You are very likely running into this issue <https://github.com/grpc/grpc/pull/17868>. This fix will be available in gRPC release 1.19.0. You can try nightly pkgs from https://packages.grpc.io/ or wait for 1.19 RC coming out early next week.
On Wednesday, February 6, 2019 at 10:52:41 AM UTC-8, [email protected] wrote:
>
> Yes, we have tried to use that option, but it does not change anything. Here
> are the grpc versions we are using.
>
> For PHP we are using the packages php56-php-pecl-grpc (version 1.17.0) and
> php56-php-pecl-protobuf (version 3.6.1) and openssl (version 1.0.2k-fips).
> The Java dropwizard-grpc version for the server is 1.1.3-1. The Java
> grpc-netty, grpc-protobuf, and grpc-stub versions for the Java client are
> 1.13.1.
>
> On Tuesday, February 5, 2019 at 6:03:02 PM UTC-8, Stanley Cheung wrote:
>>
>> Did you try supplying the "grpc.ssl_target_name_override" key to the
>> options?
>>
>> On Tue, Feb 5, 2019 at 4:01 PM jisooh via grpc.io <
>> [email protected]> wrote:
>>
>>> Hello,
>>>
>>> We are currently facing an issue with trying to connect our PHP gRPC
>>> client with SSL to our Java gRPC server. The gRPC service we are trying to
>>> connect to is running on a service mesh (linkerd/namerd), and the call
>>> first hits a linkerd instance that routes to the service.
>>>
>>> When we run a Java client using the trusted certificate, it is able to
>>> connect to the server; however, with a Python and PHP client, the SSL
>>> connection fails even with the same cert.
>>>
>>> Java client code:
>>>
>>> ManagedChannel channel = NettyChannelBuilder.forAddress(host, port)
>>>         .overrideAuthority("cert-common-name")
>>>         .sslContext(GrpcSslContexts.forClient()
>>>                 .trustManager(new File("path/to/cert")).build())
>>>         .build();
>>>
>>> Python code:
>>>
>>> credentials = grpc.ssl_channel_credentials(open('path/to/cert', 'rb').read())
>>> channel = grpc.secure_channel(host + ':' + str(port), credentials,
>>>     options=(('grpc.default_authority', 'cert-common-name',),))
>>>
>>> PHP code:
>>>
>>> $channel_credentials = \Grpc\ChannelCredentials::createSsl(
>>>     file_get_contents('path/to/cert'));
>>> $channel = new \Grpc\Channel($hostname,
>>>     [
>>>         'grpc_target_persist_bound' => 2,
>>>         'grpc.default_authority' => 'cert-common-name',
>>>         'credentials' => $channel_credentials
>>>     ]);
>>>
>>> We are interested in fixing the problem for PHP at the moment. Our PHP
>>> client runs in a CentOS 7 docker container with nginx + php-fpm.
>>>
>>> We have tried to make the OS trust the certificate by using
>>> update-ca-trust. Running *openssl s_client -connect host:port* returns:
>>>
>>>> verify error:num=2:unable to get issuer certificate
>>>
>>> We receive the following error when calling the server with the created
>>> client for PHP:
>>>
>>>> ssl_transport_security.cc:1229] Handshake failed with fatal error
>>>> SSL_ERROR_SSL: error:1000007d:SSL
>>>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
>>>
>>> With the gRPC logs, we can see that the connection fails when it tries
>>> to call the security handshake.
>>>
>>> We are not sure why the Java client is able to connect to the server
>>> while the PHP and Python clients cannot with the same cert.
>>>
>>> Has anyone run into these issues before? It would be helpful if anyone
>>> has some information on this, as this is currently a high priority blocker
>>> for us.
>>>
>>> Thank you.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "grpc.io" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/grpc-io.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
