Tags: python, ssl, openssl, grpc-python

I have a certificate and a private key on the client and on the server but the gRPC secure connection fails


I generated the certificate and the private key with openssl for the client and for the server. The code of both of them is in Python and they communicate over gRPC for a federated learning process. I tried to make the gRPC connection a secure connection but I got problems. gRPC secure connection is based on SSL security; for this reason I generated a certificate and a private key for client and server with openssl. Checking the certificates (client and server are similar), openssl gave me this:

 openssl x509 -in /home/torino/Desktop/certificate.crt -text -noout
    
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                6f:12:4e:5c:8d:a4:d0:f3:ef:4e:14:73:bb:cc:b3:bf:0c:9b:e9:84
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = IT, ST = Itali, O = Uni, CN = *
            Validity
                Not Before: Nov  8 16:01:13 2021 GMT
                Not After : Nov  8 16:01:13 2022 GMT
            Subject: C = IT, ST = Itali, O = Uni, CN = *
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:db:17:4a:18:29:cd:12:c8:77:89:4b:9e:21:f1:
                        d4:ca:0a:6d:7c:71:f9:a8:3c:31:11:d2:4b:48:5d:
                        ab:be:fa:9b:44:c0:e9:fb:26:c1:32:7f:a6:09:38:
                        73:e9:18:73:56:7a:5e:31:4c:74:2b:c6:66:fa:5f:
                        c2:ab:4a:84:72:86:16:fc:fd:a4:5e:1b:74:f5:b4:
                        57:33:d4:ae:0a:83:82:bb:66:29:ce:00:f8:5e:fc:
                        28:93:78:c2:f3:0c:3e:69:3f:4a:27:25:47:3a:6c:
                        01:63:07:58:a5:f4:8f:11:3e:29:cf:fc:19:ab:30:
                        9b:97:d7:d2:6f:a2:89:12:14:65:74:8b:bd:ef:dd:
                        c0:3b:30:6c:2d:be:48:1a:c0:46:41:ab:fa:a8:39:
                        b8:cb:bb:e0:63:89:e3:a6:4f:a3:4c:8e:52:5c:45:
                        ed:79:80:a7:8e:bd:cc:26:bb:cb:aa:3a:57:1f:8f:
                        e6:4b:09:3f:7a:9e:5e:47:ab:a0:2f:98:5a:b1:40:
                        8c:23:1c:5b:97:bc:43:eb:19:07:11:cf:a8:41:d2:
                        04:bc:11:e1:3b:44:58:1e:01:d1:ff:fe:4c:f8:69:
                        15:6b:ee:3a:21:47:a8:59:89:3b:e3:f4:61:5f:dd:
                        7f:1f:66:23:38:24:80:6f:4b:94:cf:c8:a7:a1:6f:
                        52:7f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    76:D6:DE:F8:A7:92:5E:1D:45:AE:AA:58:56:B3:36:72:44:E8:62:81
                X509v3 Authority Key Identifier: 
                    keyid:76:D6:DE:F8:A7:92:5E:1D:45:AE:AA:58:56:B3:36:72:44:E8:62:81
    
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             85:e2:7f:5d:ce:91:e7:68:60:28:96:5d:76:26:f7:2d:64:dd:
             f7:6a:19:c9:b5:b8:4f:40:7a:c4:76:be:ef:cd:a0:66:03:69:
             61:45:e2:40:ba:75:ca:ec:78:e9:bb:ca:1b:89:44:0c:43:f3:
             15:a6:cc:9f:0d:d5:bf:f8:58:2b:18:94:7a:5b:7e:c2:24:01:
             4d:d2:d5:f1:6f:08:a1:9e:60:4c:4a:18:9a:a1:93:75:60:84:
             9d:af:54:6a:99:2c:94:e1:8f:58:5e:82:01:b8:c0:e7:2a:8e:
             13:0f:a5:a6:58:72:a2:1b:fa:c5:3f:fe:db:85:bd:0b:78:9b:
             60:f0:74:fc:ce:31:d0:08:cf:eb:0c:4b:14:ca:0d:96:26:15:
             b5:d2:f7:9b:f7:c6:f9:d2:24:e3:ef:2c:dc:fb:b0:43:ac:b4:
             70:2d:20:b5:22:6f:3e:ba:68:c2:f5:e3:bb:e2:75:59:0f:eb:
             fa:76:39:a6:24:d0:4d:6c:27:c0:a0:db:26:94:ff:39:f8:a2:
             fc:0e:5f:a8:d5:fe:da:15:5b:70:68:3c:e9:e6:0d:01:a7:bb:
             36:cd:2f:ef:1a:a7:f6:13:2c:01:ae:0e:24:d4:a2:1c:d0:3d:
             88:5b:6d:ec:77:99:aa:48:f7:26:8d:84:21:b6:74:26:89:a8:
             eb:e5:d7:fa

Checking the private key, openssl gave me this:

openssl rsa -in /home/torino/Desktop/privateKey.key -check
RSA key ok
writing RSA key

And this means that the certificate and the private key are correct. But when I try to have a gRPC secure connection, I got this error on the client:

E1108 18:12:33.539123908 3109 ssl_transport_security.cc:1469] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.

And the server gave me this error:

E1108 18:12:33.540418211 1963 ssl_transport_security.cc:1839] No match found for server name: 192.168.37.137.


Solution

  • Responding in case you're still having the issue or in case someone else finds this post. I've seen a similar error that was caused by missing SANs in the certificate used on the server. I believe you may need to add a SAN with value IP:192.168.37.137 to your certificate for it to work as expected.

    1.  openssl req  -nodes -new -x509  -keyout server.key
    2.  vi san.conf # add lines shown below 
        subjectKeyIdentifier   = hash
        authorityKeyIdentifier = keyid:always,issuer:always
        basicConstraints       = CA:TRUE
        keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
        subjectAltName         = IP:192.168.37.137
        issuerAltName          = issuer:copy
     
    3.  openssl req -new -key server.key -out server.csr
    4.  openssl x509 -req -in server.csr -signkey server.key -out server.cert -days 3650 -sha256 -extfile san.conf
    5.  openssl x509 -in server.cert -text
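As an added example (not code from the question or the answer): a small stdlib-only Python function that applies the same kind of name matching a TLS client performs on the server certificate, using constructed SAN lists that stand in for the certificates discussed above. It shows why the question's certificate (CN = *, no SAN extension) cannot satisfy the IP target 192.168.37.137 and why the IP SAN from the answer does; the SAN tuples follow the shape Python's `ssl` module returns from `getpeercert()['subjectAltName']`, and the wildcard rule is a simplified one.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed SAN lists (not parsed from real certificates) in the shape that
# ssl.SSLSocket.getpeercert()['subjectAltName'] uses: (type, value) tuples.
CERT_FROM_QUESTION = ()                                  # CN='*' only, no SAN
CERT_FROM_ANSWER = (("IP Address", "192.168.37.137"),)   # SAN = IP:192.168.37.137
CERT_DNS_WILDCARD = (("DNS", "*.uni.example"),)          # hypothetical DNS SAN


def _dns_match(pattern: str, host: str) -> bool:
    """Simplified dNSName matching: exact match, or a '*' that replaces the
    whole left-most label only (no partial-label or multi-level wildcards)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(san: Iterable[Tuple[str, str]], target: str) -> bool:
    """Return True if `target` (the host the client dialled) is covered by the
    certificate's Subject Alternative Names. The Subject CN is never consulted,
    which is why a CN of '*' does not help with any target at all."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a DNS name, not an IP literal
    for kind, value in san:
        if ip is not None:
            # An IP target is satisfied only by an iPAddress SAN, compared as
            # addresses; a dNSName entry (wildcard or not) never matches an IP.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


def check_server_name(san: Iterable[Tuple[str, str]], target: str) -> str:
    """Short verdict string, mirroring what the handshake decides."""
    if san_matches(san, target):
        return f"ok: {target} is covered by a SAN entry"
    return f"no match found for server name: {target}"
```

With a real connection the same decision is made by the TLS stack; the point is that the target the client connects to (here an IP) must appear as an IP-type SAN, not in the CN.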