grpc-node TLS sample code is not complete. #273
Comments
|
There is some confusion here and I'm not certain if you are trying to initiate a "normal" TLS connection to a server from the client side or if you are instead trying to connect to a server that performs client authentication via certs ("mutual TLS"). If it is the latter ("mutual TLS"), then you do need to pass the client cert ( If it is the former (you are not doing mutual TLS), the optional Hopefully that helps. I stumbled on this issue looking for other issues here and thought I would try to help clear things up. |
|
grpc nodejs docs are appalling. What shall I supply in root_certs? Buffer of what? |
|
@celesteking were you able to figure that out? We are having the same issue. In particular, node's root certs (require("tls").rootCertificates) are an array of strings |
|
The root certs is supposed to be a Buffer loaded from a root certificates file. If you want to use the default public root certificates, just omit that argument. It is supposed to be used with self-signed certificates, or certificates that otherwise don't have a signing chain that includes one of the main root certificate authorities. An example of self-signed certificates can be found in this directory: https://github.com/grpc/grpc-node/tree/master/test/data. The |
|
@murgatroid99 I don't believe the code works like that. The following example from the grpc-js, but I believe the native version works the same way. If ssl is missing, it looks for an environment variable called |
|
If that environment variable is not set, it defaults to using the built in root certificates. Also, I'm not sure if this is clear: one .pem file can contain information for multiple certificates. |
|
Thank you guys for the time on this ticket. |
|
Was also looking at just doing a TLS client connection from node (not mutual TLS) and couldn't get it working. The Java and Go equivalent are fairly straightforward but was unable to get it working in node. |
|
Using |
|
it is super easy to create a grpc ssl server you only have to import the certificates in my case with letsencrypt let credentials = grpc.ServerCredentials.createSsl(null await server.bindAsync("0.0.0.0:50051", credentials, (error, port) => { |
|
Creating a server is straightforward based on the docs, it is the client-side what is lacking docs and possibly features. I have managed to create server-side with a Node server, connecting golang clients, but I cannot add Node clients the same manner as with golang. I would like to achieve server-side TLS.
Authenticate using a public key, not using a CA, is this feature missing? |
|
On the server side, you need to use |
|
Server-side, the node component being the client, |
|
I had a use case where I needed to test minimal setup of gRPC SSL on LAN with Node.js across multiple devices and without being familiar in detail with gRPC and SSL (plus everyone names root and intermediate certificates differently making it confusing sometimes) It took me couple days of frustration with lack of examples for server setup, so I made small server-client example for localhost in case anyone finds it useful: sample-grpc-ssl. It uses selfsigned certs with node-forge (Alternative with openssl here) or can replace them with letsencrypt or other |
|
@murgatroid99 can you please give some sample code in nodejs for server to apply TLS ServerCredentials.createSsl(). for this thing it will be really helpful or any link where in nodejs server side and client side TLS is setup sir please |
|
Example, if you have to use combine import grpc from '@grpc/grpc-js';
import { readFileSync } from 'node:fs';
import tls from 'node:tls';
import { EOL } from 'node:os';
import type { ClientOptions } from '@grpc/grpc-js';
import type {VerifyOptions} from "@grpc/grpc-js/src/channel-credentials";
const systemRootCerts = Buffer.from(tls.rootCertificates.join(EOL));
const myRootCert = readFileSync('config/certs/ca-cert.pem')
const rootCerts = Buffer.concat([myRootCert, systemRootCerts])
const privateKey = readFileSync('config/certs/client-key.pem')
const certChain = readFileSync('config/certs/client-cert.pem')
const verifyOptions: VerifyOptions = {}
const channelCredentials = grpc.credentials.createSsl(rootCerts, privateKey, certChain, verifyOptions)
console.debug('endpoints', endpoints);
// If no ServerName is set, infer the ServerName from the hostname we're connecting to.
const hostname = endpoints.engine?.split(':')[0] ?? 'localhost';
console.debug('engine hostname:', hostname);
const clientOptions: ClientOptions = {
'grpc.ssl_target_name_override': hostname,
'grpc.default_authority': hostname
};
const transport = new GrpcTransport({ host: endpoints.engine, channelCredentials, clientOptions });
const engineServiceClient = new EngineServiceClient(transport); |
|
I wrote an article about it - https://itnext.io/how-to-setup-and-test-tls-in-grpc-grpc-web-1b67cc4413e6 |
Hi gurus,
I am a newbee to node.js and grpc. So a good sample code is really appreciated.
The grpc-node TLS sample code is in https://grpc.io/docs/guides/auth.html#nodejs not complete.
For example, no sample code for TLS client side.
The strange thing is,
https://grpc.io/grpc/node/grpc.credentials.html
createSsl( [root_certs] [, private_key] [, cert_chain])
Create an SSL Credentials object. If using a client-side certificate, both the second and third arguments must be passed.
Why are private key and cert chain needed for client side?
They are not needed for grpc-go TLS client side.
grpc/grpc-go#1980
The text was updated successfully, but these errors were encountered: