Generating OpenSSL certificates with the SAN extension

The problem

On Go 1.15+, using gRPC with TLS fails with a certificate error:

rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for www.eline.com, not xxx" panic: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for www.eline.com, not xxx"

This happens because the certificate we use was generated without the SAN extension (OpenSSL does not add it by default), and Go 1.15+ no longer falls back to the Common Name when a certificate has no SAN.

As a result, the client cannot connect to the server.

Start solving problems

Use a certificate with the SAN extension enabled.

What is a SAN

SAN (Subject Alternative Name) is an extension defined in the X.509 standard. A certificate that carries a SAN field can list additional names, so one certificate can be valid for multiple domain names (and IP addresses).

Generate the CA root certificate

Create ca.conf

vim ca.conf

Write as follows:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
organizationName = Organization Name (eg, company)
organizationName_default = Sheld
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Ted CA Test

Generate the CA private key, obtaining ca.key

openssl genrsa -out ca.key 4096

Generate a CA certificate signing request, obtaining ca.csr

openssl req \
  -new \
  -sha256 \
  -out ca.csr \
  -key ca.key \
  -config ca.conf

Press Enter to accept each default when prompted.

Generate the CA root certificate, obtaining ca.crt

openssl x509 \
    -req \
    -days 3650 \
    -in ca.csr \
    -signkey ca.key \
    -out ca.crt

Generate the end user certificate

Prepare the configuration file, server.conf

Create server.conf

vim server.conf

Write as follows:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
organizationName = Organization Name (eg, company)
organizationName_default = Sheld
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = xiaomotong

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.xiaomotong.com
IP = 127.0.0.1

It is important that the Common Name matches the server name used in the client code.

Generate the private key, obtaining server.key

openssl genrsa -out server.key 2048

Generate a certificate signing request, obtaining server.csr

openssl req \
  -new \
  -sha256 \
  -out server.csr \
  -key server.key \
  -config server.conf

Press Enter to accept each default when prompted.

Use the CA certificate to sign the end-user certificate, obtaining server.pem

openssl x509 \
  -req \
  -days 3650 \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -in server.csr \
  -out server.pem \
  -extensions req_ext \
  -extfile server.conf

Now that the certificate has been generated, server.pem and server.key are the certificate and key we need.

Server code:

creds, err := credentials.NewServerTLSFromFile("./keys/server.pem", "./keys/server.key")

Client code:

creds, err := credentials.NewClientTLSFromFile("./keys/server.pem", "xiaomotong")
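To see why the SAN extension matters, here is an added Go example (not code from the original post) that self-signs a constructed certificate with the same CN and alt_names as server.conf above, then runs the hostname check a Go gRPC client performs against the name passed to NewClientTLSFromFile. It shows that only names listed in the SAN are accepted; the Common Name alone no longer counts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildCert self-signs a constructed test cert for CN "xiaomotong"; withSAN adds the alt_names of server.conf.
func buildCert(withSAN bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "xiaomotong"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withSAN { // the subjectAltName extension that Go 1.15+ requires
		tmpl.DNSNames = []string{"www.xiaomotong.com"}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyFor runs the check a client makes against the dialled server name; nil means the handshake would pass.
func VerifyFor(serverName string, withSAN bool) error {
	cert, err := buildCert(withSAN)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trusted directly, like handing server.pem to the client
	_, err = cert.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	return err
}
func main() {
	fmt.Println(VerifyFor("www.xiaomotong.com", true), VerifyFor("xiaomotong", true), VerifyFor("xiaomotong", false))
}
```

The first call succeeds because www.xiaomotong.com is in the SAN; the other two fail because "xiaomotong" appears only as the Common Name, so a client must dial a name listed under alt_names.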

Well, I'll stop here and share the gRPC interceptor next time.

Technology is open, and our mindset should be even more open. Embrace change, live in the sunshine, and keep moving forward.

I am Nezha, welcome to like, see you next time ~