshake.c:215]            Read failed.
E0508 15:07:55.079829302   31666 server_secure_chttp2.c:121] Secure transport failed with error 1



My attempt at the secure client/server code is in the secure_hello directory of this repo: https://github.com/CJLove/grpc-playground

Any further suggestions/corrections would be appreciated :)

    Chris

shikhach...@gmail.com

May 12, 2016, 1:24:48 AM
to grpc.io, shikhach...@gmail.com
Hi Chris,

I checked https://github.com/CJLove/grpc-playground/blob/master/certs/create.sh to see how you are generating the CA, server & client certs.
- So, both your server & client certificates are signed by the root CA.
- Ideally you should store this CA's certificate at the client side in the list of root certs.

I faced this issue many times but storing the right root cert at the client side always resolved the issue. Not sure whether you have executed that step, so just for your quick reference I am adding the steps that I follow, in brief:
1) Set a path for the certificate store: export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH=/home/shikha/roots.pem
2) Save the CA certificate in the path set in step 1.
3) Run your client

Hopefully this resolves the issue.

-Thanks
Shikha
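
An added check covering both halves of this thread (the server's key/certificate pair from the first post and the client's root store from the steps above); it is not code from the thread, from the linked repos or from the gRPC project. gRPC's SSL credentials take PEM text rather than file paths and load the private key with no passphrase callback, so a password-protected key such as an `ENCRYPTED PRIVATE KEY` block cannot be used. The functions below parse PEM blocks and reject that case, a legacy `Proc-Type: 4,ENCRYPTED` key, mismatched or unterminated blocks, and a roots file with no certificate in it. The names (`ParsePemBlocks`, `CheckServerKeyCertPair`, `CheckRootsFile`) and the sample PEM strings with placeholder bodies are my own constructions.

```cpp
// Added example, not code from the thread or from the gRPC project: sanity-check
// the PEM text that goes into gRPC's SslServerCredentialsOptions (server) and
// into the file GRPC_DEFAULT_SSL_ROOTS_FILE_PATH points at (client) before
// gRPC sees it. gRPC loads the key without a passphrase, so an encrypted key
// is rejected here with an actionable message instead of a handshaker error.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct PemBlock {
  std::string label;  // text between "-----BEGIN " and "-----", e.g. "CERTIFICATE"
  std::string body;   // the whole block, BEGIN and END lines included
};

// Splits PEM text into its blocks. Text outside BEGIN/END lines is ignored, as
// OpenSSL does. On a structural defect, returns an empty vector and sets *error.
std::vector<PemBlock> ParsePemBlocks(const std::string& pem, std::string* error) {
  const std::string kBegin = "-----BEGIN ", kEnd = "-----END ", kDash = "-----";
  // Label of a "-----TAG label-----" line, or "" when the line is not one.
  auto label_of = [&](const std::string& l, const std::string& tag) {
    bool ok = l.compare(0, tag.size(), tag) == 0 && l.size() > tag.size() + kDash.size() &&
              l.compare(l.size() - kDash.size(), kDash.size(), kDash) == 0;
    return ok ? l.substr(tag.size(), l.size() - tag.size() - kDash.size()) : std::string();
  };
  std::vector<PemBlock> blocks;
  std::istringstream in(pem);
  std::string line, label, body;  // label is non-empty while inside a block
  while (std::getline(in, line)) {
    if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF files
    if (label.empty()) {  // outside a block: only a BEGIN line matters
      label = label_of(line, kBegin);
      body = label.empty() ? std::string() : line + "\n";
      continue;
    }
    body += line + "\n";
    if (line.compare(0, kEnd.size(), kEnd) == 0) {
      if (label_of(line, kEnd) != label) {
        *error = "END line does not match BEGIN " + label;
        return {};
      }
      blocks.push_back({label, body});
      label.clear();
    }
  }
  if (!label.empty()) { *error = "unterminated " + label + " block"; return {}; }
  return blocks;
}

// Server side: the strings that become SslServerCredentialsOptions::PemKeyCertPair.
// Returns "" when acceptable, otherwise a reason a human can act on.
std::string CheckServerKeyCertPair(const std::string& key_pem, const std::string& cert_pem) {
  std::string err;
  std::vector<PemBlock> keys = ParsePemBlocks(key_pem, &err);
  if (!err.empty()) return "key: " + err;
  if (keys.size() != 1) return "key: expected one PEM block, found " + std::to_string(keys.size());
  const std::string& label = keys[0].label;
  if (label == "ENCRYPTED PRIVATE KEY")
    return "key: passphrase-protected PKCS#8 key; gRPC needs an unencrypted key "
           "(convert with: openssl pkcs8 -in enc.key -topk8 -nocrypt -out plain.key)";
  if (label != "PRIVATE KEY" && label != "RSA PRIVATE KEY" && label != "EC PRIVATE KEY")
    return "key: unexpected PEM label '" + label + "'";
  // Legacy RSA/EC blocks can be encrypted too; OpenSSL marks those with a header line.
  if (keys[0].body.find("Proc-Type: 4,ENCRYPTED") != std::string::npos)
    return "key: legacy encrypted key (Proc-Type: 4,ENCRYPTED); gRPC needs an unencrypted key";
  std::vector<PemBlock> certs = ParsePemBlocks(cert_pem, &err);
  if (!err.empty()) return "cert: " + err;
  if (certs.empty()) return "cert: no CERTIFICATE block found";
  for (const PemBlock& b : certs)
    if (b.label != "CERTIFICATE") return "cert: unexpected PEM label '" + b.label + "' in chain";
  return "";
}

// Client side: the roots file must hold the CA certificate(s) that signed the
// server certificate, and nothing else. Returns "" when acceptable.
std::string CheckRootsFile(const std::string& roots_pem) {
  std::string err;
  std::vector<PemBlock> certs = ParsePemBlocks(roots_pem, &err);
  if (!err.empty()) return "roots: " + err;
  if (certs.empty()) return "roots: no CERTIFICATE block; the client will trust nothing";
  for (const PemBlock& b : certs)
    if (b.label != "CERTIFICATE") return "roots: '" + b.label + "' does not belong in a root store";
  return "";
}

// Constructed sample material: placeholder bodies, not real keys or certificates.
const char kPlainKey[] = "-----BEGIN PRIVATE KEY-----\nQUJDRA==\n-----END PRIVATE KEY-----\n";
const char kEncryptedKey[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJDRA==\n-----END ENCRYPTED PRIVATE KEY-----\n";
const char kServerCert[] = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n";
const char kTruncatedCert[] = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n";

int main() {
  std::cout << "plain key + cert: [" << CheckServerKeyCertPair(kPlainKey, kServerCert) << "]\n"
            << "encrypted key:    [" << CheckServerKeyCertPair(kEncryptedKey, kServerCert) << "]\n"
            << "truncated cert:   [" << CheckServerKeyCertPair(kPlainKey, kTruncatedCert) << "]\n"
            << "roots (ok):       [" << CheckRootsFile(kServerCert) << "]\n"
            << "roots (empty):    [" << CheckRootsFile("") << "]\n";
  return 0;
}
```

Once `CheckServerKeyCertPair` returns an empty string, the two strings are exactly what go into `SslServerCredentialsOptions::PemKeyCertPair` (read the files into strings with `std::ifstream` first, since gRPC wants the text, not a path); the server's `pem_root_certs` only matters when the server is meant to verify client certificates. On the client, the file that passes `CheckRootsFile` is what `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` should point at, and it has to contain the CA that signed the server certificate. This check cannot prove that relationship, `openssl verify -CAfile roots.pem server.crt` does. Note that the key in the first post of this thread is labelled `ENCRYPTED PRIVATE KEY`, which this check rejects because gRPC cannot load it without a passphrase.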

shikhach...@gmail.com

May 12, 2016, 1:26:36 AM
to grpc.io, shikhach...@gmail.com
What to store in root cert store actually depends upon how we are generating the certificate.
- Do share whether this resolves your issue.


-Shikha