# UNAVAILABLE: grpc: mutual TLS requires a client certificate

- **ID:** `grpc/client-certificate-required`
- **Domain:** grpc
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 90%

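## Root cause

The gRPC server is configured for mutual TLS (mTLS), but the client presents no certificate, so the TLS handshake fails.

## Version compatibility

| Version | Status | Introduced | Deprecated |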
|------|------|------|------|
| gRPC Go 1.64.0 | active | — | — |
| gRPC Python 1.63.0 | active | — | — |
| gRPC Java 1.62.0 | active | — | — |

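## Solutions

1. Configure the client with a valid client certificate and key: `creds = grpc.ssl_channel_credentials(root_certificates=root_cert, private_key=client_key, certificate_chain=client_cert)`, then open the channel with `grpc.secure_channel('host:port', creds)`.
2. For testing, generate a client certificate with openssl: `openssl req -newkey rsa:2048 -nodes -keyout client.key -x509 -days 365 -out client.crt` and pass it to the credentials. This produces a self-signed certificate, so the server's trusted client CA bundle must include it.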

## Failed attempts

- **Disable TLS entirely by using insecure channel** — Server requires TLS; insecure connections are rejected at transport level. (90% failure rate)
- **Use a self-signed server certificate on client but no client cert** — Client still does not provide required certificate; mTLS fails anyway. (80% failure rate)
- **Set client certificate path to empty string hoping server skips validation** — gRPC requires a valid certificate file; empty path causes error or no certificate. (70% failure rate)
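A preflight for the client identity from solution 1, written as an added example (not code from gRPC or from this entry): it catches the empty-path and missing-certificate cases listed above before the channel is built. The function names `check_pem`, `preflight` and `mtls_channel` and the file paths passed to them are assumptions, and the key is assumed to be unencrypted, as produced by `-nodes`.

```python
import os
import ssl

def check_pem(path, marker, label):
    """Return a problem string for one PEM file, or None if it looks usable."""
    if not path:
        return f"{label}: path is empty"
    if not os.path.isfile(path):
        return f"{label}: {path} does not exist"
    with open(path, "rb") as fh:
        data = fh.read()
    if marker not in data:
        return f"{label}: {path} has no {marker.decode()} PEM block"
    return None

def preflight(root_path, key_path, cert_path):
    """Collect every reason the client identity would be missing or unusable."""
    problems = [p for p in (
        check_pem(root_path, b"BEGIN CERTIFICATE", "root certificate"),
        check_pem(key_path, b"PRIVATE KEY", "client key"),
        check_pem(cert_path, b"BEGIN CERTIFICATE", "client certificate"),
    ) if p]
    if not problems:
        try:
            # The stdlib parses both files and rejects a key that does not
            # belong to the certificate.
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_cert_chain(cert_path, key_path)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"client key/certificate pair does not load: {exc}")
    return problems

def mtls_channel(target, root_path, key_path, cert_path):
    """Build the mTLS channel only after the preflight passes."""
    problems = preflight(root_path, key_path, cert_path)
    if problems:
        raise ValueError("; ".join(problems))
    import grpc  # imported lazily so the preflight runs without grpcio installed

    def read(path):
        with open(path, "rb") as fh:
            return fh.read()

    creds = grpc.ssl_channel_credentials(
        root_certificates=read(root_path),
        private_key=read(key_path),
        certificate_chain=read(cert_path),
    )
    return grpc.secure_channel(target, creds)
```
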
