Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses; last error: UNKNOWN: No match found for server name")
ID: dotnet/grpc-client-ssl-error
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Grpc.Net.Client 2.49.x | active | — | — | — |
| Grpc.Net.Client 2.50.x | active | — | — | — |
| Grpc.Net.Client 2.51.x | active | — | — | — |
| Grpc.Net.Client 2.52.x | active | — | — | — |
Root cause analysis
gRPC client SSL/TLS handshake fails because the server certificate's Subject Alternative Name (SAN) does not match the hostname used in the client channel address.
Official documentation
https://learn.microsoft.com/en-us/aspnet/core/grpc/troubleshoot?view=aspnetcore-8.0#ssl-errors
Solutions
- Ensure the server certificate's SAN includes the exact hostname used in the client channel address (e.g., myserver.local).
- Use the correct hostname in the gRPC channel, matching the certificate SAN, especially when behind a load balancer.
- If using self-signed certificates for development, add the certificate to the trusted root store and use a matching hostname.
Ineffective attempts
Common but ineffective approaches:
- 95% failure: Disabling SSL validation entirely (using HttpClientHandler.ServerCertificateCustomValidationCallback) creates a security vulnerability and doesn't fix the SAN mismatch.
- 90% failure: Using an IP address instead of a hostname in the channel address still fails if the certificate doesn't have an IP SAN.
- 85% failure: Setting the GRPC_DNS_RESOLVER environment variable doesn't affect SSL certificate validation.
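The SAN matching rule behind the solutions and the IP-address case above can be checked offline. This is an added example, not code from the original page or from the gRPC project. It assumes .NET 7 or later (for `X509Certificate2.MatchesHostname`), and the names `lb.example.internal` and `10.0.0.5` are constructed sample values.

```csharp
// Added example (not from the original page). Requires .NET 7+ for MatchesHostname.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SanMismatchDemo
{
    // Build a throwaway self-signed certificate with the given SAN entries.
    static X509Certificate2 BuildCert(string dnsName, params IPAddress[] ipSans)
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest($"CN={dnsName}", key, HashAlgorithmName.SHA256);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        foreach (var ip in ipSans) san.AddIpAddress(ip);
        request.CertificateExtensions.Add(san.Build());
        var now = DateTimeOffset.UtcNow;
        return request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1));
    }

    // True when the host part of the channel address is covered by the certificate's SAN.
    static bool ChannelHostMatches(X509Certificate2 cert, string channelAddress)
    {
        string host = new Uri(channelAddress).Host;
        return cert.MatchesHostname(host, allowWildcards: true, allowCommonName: false);
    }

    static void Main()
    {
        // Constructed sample addresses; only myserver.local appears on the page.
        string[] addresses =
        {
            "https://myserver.local:5001",       // same name as the SAN
            "https://lb.example.internal:5001",  // load balancer name missing from the SAN
            "https://10.0.0.5:5001",             // IP address used as the channel host
        };

        using var dnsOnly = BuildCert("myserver.local");
        using var dnsAndIp = BuildCert("myserver.local", IPAddress.Parse("10.0.0.5"));

        foreach (var address in addresses)
        {
            Console.WriteLine($"{address,-34} DNS-only SAN: {ChannelHostMatches(dnsOnly, address),-5}  DNS+IP SAN: {ChannelHostMatches(dnsAndIp, address)}");
        }
    }
}
```

Any address that reports False against the certificate your server actually presents will fail the handshake until the channel address or the certificate's SAN is changed.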