# Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="无法连接到所有地址；最后一个错误：UNKNOWN: 未找到服务器名称匹配")

- **ID:** `dotnet/grpc-client-ssl-error`
- **领域:** dotnet
- **类别:** network_error
- **验证级别:** ai_generated
- **修复率:** 80%

## 根因

gRPC 客户端 SSL/TLS 握手失败，因为服务器证书的主题备用名称 (SAN) 与客户端通道地址中使用的主机名不匹配。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Grpc.Net.Client 2.49.x | active | — | — |
| Grpc.Net.Client 2.50.x | active | — | — |
| Grpc.Net.Client 2.51.x | active | — | — |
| Grpc.Net.Client 2.52.x | active | — | — |

## 解决方案

1. ```
   Ensure the server certificate's SAN includes the exact hostname used in the client channel address (e.g., myserver.local).
   ```
2. ```
   Use the correct hostname in the gRPC channel, matching the certificate SAN, especially when behind a load balancer.
   ```
3. ```
   If using self-signed certificates for development, add the certificate to trusted root store and use matching hostname.
   ```

## 无效尝试

- **** — Disabling SSL validation entirely (using HttpClientHandler.ServerCertificateCustomValidationCallback) creates security vulnerability and doesn't fix SAN mismatch. (95% 失败率)
- **** — Using IP address instead of hostname in channel address still fails if certificate doesn't have IP SAN. (90% 失败率)
- **** — Setting GRPC_DNS_RESOLVER environment variable doesn't affect SSL certificate validation. (85% 失败率)