
OpenSSL certificate generation

The problem

On Go 1.15+, when using gRPC with TLS to encrypt the data transfer, a certificate error was reported:

rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for www.eline.com, not xxx"

panic: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for www.eline.com, not xxx"

The reason is that the certificate we are using was generated without the SAN extension (OpenSSL does not add it by default).

As a result, the connection between the client and the server cannot be established.

Start to solve the problem

Use a certificate that carries the SAN extension.

What is a SAN

SAN (Subject Alternative Name) is an extension defined in the X.509 standard. A certificate with a SAN field lists the additional names it is valid for, so a single certificate can cover several different domain names (and IP addresses).

Generate the CA root certificate

Create a new ca.conf

vim ca.conf

Write as follows:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
organizationName = Organization Name (eg, company)
organizationName_default = Sheld
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Ted CA Test

Create the CA private key to get ca.key

openssl genrsa -out ca.key 4096

Create the CA certificate signing request to get ca.csr

openssl req \
  -new \
  -sha256 \
  -out ca.csr \
  -key ca.key \
  -config ca.conf

At the interactive prompts, just press Enter all the way through to accept the defaults.

Generate the CA root certificate to get ca.crt

openssl x509 \
    -req \
    -days 3650 \
    -in ca.csr \
    -signkey ca.key \
    -out ca.crt

Generate end-user certificates

Prepare the configuration file: create a new server.conf

vim server.conf

Write as follows:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
organizationName = Organization Name (eg, company)
organizationName_default = Sheld
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
# This is important: the client code must use this same server name
commonName_default = xiaomotong

[ req_ext ]
subjectAltName = @ALT_NAMES

[ ALT_NAMES ]
DNS.1 = www.eline.com
# Go 1.15+ ignores the CN when checking the server name, so the name the
# client passes must also be listed here as a SAN entry
DNS.2 = xiaomotong
IP.1 = 127.0.0.1

Generate the server private key to get server.key

openssl genrsa -out server.key 2048

Generate the certificate signing request to get server.csr

openssl req \
  -new \
  -sha256 \
  -out server.csr \
  -key server.key \
  -config server.conf

At the interactive prompts, just press Enter all the way through to accept the defaults.

Sign the end-user certificate with the CA certificate to get server.pem

openssl x509 \
  -req \
  -days 3650 \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -in server.csr \
  -out server.pem \
  -extensions req_ext \
  -extfile server.conf

Now that the certificate has been generated, server.pem and server.key are the certificate and key we need.

Server code:

creds, err := credentials.NewServerTLSFromFile("./keys/server.pem", "./keys/server.key")

Client code:

creds, err := credentials.NewClientTLSFromFile("./keys/server.pem", "xiaomotong")

Okay, that's it for this time; next time I will share gRPC interceptors.

Technology is open, and our mindset should be open too. Embrace change, live up to the sun, and strive to move forward.

I am Nezha; likes and bookmarks are welcome. See you next time.