Tags: dotnet, network_error, ai_generated, partial

Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses; last error: UNKNOWN: No match found for server name")

ID: dotnet/grpc-client-ssl-error

Fix rate: 80%
Confidence: 81%
Evidence: 1
First seen: 2024-01-05

Version Compatibility

Version                    Status   Introduced   Deprecated   Notes
Grpc.Net.Client 2.49.x     active   -            -            -
Grpc.Net.Client 2.50.x     active   -            -            -
Grpc.Net.Client 2.51.x     active   -            -            -
Grpc.Net.Client 2.52.x     active   -            -            -

Root Cause

gRPC client SSL/TLS handshake fails because the server certificate's Subject Alternative Name (SAN) does not match the hostname used in the client channel address.


Official Documentation

https://learn.microsoft.com/en-us/aspnet/core/grpc/troubleshoot?view=aspnetcore-8.0#ssl-errors

Workarounds

  1. (90% success) Ensure the server certificate's SAN includes the exact hostname used in the client channel address (e.g., myserver.local).
  2. (85% success) Use the correct hostname in the gRPC channel, matching the certificate SAN, especially when behind a load balancer.
  3. (70% success) If using self-signed certificates for development, add the certificate to the trusted root store and use a matching hostname.


Dead Ends

Common approaches that don't work:

  1. (95% fail) Disabling SSL validation entirely (using HttpClientHandler.ServerCertificateCustomValidationCallback) creates a security vulnerability and does not fix the SAN mismatch.
  2. (90% fail) Using an IP address instead of a hostname in the channel address still fails if the certificate does not have an IP SAN.
  3. (85% fail) Setting the GRPC_DNS_RESOLVER environment variable does not affect SSL certificate validation.