# Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses; last error: UNKNOWN: No match found for server name") - **ID:** `dotnet/grpc-client-ssl-error` - **Domain:** dotnet - **Category:** network_error - **Verification:** ai_generated - **Fix Rate:** 80% ## Root Cause gRPC client SSL/TLS handshake fails because the server certificate's Subject Alternative Name (SAN) does not match the hostname used in the client channel address. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Grpc.Net.Client 2.49.x | active | — | — | | Grpc.Net.Client 2.50.x | active | — | — | | Grpc.Net.Client 2.51.x | active | — | — | | Grpc.Net.Client 2.52.x | active | — | — | ## Workarounds 1. **Ensure the server certificate's SAN includes the exact hostname used in the client channel address (e.g., myserver.local).** (90% success) ``` Ensure the server certificate's SAN includes the exact hostname used in the client channel address (e.g., myserver.local). ``` 2. **Use the correct hostname in the gRPC channel, matching the certificate SAN, especially when behind a load balancer.** (85% success) ``` Use the correct hostname in the gRPC channel, matching the certificate SAN, especially when behind a load balancer. ``` 3. **If using self-signed certificates for development, add the certificate to trusted root store and use matching hostname.** (70% success) ``` If using self-signed certificates for development, add the certificate to trusted root store and use matching hostname. ``` ## Dead Ends - **** — Disabling SSL validation entirely (using HttpClientHandler.ServerCertificateCustomValidationCallback) creates security vulnerability and doesn't fix SAN mismatch. (95% fail) - **** — Using IP address instead of hostname in channel address still fails if certificate doesn't have IP SAN. (90% fail) - **** — Setting GRPC_DNS_RESOLVER environment variable doesn't affect SSL certificate validation. (85% fail)