grpc auth_error ai_generated true

UNAVAILABLE: grpc: client certificate required for mutual TLS

ID: grpc/client-certificate-required

Fix Rate: 90%
Confidence: 86%
Evidence: 1
First Seen: 2024-02-05

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| gRPC Go 1.64.0 | active | | | |
| gRPC Python 1.63.0 | active | | | |
| gRPC Java 1.62.0 | active | | | |

Root Cause

The gRPC server is configured for mutual TLS (mTLS) but the client did not provide a certificate, causing the TLS handshake to fail.

generic


Official Documentation

https://grpc.io/docs/guides/auth/#with-client-side-ssl

Workarounds

  1. (95% success) Configure the client with a valid client certificate and key: `creds = grpc.ssl_channel_credentials(root_certificates=root_cert, private_key=client_key, certificate_chain=client_cert)`, then use `grpc.secure_channel('host:port', creds)`.
  2. (85% success) If testing, generate a client certificate using openssl: `openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt` and pass it to the credentials.


Dead Ends

Common approaches that don't work:

  1. Disable TLS entirely by using an insecure channel (90% fail)

    The server requires TLS; insecure connections are rejected at the transport level.

  2. Use a self-signed server certificate on the client but no client certificate (80% fail)

    The client still does not provide the required certificate, so mTLS fails anyway.

  3. Set the client certificate path to an empty string, hoping the server skips validation (70% fail)

    gRPC requires a valid certificate file; an empty path causes an error or results in no certificate being sent.
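
A preflight check for workaround 1 that also catches dead end 3 before the handshake: this is an added example, not code from the gRPC project or from this record. The names `MTLSConfigError`, `load_client_identity` and `mtls_channel` are hypothetical, and the certificate and key are assumed to be PEM files on disk.

```python
import os
import ssl


class MTLSConfigError(Exception):
    """Client identity is missing or unusable, so no certificate would be sent."""


def _read_pem(path, label):
    # An empty path or empty file otherwise shows up only as a failed handshake.
    if not path:
        raise MTLSConfigError(f"{label}: path is empty")
    if not os.path.isfile(path):
        raise MTLSConfigError(f"{label}: {path} does not exist")
    with open(path, "rb") as fh:
        data = fh.read()
    if b"-----BEGIN " not in data:
        raise MTLSConfigError(f"{label}: {path} contains no PEM block")
    return data


def load_client_identity(cert_path, key_path):
    """Return (private_key, certificate_chain) bytes, or raise MTLSConfigError."""
    chain = _read_pem(cert_path, "client certificate")
    key = _read_pem(key_path, "client key")
    # Let OpenSSL confirm that the PEM parses and the key belongs to the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise MTLSConfigError(f"certificate/key pair rejected: {exc}") from exc
    return key, chain


def mtls_channel(target, root_path, cert_path, key_path):
    """Build a gRPC channel that presents the client certificate (workaround 1)."""
    import grpc  # imported lazily so the checks above run without grpcio installed

    root = _read_pem(root_path, "root CA")
    key, chain = load_client_identity(cert_path, key_path)
    creds = grpc.ssl_channel_credentials(
        root_certificates=root, private_key=key, certificate_chain=chain
    )
    return grpc.secure_channel(target, creds)
```

These checks only prove that the client has a usable identity to present. The server must still trust the certificate's issuer, so a self-signed test certificate from workaround 2 has to be added to the server's client CA bundle.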