# UNAVAILABLE: grpc: client certificate required for mutual TLS

- **ID:** `grpc/client-certificate-required`
- **Domain:** grpc
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The gRPC server is configured for mutual TLS (mTLS) but the client did not provide a certificate, causing the TLS handshake to fail.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| gRPC Go 1.64.0 | active | — | — |
| gRPC Python 1.63.0 | active | — | — |
| gRPC Java 1.62.0 | active | — | — |

## Workarounds

1. **Configure client with a valid client certificate and key: `creds = grpc.ssl_channel_credentials(root_certificates=root_cert, private_key=client_key, certificate_chain=client_cert)` then use `grpc.secure_channel('host:port', creds)`** (95% success)
   ```
   Configure client with a valid client certificate and key: `creds = grpc.ssl_channel_credentials(root_certificates=root_cert, private_key=client_key, certificate_chain=client_cert)` then use `grpc.secure_channel('host:port', creds)`
   ```
2. **If testing, generate client cert using openssl: `openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt` and pass to credentials** (85% success)
   ```
   If testing, generate client cert using openssl: `openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt` and pass to credentials
   ```

## Dead Ends

- **Disable TLS entirely by using insecure channel** — Server requires TLS; insecure connections are rejected at transport level. (90% fail)
- **Use a self-signed server certificate on client but no client cert** — Client still does not provide required certificate; mTLS fails anyway. (80% fail)
- **Set client certificate path to empty string hoping server skips validation** — gRPC requires a valid certificate file; empty path causes error or no certificate. (70% fail)