I've been working a while on getting gRPC to run with TLS. I have a working server which I confirm is running TLS by using Postman. I've been reading the docs, namely here: https://grpc.io/docs/guides/auth/#java, which states I can use:
    var credentials = TlsChannelCredentials.create();
    channel = Grpc.newChannelBuilderForAddress(hostName, port, credentials).build();
    return channel;
However it is throwing the exception:
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Which in turn bubbles up to:
    UNAVAILABLE: io exception Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0] io.grpc.StatusRuntimeException: UNAVAILABLE: io exception Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]
I can confirm that the Client request pops up and exchanges the Client Hello via Wireshark.
What I want to achieve is using TLS only as encryption. I do not care about the client-side CA/trust store etc. Can anybody help or tell me what I'm doing wrong or if I am misunderstanding the docs?
Thank you all
With TLS the client has to accept the server certificate before proceeding to the next step (negotiate the session key for encryption).
To enable that you can import the server's public certificate chain and supply it on the client side via TlsChannelCredentials's trustManager(File rootCerts) method. You should be able to find enough pointers on the web to figure out how to do it.
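
The approach described in this answer, as an added example (not code from the original post or from the gRPC project): the client trusts a PEM file holding the server's certificate chain or issuing CA instead of the JVM default trust store, and first prints what that file contains so a wrong or expired file is caught before the handshake fails. The class name `TrustedTlsChannel`, the helper `describeRoots` and the command-line arguments are assumptions made for illustration.

```java
import io.grpc.ChannelCredentials;
import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.TlsChannelCredentials;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

public final class TrustedTlsChannel {

    /** Parses the PEM file and prints each certificate the client is about to trust. */
    static void describeRoots(File rootCerts) throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(rootCerts)) {
            Collection<? extends Certificate> certs =
                CertificateFactory.getInstance("X.509").generateCertificates(in);
            if (certs.isEmpty()) throw new CertificateException("no certificates in " + rootCerts);
            for (Certificate c : certs) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("trusting subject=%s notAfter=%s SANs=%s%n",
                    x.getSubjectX500Principal().getName(), x.getNotAfter(),
                    x.getSubjectAlternativeNames());
            }
        }
    }

    /** Builds a channel that validates the server against rootCerts only. */
    static ManagedChannel create(String hostName, int port, File rootCerts)
            throws IOException, CertificateException {
        describeRoots(rootCerts);
        ChannelCredentials credentials = TlsChannelCredentials.newBuilder()
            .trustManager(rootCerts) // PEM file with the server's chain or its CA
            .build();
        // hostName must match a subject alternative name in the server certificate,
        // otherwise the handshake is rejected even though the chain is trusted.
        return Grpc.newChannelBuilderForAddress(hostName, port, credentials).build();
    }

    public static void main(String[] args) throws Exception {
        ManagedChannel channel = create(args[0], Integer.parseInt(args[1]), new File(args[2]));
        System.out.println("channel authority: " + channel.authority());
        channel.shutdownNow();
    }
}
```

The channel connects lazily, so the TLS handshake (and any remaining certificate error) only occurs on the first RPC made through it.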