simplesteph / grpc-go-course Goto Github PK

Issue

Summary

If GO 1.15 is used and TLS is enabled in the gRPC server, then an error will occur.

Which version of Go are you using (go version)?

$ go version

go version go1.15.2 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What did you do?

1. Run the server and client without TLS (No Error will occur)

$ go run greet/greet_server/server.go

Hello world

$ go run greet/greet_client/client.go

Hello I'm a client
Starting to do a Unary RPC...
2020/12/05 18:51:36 Response from Greet: Hello Stephane

2. Enabled TLS in the server and client

greet/greet_server/server.go

func main() {
	fmt.Println("Hello world")
        ...
	
	tls := true // This was false
        ...
	if tls {
		...
	}

       ...
	
}

greet/greet_client/client.go

func main() {

	fmt.Println("Hello I'm a client")
        
	tls := true // This was false
	...
	if tls {
               ...
		
		}
		...
	}
       ...
}

3. Run the server and the client now with TLS enabled (Error will occur)

$ go run greet/greet_server/server.go

Hello world

$ go run greet/greet_client/client.go

Hello I'm a client
Starting to do a Unary RPC...
2020/12/05 18:56:47 error while calling Greet RPC: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
exit status 1

What did you expect to see?

I expected to see the same result regardless if TLS is disabled or enabled

$ go run greet/greet_client/client.go

Hello I'm a client
Starting to do a Unary RPC...
2020/12/05 18:51:36 Response from Greet: Hello Stephane

What did you see instead?

$ go run greet/greet_client/client.go

Hello I'm a client
Starting to do a Unary RPC...
2020/12/05 18:56:47 error while calling Greet RPC: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
exit status 1

Why did this issue occur?

In Go 1.15 the server name should be found in the subject alternative names and not just in the common name. The current server.crt generated does not have that as shown below:

openssl x509 -in ssl/server.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=localhost
        Validity
            Not Before: Jul 13 07:18:01 2018 GMT
            Not After : Jul 10 07:18:01 2028 GMT
        Subject: CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9c:09:c7:2e:57:58:c3:00:24:af:2f:77:60:c9:
                    ec:d9:a8:44:d2:c4:1e:c2:39:6b:8a:8f:f5:04:4e:
                    ba:cc:92:56:f2:07:02:9d:8e:92:58:98:af:06:a6:
                    31:08:94:96:0b:e2:9f:33:4a:87:f6:73:04:d7:97:
                    db:2b:c9:19:7b:01:2c:cf:b3:d0:63:d6:af:34:cf:
                    b0:0b:6d:6c:5c:42:22:4e:92:07:97:8b:f6:8e:ae:
                    ba:d8:42:f7:26:96:e7:00:86:cd:3d:e4:ca:cb:52:
                    da:69:b5:6b:cd:96:9e:c2:8b:10:11:6b:de:51:c6:
                    42:46:9d:aa:c6:f3:f4:89:44:3b:31:8f:f3:40:c8:
                    6f:14:f5:69:e5:28:65:cd:36:95:e9:ed:ce:38:5b:
                    79:93:58:48:45:7b:67:17:bd:f3:3c:73:d8:93:05:
                    bc:7a:a2:fd:e5:f6:88:e7:d5:79:f6:81:4a:a9:bd:
                    8d:66:dc:bf:0f:5f:4e:dc:4b:0d:96:29:a3:3f:15:
                    6a:cf:02:af:3c:a2:8d:d5:00:d4:dc:38:75:f0:0b:
                    3b:01:c7:f8:45:0b:d9:a8:c4:12:e3:af:fb:67:98:
                    25:78:72:60:a3:1f:cd:9b:dd:83:ca:78:f8:be:65:
                    4f:76:19:31:9b:d7:b5:89:2f:a8:36:72:9a:8c:cd:
                    47:a4:c6:20:14:97:c8:7e:b0:bc:1e:b9:69:61:3f:
                    b0:2c:b5:db:d1:9d:fd:4e:28:0d:1d:6b:81:f8:98:
                    d8:b8:ba:86:fb:0b:c0:d8:75:5b:c6:b2:19:9f:a8:
                    90:71:fe:b7:b7:fe:81:69:15:ed:7b:8c:a7:ec:7c:
                    a1:6c:fa:19:a1:d7:9a:d4:d7:17:c5:b2:42:5e:0d:
                    af:15:94:e6:95:6c:5f:f8:fe:f2:96:29:43:4b:33:
                    e4:a2:46:e3:a3:48:f1:8b:ec:57:07:9f:af:d5:ee:
                    42:65:d9:fd:cb:c5:a6:1e:ed:b4:49:9c:ff:f6:8d:
                    c7:43:43:c0:3b:5c:18:81:f3:61:8c:b7:4c:71:11:
                    0c:85:16:34:44:2e:c5:a1:b5:51:11:f0:6e:cd:41:
                    ab:d2:ea:26:11:93:3c:ee:0e:30:02:0b:41:51:0f:
                    1d:c8:1f:ad:c5:77:79:2d:54:1f:7c:0e:b6:4e:36:
                    bb:d6:fe:3b:f6:bd:b1:5b:e1:15:30:cd:26:03:4c:
                    47:70:01:07:db:d2:11:ef:a9:03:9b:ac:87:52:1f:
                    a4:b8:f1:71:1a:c9:c1:04:f9:14:4b:83:63:da:be:
                    ad:51:a4:01:62:e0:43:49:c5:f2:1e:b5:30:87:61:
                    e5:92:04:5b:13:f2:e8:2b:0c:1f:36:3b:43:ae:9a:
                    d5:07:71
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         34:81:dc:bc:5f:5a:a9:f3:c9:95:8e:db:88:54:14:d8:07:45:
         4e:95:90:ee:28:54:13:15:4a:dd:eb:0c:1c:f0:ac:36:7d:e8:
         98:06:1e:ad:97:37:bf:6c:ac:6c:7e:57:a9:e0:d1:41:2b:a7:
         4a:95:4e:8a:7e:e3:fe:2c:c1:94:75:62:fa:33:38:ba:1d:84:
         4b:1f:d5:5b:ad:cc:ad:94:b4:ae:b2:f9:e7:b6:71:d8:89:bb:
         d5:0e:07:59:04:bc:63:45:1b:f0:88:c8:0c:01:9f:d9:6d:f5:
         0a:ea:20:c4:2b:ce:bf:f8:31:f6:62:ce:b4:fa:69:69:a9:72:
         d0:07:a6:58:51:77:58:b5:b6:8a:85:c9:71:4a:d7:ae:5b:58:
         a9:b4:ef:e9:59:61:ac:56:63:5c:2f:2c:1d:81:8b:33:e3:dd:
         52:0e:cc:16:b0:13:39:65:bf:83:51:45:5d:93:0a:b8:d9:0e:
         c5:1b:3a:cd:72:62:cc:42:85:7d:d3:c1:82:cf:32:c6:fd:2c:
         de:4d:43:00:6e:c1:90:f0:ed:bd:4f:8d:1a:bf:62:61:24:42:
         ab:41:43:f8:11:bf:c8:e4:83:de:00:d6:1e:b1:d9:36:c6:db:
         92:c4:46:7e:10:43:02:95:66:b8:58:3c:e7:86:c8:dc:06:9d:
         ef:2e:a1:87:71:36:da:7e:76:06:05:c7:32:90:80:b1:c0:96:
         56:b4:2c:59:4b:e7:ba:ef:a6:b2:e2:bf:18:a2:f5:5d:0d:17:
         44:ef:80:ff:85:16:3f:bd:bd:3b:68:3e:05:6c:a7:72:94:4a:
         45:db:3d:98:82:68:0d:05:55:b0:42:92:b3:ad:17:3c:3f:d6:
         73:95:a2:e4:86:98:a9:8d:fd:28:2a:36:f9:b1:c9:b9:94:d6:
         0d:f5:df:b9:ec:5a:54:55:97:c3:48:b7:05:b2:33:7d:bf:be:
         3c:23:5d:bb:e2:9b:b9:25:ba:77:15:39:c8:28:5e:69:4f:fe:
         f0:a9:1b:1e:71:06:46:a7:28:0e:bf:43:31:02:05:93:ed:2f:
         28:f6:e2:99:cb:0f:a5:cc:dd:63:6a:e9:11:d1:35:f1:88:e1:
         ca:aa:de:6a:5d:a5:3f:f3:78:11:f9:80:e3:fc:ca:2e:df:d7:
         b8:30:8a:ad:ab:51:92:71:e1:56:e0:a7:ec:9d:ca:62:5a:2c:
         c3:52:bb:53:93:47:91:99:30:e2:3a:de:8a:e3:7c:bd:52:66:
         62:4c:6e:56:56:ca:25:f8:a1:e9:3b:57:f6:85:a9:2d:d7:e9:
         c9:fd:96:10:3f:ec:2e:5c:72:22:6d:c2:13:49:0a:b4:65:05:
         77:f9:7c:47:d1:13:9b:1e

Solution

So we just need to change the instructions.sh to generate a server.crt with localhost in the SAN

In the example for deadline, the server should check for DeadlineExceeded instead of cancelled, otherwise the if block will not be entered.
Instead of
if ctx.Err() == context.Cancelled { //do stuff here }

it should be
if ctx.Err() == context.DeadlineExceeded { //do stuff here }

Hello
I am trying to study your course, but I can not pass a 17th path of the Lesson
First protoc format and keys was changed and I was needed to read a documentation for update keys and set the full path for package.

For now I am trying to follow a simple add listener and getting error
server.go

package main

import (
	"fmt"
	"github.com/davidka79/go-grp-study/greet/greetpb"
	"google.golang.org/grpc"
	"log"
	"net"
)

type server struct {}


func main() {
	fmt.Println("Hello World")

	lis, err := net.Listen("tcp", "0.0.0.0:50051")
	if err != nil {
		log.Fatalf("Failed %v", err)
	}
	s := grpc.NewServer()
	greetpb.RegisterGteetServiceServer(s, &server{})

	if err := s.Serve(lis); err != nil {
		log.Fatalf("Failed to serve %v", err)
	}
}

here at greetpb.RegisterGteetServiceServer(s, &server{}) the error that *"Cannot use '&server{}' (type server) as the type GteetServiceServer Type does not implement 'GteetServiceServer' as some methods are missing: mustEmbedUnimplementedGteetServiceServer()"

I tried many ways but still not succeed, probably need to update code, but I do not know what to do

With the current code, if we handle the errors at the connection closing with MongoDB and at the listener closing, we've got errors : "accept tcp [::]:50051: use of closed network connection".

So we need to, first, close the connection with MongoDB, then, close the listener and, finally, stop the server.

Solution :

// Correct order :
// First we close the connection with MongDB:
fmt.Println("Closing MongoDB Connection")
client.Disconnect(context.TODO())
if err := client.Disconnect(context.TODO()); err != nil {
	log.Fatalf("Error on disconnection with MongoDB : %v", err)
}
// Second step : closing the listener
fmt.Println("Closing the listener")
if err := lis.Close(); err != nil {
    log.Fatalf("Error on closing the listener : %v", err)
}
// Finally, we close the server
fmt.Println("Stopping the server")
s.Stop()
fmt.Println("End of Program")`

I think the correction done at here is out-of-date: https://github.com/simplesteph/grpc-go-course/pull/1/files

we need to change "github.com/mongodb/mongo-go-driver/bson/primitive" to "go.mongodb.org/mongo-driver/bson/primitive"

Hi,
In the Udemy course, you have created a docker-compose file from the github repo, but I couldn't find one here. Why?

GRPC Version - 1.37.0-dev
openssl version - 1.1.1

Steps to reproduce :-

1. Generate CA root, server and client keys/certificates for mutual SSL authentication using the steps as attached in gen_certs.sh
2. Provide an extension file named ssl.cnf so that alternate subject domain names can be inserted while generating server/client certificates.
3. Both pairs of server and client certificates are used in c++ server & client applications.

Expected result :-
API's should be triggered without any errors.

Actual result :-
Get the below error message on the client side

Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
14: failed to connect to all addresses
RPC failed

However , if the certificates are generated without the SAN feature, calls are triggered successfully.
I'm stuck here since past 3 days and a prompt help would be highly appreciated.
I need to understand what would be the correct way of generating the client/server certificates with the SAN option
certificates.zip

Hello everyone
After I created the certificate, I run the client program I met some bugs. It looks like the under image

And this is a instructions.sh

Could you help me? Thank all.