TLS not working for GRPC

Hello,

I created a DNS record and enabled the proxy for it. I selected SSL/TLS Full (Strict) mode, created an origin cert and private key, and added them to my server-side code. On the client side I am using a cert from origin, and I am getting this error: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"

Can anyone help me with which SSL/TLS certs are to be used for a correct gRPC handshake?

How do I enable TLS for the gRPC client to Cloudflare, and then from Cloudflare to our origin gRPC server?


Yes, Full (Strict) SSL is the best and recommended, no issues with it at all and secure for everyone:

Nevertheless, gRPC should be working over an SSL/TLS connection, and over HTTPS (port 443) with HTTP/2 support too.

Just to make sure, may I ask if the gRPC option is enabled at your Cloudflare Dashboard → Network tab for your domain name?

Hi,

Yes, I enabled gRPC. I want to know what certs need to be added to the client-side configuration, as I am getting this error: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"

In SSL/TLS, what should the process be for TLS setup for gRPC? I already followed the process in the documentation, but it is still failing.

I am having the same issue. gRPC works when I turn off the proxy in the DNS settings.
I have tried using the Origin combination as well as the Client + Origin setup, but neither works and both result in the "certificate signed by unknown authority" error.

Okay, I got this working by putting the origin cert and key on my gRPC server and using the system's CA pool for the client.

The Go code for the client:

	// Load the operating system's trusted root CAs.
	roots, err := x509.SystemCertPool()
	if err != nil {
		log.Fatalf("failed to get system certificate pool: %v", err)
	}
	// Verify the server certificate against the system roots.
	tlsConfig := &tls.Config{
		InsecureSkipVerify: false,
		RootCAs:            roots,
	}
	return grpc.Dial(observeConfig.ArenaServer, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))

For the server:

	// Serve TLS with the origin certificate and private key.
	creds, err := credentials.NewServerTLSFromFile(certPath, keyPath)
	if err != nil {
		return nil, err
	}

	s := grpc.NewServer(grpc.Creds(creds))

Take a look at GitHub - Qv2ray/gun: Toy gRPC Tunnel over CloudFlare (Proof of Concept) for more details.

