I am writing a Python (version: 3.6.8) gRPC client to connect to envoy using SSL.
I am using grpc.ssl_channel_credentials to specify root_certificates, private_key and certificate_chain, and then injecting it in grpc_secure_channel call.
Also, we have alpn_protocol defined at "h2,http/1.1"
However, on running the client, I notice the error below:
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "failed to connect to all addresses; last error: UNKNOWN : Cannot check peer: missing selected ALPN property."
debug_error_string = "UNKNOWN:Failed to pick subchannel ..."
*** Additional Notes : ***
The "Cannot check peer: missing selected ALPN property" error message that you're seeing is related to gRPC's use of the Application-Layer Protocol Negotiation (ALPN) extension to negotiate the protocol to be used for a secure connection (e.g. HTTP/2 or HTTP/1.1).
This error typically occurs when the gRPC client is not able to negotiate the correct protocol with the server, either because the client and server do not support the same protocols, or because the client is not properly configured to use ALPN.
There are a few possible solutions to this issue:
These are some of the common solutions, it's best to check the library and python version you are using and try to find the solution accordingly.
ALPN is a TLS extension for negotiating the protocol the connection will use. I'm assuming you're using a prebuilt gRPC Python artifact and not one built from source. If you're building from source, the answer will be slightly different.
gRPC Python supports ALPN, so the issue is likely with either the server or with a proxy sitting between the client and the server. All officially supported gRPC server implementations support ALPN.
How is the server running? Which language? Which version of gRPC? Do you have any proxies that could be stripping the ALPN property?
This is definitely the first time I've seen a Stack Overflow question with a ChatGPT query included. So here's a quick critique of its response as well:
The first two paragraphs are a great summary. Totally correct. After that, it seems to start making things up:
> Make sure that the gRPC client and server support the same protocols. For example, if the server only supports HTTP/2, the client must also support HTTP/2.
The only official transport for gRPC is HTTP/2, so this doesn't make much sense.
> Make sure that the client is properly configured to use ALPN. This can typically be done by installing the OpenSSL library and making sure that the grpc._cython.cygrpc package is using it.
The SSL library (whether BoringSSL or OpenSSL) is statically compiled into the Cython layer of gRPC Python, so this wouldn't work.
> If the error message still persists and you are using python version 3.8 and above. There is a known issue with the gRPC library in python 3.8 and above, you can upgrade to python version 3.9 and above which will fix the issue.
We run a full suite of tests against gRPC Python on 3.8. This is not only wrong -- it's a bad rumor.
Edit: I also just realized this also doesn't make any sense. It says that "there's an issue with 3.8 and above". How would upgrading to 3.9 fix that then?
> If the above step did not work, you can try downgrading the gRPC library version, it could be possible that the version you are using is not compatible with the python version you are using
Roughly the same comment as the previous item. We have very few issues that are specific to a certain version of CPython. It is possible for there to be a regression in gRPC, in which case downgrading the library is a reasonable response, but we would definitely appreciate a bug report in that case so that we can fix the issue and backport to all affected released versions.
> If you are behind a proxy server, you may need to configure your client to use a proxy.
While this might be true in general for networked clients, I don't think it makes a whole lot of sense in this particular case. You're clearly not trying to use (for example) HTTP CONNECT-based proxying, which would require client-side configuration. If you need to make a change to proxy configuration, it will likely be configuration on the proxy itself.
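One way to check what the server, or a proxy in front of it, actually selects during the TLS handshake, using only the Python standard library. This is an added example, not part of the original question or answer; the function names and the script name `alpn_probe.py` are hypothetical, and the host, port and certificate paths are whatever your gRPC client uses.

```python
import socket
import ssl
import sys

# Same protocol list the question says is configured ("h2,http/1.1").
OFFERED = ["h2", "http/1.1"]


def interpret_alpn(selected):
    """Map the ALPN value the peer selected to an (ok, explanation) pair."""
    if selected is None:
        # No ALPN extension came back in the handshake: the condition that
        # the "missing selected ALPN property" message describes.
        return (False, "peer selected no ALPN protocol: the TLS terminator "
                       "(server or a proxy in front of it) is not doing ALPN")
    if selected != "h2":
        return (False, "peer selected %r instead of 'h2': the listener is "
                       "not offering HTTP/2, which gRPC requires" % selected)
    return (True, "peer selected 'h2': ALPN negotiation is fine")


def probe_alpn(host, port, cafile=None, certfile=None, keyfile=None,
               timeout=5.0):
    """Handshake with host:port offering OFFERED; return the peer's choice."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + name
    if certfile:
        # Client certificate for mutual TLS, as in the question's setup.
        ctx.load_cert_chain(certfile, keyfile)
    ctx.set_alpn_protocols(OFFERED)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    # Usage: python alpn_probe.py HOST PORT [CA_FILE [CLIENT_CERT CLIENT_KEY]]
    args = sys.argv[1:]
    host, port = args[0], int(args[1])
    cafile = args[2] if len(args) > 2 else None
    certfile = args[3] if len(args) > 4 else None
    keyfile = args[4] if len(args) > 4 else None
    ok, why = interpret_alpn(probe_alpn(host, port, cafile, certfile, keyfile))
    print("%s:%d -> %s" % (host, port, why))
    sys.exit(0 if ok else 1)
```

Running it against each hop in turn (the proxy's address, then the backend directly) shows which one is dropping ALPN.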