
I have a Debian GCP instance on which I’m trying to run a Python gRPC server. My instance has a static IP and I’m trying to establish a secure channel between my remote instance (server) and a local client.

I have generated self-signed OpenSSL certificates on the server and I am using the same certificates on the client. To generate them I’ve used:

    openssl req -newkey rsa:2048 -nodes -keyout ML.key -x509 -days 365 -out ML.crt

My server is set up like so (the .key and .crt files are loaded with an open as 'rb'):

    import grpc

    # private_key and certificate_chain are the bytes read from ML.key and ML.crt
    server_credentials = grpc.ssl_server_credentials(((private_key, certificate_chain,),))
    self.server.add_secure_port('0.0.0.0:%d' % self.port, server_credentials)
    self.server.start()

My client is set up as:

    host = '78.673.121.16' #this is the instance's static IP
    port = 9063

    certificate_chain = __load_ssl_certificate() #this loads the certificate file

    # create credentials
    credentials = grpc.ssl_channel_credentials(root_certificates=certificate_chain)

    # create channel using ssl credentials
    channel = grpc.secure_channel('{}:{}'.format(host, port), credentials)

and then I proceed to make a request.

At the server I am met with the following error, in response to my request:

E1017 17:21:22.964227087    1881 ssl_transport_security.cc:1807] No match found for server name: 78.673.121.16.

I have tried to change the Common Name (CN) of the certificate to localhost, 0.0.0.0 and 78.673.121.16 but to no avail.

Is there any suggestion?


Answers


  1. Chosen as BEST ANSWER

    I have failed to find how to solve this and have opted to set up a permanent DNS for my instance instead. I was using GCP which, as of the time of writing, doesn't straightforwardly provide a way to assign this to an instance.

    I switched to Azure, assigned the DNS to my instance and used that DNS and CN on my self-signed SSL certificate.

    After that I changed the client (the server remains as originally) as:

        host = 'myinstance.westus.azure.com' #this is the instance's DNS
        port = 9063
    

    This resolved my issue.


  2. Try passing these options in the secure_channel function call:

    # secure_channel expects options as a sequence of (key, value) pairs, not a dict
    options = (
        ('grpc.ssl_target_name_override', 'localhost'),
        ('grpc.default_authority', 'localhost'),
    )
    channel = grpc.secure_channel('{}:{}'.format(host, port), credentials, options)
    
  3. I just had a similar problem, and was able to get it resolved finally. In my case I was hosting the server in a Kubernetes cluster with a static IP and port. The key components of the solution were (in the server certificate):

    1. Use the static IP address as the Common Name
    2. Add the static IP address as a DNSName within the SubjectAlternativeName extension of the certificate

    Step 2 turned out to be critical. In Python (using grpc version 1.34.0) this was accomplished by:

    from cryptography import x509
    host = '78.673.121.16'
    builder = x509.CertificateBuilder()
    ...
    builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
    
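Added example, not part of the original answers: a complete version of the certificate build that answer 3 abbreviates, followed by a check that the SubjectAlternativeName actually contains the address the client dials. The names `make_self_signed` and `san_entries` are hypothetical, `HOST` is a constructed placeholder, and the extra `IPAddress` SAN entry is an addition that the answer does not use.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

HOST = "203.0.113.10"  # constructed placeholder (documentation range), not the poster's IP


def make_self_signed(host, days=365):
    """Return (key_pem, cert_pem) for a self-signed certificate whose SAN carries `host`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)])
    # Answer 3 adds the address as a DNSName entry. The iPAddress entry is an
    # addition made here: it is the SAN type defined for IP literals.
    sans = [x509.DNSName(host)]
    try:
        sans.append(x509.IPAddress(ipaddress.ip_address(host)))
    except ValueError:
        pass  # host is a DNS name, so there is no IP entry to add
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer equals subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    )
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def san_entries(cert_pem):
    """List the SAN values of a PEM certificate as (type name, value) pairs."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return [(type(n).__name__, str(n.value)) for n in san]
```

Writing `key_pem` and `cert_pem` to `ML.key` and `ML.crt` gives files that can be loaded by the server and client code in the question.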