Python secure channel gRPC 'ssl_transport_security.cc:1807] No match found for server name' on remote instance

I have a Debian GCP instance that I'm trying to run a Python gRPC server. My instance has a static IP and I'm trying to establish a secure channel between my remote instance (server) and a local client.

I have generated self-signed OpenSSL certificates on the server and I am using the same certificates on the client. To generate I've used:

    openssl req -newkey rsa:2048 -nodes -keyout ML.key -x509 -days 365 -out ML.crt

My server is set up like so (the .key and .crt files are loaded with an open as 'rb'):

    server_credentials = grpc.ssl_server_credentials(((private_key, certificate_chain,),))
    self.server.add_secure_port('0.0.0.0:%d' % self.port, server_credentials)
    self.server.start()

My client is set up as:

    host = '78.673.121.16' #this is the instance's static IP
    port = 9063

    certificate_chain = __load_ssl_certificate() #this loads the certificate file

    # create credentials
    credentials = grpc.ssl_channel_credentials(root_certificates=certificate_chain)

    # create channel using ssl credentials
    channel = grpc.secure_channel('{}:{}'.format(host, port), credentials)

and then I proceed to make a request.

At the server I am met with the following error, in response to my request:

E1017 17:21:22.964227087    1881 ssl_transport_security.cc:1807] No match found for server name: 78.673.121.16.

I have tried to change the Common Name (CN) of the certificate to localhost, 0.0.0.0 and 78.673.121.16 but to no avail.

Is there any suggestion?

There are 3 answers

0
Panos Filianos On BEST ANSWER

I have failed to find how to solve this and have opted to set up a permanent DNS for my instance instead. I was using GCP which, as of the time of writing, doesn't straightforwardly provide a way to assign this to an instance.

I switched to Azure, assigned the DNS to my instance and used that DNS and CN on my self-signed SSL certificate.

After that I changed the client (the server remains as originally) as:

    host = 'myinstance.westus.azure.com' #this is the instance's DNS
    port = 9063

This resolved my issue.

0
Michael Potter On

I just had a similar problem, and was able to get it resolved finally. In my case I was hosting the server in a Kubernetes cluster with a static IP and port. The key components of the solution were (in the server certificate):

  1. Use the static IP address as the Common Name
  2. Add the static IP address as a DNSName within the SubjectAlternativeName extension of the certificate

Step 2 turned out to be critical. In Python (using grpc version 1.34.0) this was accomplished by:

    from cryptography import x509
    host = '78.673.121.16'
    builder = x509.CertificateBuilder()
    ...
    builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
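
A complete version of the certificate build sketched in the answer above, as an added example that is not the answer author's code: it puts the host in both the CN and the SubjectAlternativeName, and goes one step further by also adding an iPAddress SAN entry (the standard SAN type for IP literals) when the host parses as an IP. The address 203.0.113.10 is a constructed documentation value, and `make_self_signed` and `san_entries` are hypothetical helper names.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_self_signed(host, days=365):
    """Return (key_pem, cert_pem) for a self-signed cert bound to `host`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)])
    # DNSName entry, as in the answer; iPAddress entry added when host is an IP.
    sans = [x509.DNSName(host)]
    try:
        sans.append(x509.IPAddress(ipaddress.ip_address(host)))
    except ValueError:
        pass  # host is a DNS name, not an IP literal
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def san_entries(cert_pem):
    """Read back the (DNS names, IP addresses) a client can match against."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (san.get_values_for_type(x509.DNSName),
            [str(ip) for ip in san.get_values_for_type(x509.IPAddress)])


if __name__ == "__main__":
    key_pem, cert_pem = make_self_signed("203.0.113.10")  # constructed sample IP
    print(san_entries(cert_pem))
```

The returned pair is what the question passes to `grpc.ssl_server_credentials`, and `cert_pem` alone is what the client passes as `root_certificates`.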

1
Chandan On

Try passing these options in the secure_channel function call:

    # Channel options are passed as a sequence of (name, value) pairs
    options = (
        ('grpc.ssl_target_name_override', 'localhost'),
        ('grpc.default_authority', 'localhost'),
    )
    channel = grpc.secure_channel('{}:{}'.format(host, port), credentials, options)