I'm trying to build 2 Google Cloud Run containers that will communicate via gRPC using Tonic. The problem I'm running into is the "error trying to connect: invalid peer certificate: UnknownIssuer" issue.
I found this exact issue and it says all I need to do is add the tls-roots (and tls) feature flag to tonic and it will all magically work... however, that doesn't seem to be the case for me. I have tried just calling connect with my endpoint defined as the HTTPS URI of the listening container, but that does not work:
```rust
// Plain connect against the https:// URI, relying on the tls-roots feature for trust anchors
let dac = DataAccessClient::connect(BACKEND_URI.as_str()).await?;
```
I have also tried following the example in the Tonic GitHub for GCP, and that does not work either (using the same roots.pem file):
```rust
use anyhow::Context;
use tonic::transport::{Certificate, Channel, ClientTlsConfig};

// Load Google's root bundle and use it as the client's only trust anchors
let certs = std::fs::read_to_string("/roots.pem")
    .context("Reading certificate")?;
let tls_config = ClientTlsConfig::new()
    .ca_certificate(Certificate::from_pem(certs));
// Build the channel against the https:// URI of the listening container
let channel = Channel::from_static(BACKEND_URI.as_str())
    .tls_config(tls_config)?
    .connect()
    .await?;
let dac = DataAccessClient::new(channel);
```
The result is always the same error message: "error trying to connect: invalid peer certificate: UnknownIssuer".
Does anyone have a working example of 2 Cloud Run containers communicating via gRPC using Tonic? Or know where I might be going wrong with what I have?
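Added diagnostic, not code from the question or from tonic: a shell helper that checks whether a CA bundle actually contains the issuer of a server certificate, reproduced offline with a constructed throw-away CA, plus a helper to capture the chain a live endpoint presents; the file names and hostname are assumptions.

```shell
# Added diagnostic, not code from the question or from tonic: reproduce a trust
# failure locally and check whether a CA bundle covers a server cert's issuer.
set -eu

# verify_against_bundle LEAF_PEM BUNDLE_PEM
# Prints OK when the bundle contains the leaf's issuer chain, otherwise
# UNKNOWN_ISSUER (OpenSSL's "unable to get local issuer certificate", the
# same condition rustls reports as UnknownIssuer). Returns 0 or 1.
verify_against_bundle() {
  leaf="$1"; bundle="$2"
  if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
    echo "OK"; return 0
  fi
  echo "UNKNOWN_ISSUER"; return 1
}

# fetch_chain HOST OUT_PEM: save the certificate chain a live endpoint sends,
# so it can be checked against roots.pem with verify_against_bundle.
# Needs network access; not exercised by the offline demo below.
fetch_chain() {
  host="$1"; out="$2"
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' >"$out"
}

# make_test_pki DIR: constructed throw-away PKI (hypothetical names) with a
# root, a leaf signed by it, and an unrelated root that stands in for a
# roots.pem which does not contain the real issuer.
make_test_pki() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=backend.example.invalid" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root" \
    -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
}

# Offline demo: the right root validates, a bundle missing the issuer does not.
demo() {
  d="$(mktemp -d)"; make_test_pki "$d"
  verify_against_bundle "$d/leaf.pem" "$d/ca.pem"
  verify_against_bundle "$d/leaf.pem" "$d/other.pem" || true
  rm -rf "$d"
}
```

Against the real backend, run `fetch_chain <your-cloud-run-host> chain.pem` and then `verify_against_bundle chain.pem /roots.pem`; UNKNOWN_ISSUER there means the bundle does not contain the issuer of the certificate the service actually presents.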