grpc
auth_error
ai_generated
true
UNAVAILABLE: grpc: client certificate required for mutual TLS
ID: grpc/client-certificate-required
Fix rate: 90%
Confidence: 86%
Evidence count: 1
First seen: 2024-02-05
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| gRPC Go 1.64.0 | active | — | — | — |
| gRPC Python 1.63.0 | active | — | — | — |
| gRPC Java 1.62.0 | active | — | — | — |
Root cause analysis
The gRPC server is configured for mutual TLS (mTLS) but the client did not provide a certificate, causing the TLS handshake to fail.
Official documentation
https://grpc.io/docs/guides/auth/#with-client-side-ssl
Solutions
- Configure the client with a valid client certificate and key: `creds = grpc.ssl_channel_credentials(root_certificates=root_cert, private_key=client_key, certificate_chain=client_cert)`, then open the channel with `grpc.secure_channel('host:port', creds)`.
- For testing, generate a client certificate with openssl: `openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt` and pass it to the credentials.
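Added example (not from the original page or the gRPC project): a Go standard-library reproduction of the handshake rule behind this error, with an HTTPS test server standing in for a gRPC server. The helper names `newClientCert` and `call` and the generated Ed25519 certificates are constructed for this illustration; it goes one step beyond the page by also showing that a freshly generated self-signed client certificate is rejected unless the server's client CA pool trusts it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClientCert returns a throwaway self-signed client cert (constructed data) and a pool trusting it.
func newClientCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// call sends one request to a local mTLS server and returns what the client sees (nil = accepted).
func call(trusted *x509.CertPool, offered ...tls.Certificate) error {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	srv.StartTLS()
	defer srv.Close()
	srv.Client().Transport.(*http.Transport).TLSClientConfig.Certificates = offered
	resp, err := srv.Client().Get(srv.URL) // this client already trusts the test server's cert
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	good, pool := newClientCert()
	other, _ := newClientCert() // same shape, but never added to the server's pool
	fmt.Printf("none: %v\nuntrusted: %v\ntrusted: %v\n", call(pool), call(pool, other), call(pool, good))
}
```

In gRPC-Go the same `tls.Config` fields are handed to the transport through `credentials.NewTLS`.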
Ineffective attempts
Common but ineffective approaches:
- Disable TLS entirely by using an insecure channel
  90% failure
  Server requires TLS; insecure connections are rejected at transport level.
- Use a self-signed server certificate on client but no client cert
  80% failure
  Client still does not provide required certificate; mTLS fails anyway.
- Set client certificate path to empty string hoping server skips validation
  70% failure
  gRPC requires a valid certificate file; empty path causes error or no certificate.