# UNAVAILABLE: grpc: TLS certificate not found: /etc/ssl/certs/server.crt

- **ID:** `grpc/grpc-tls-certificate-not-found`
- **Domain:** grpc
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The specified TLS certificate file path does not exist or is inaccessible due to permissions or incorrect path.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| grpc-go 1.60.0 | active | — | — |
| grpc-java 1.59.0 | active | — | — |
| OpenSSL 3.0.12 | active | — | — |

## Workarounds

1. **Verify the certificate file exists and has correct permissions. Run:
  ls -la /etc/ssl/certs/server.crt
  If missing, generate or copy the certificate. Example using OpenSSL:
  openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/certs/server.key -out /etc/ssl/certs/server.crt -days 365 -nodes
  Then update the gRPC server config to point to the correct paths.** (95% success)
   ```
   Verify the certificate file exists and has correct permissions. Run:
  ls -la /etc/ssl/certs/server.crt
  If missing, generate or copy the certificate. Example using OpenSSL:
  openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/certs/server.key -out /etc/ssl/certs/server.crt -days 365 -nodes
  Then update the gRPC server config to point to the correct paths.
   ```
2. **If using a custom path, set the GRPC_GO_TLS_CERT_FILE and GRPC_GO_TLS_KEY_FILE environment variables before starting the server:
  export GRPC_GO_TLS_CERT_FILE=/path/to/cert.pem
  export GRPC_GO_TLS_KEY_FILE=/path/to/key.pem
  ./your_server** (85% success)
   ```
   If using a custom path, set the GRPC_GO_TLS_CERT_FILE and GRPC_GO_TLS_KEY_FILE environment variables before starting the server:
  export GRPC_GO_TLS_CERT_FILE=/path/to/cert.pem
  export GRPC_GO_TLS_KEY_FILE=/path/to/key.pem
  ./your_server
   ```

## Dead Ends

- **** — The error is about the server certificate, not the root CA; changing root path doesn't help if server cert path is wrong. (85% fail)
- **** — This bypasses security but does not fix the missing certificate; the server still fails to start with TLS. (90% fail)