AWS Lambda (dotnet 8) - connection/certificate issue

Andrew_Radford · June 6, 2024, 2:07am

Greetings - we’ve just created an AWS Lambda which runs some dotnet 8 code that signals workflows with the Temporal Dotnet SDK. However I think we’ve hit a rust/platform issue. The Temporal client fails to connect with the error below. Credentials are fine, the code works on alternative dotnet environments, and Lambdas deployed the same way but written with the Python SDK do not seem to be affected. I think the default AWS dotnet lambda runtime image is here - has anyone encountered this? What are our options to circumvent the issue?

System.InvalidOperationException: Connection failed: Server connection error: tonic::transport::Error(Transport, hyper::Error(Connect, Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }))
   at Temporalio.Bridge.Client.ConnectAsync(Runtime runtime, TemporalConnectionOptions options)
   at Temporalio.Client.TemporalConnection.GetBridgeClientAsync()
   at Temporalio.Client.TemporalConnection.InvokeRpcAsync[T](RpcService service, String rpc, IMessage req, MessageParser`1 resp, RpcOptions options)
   at Temporalio.Client.WorkflowService.StartWorkflowExecutionAsync(StartWorkflowExecutionRequest req, RpcOptions options)
   at Temporalio.Client.TemporalClient.Impl.StartWorkflowInternalAsync[TWorkflow,TResult](StartWorkflowInput input)
   at Temporalio.Client.TemporalClient.Impl.StartWorkflowAsync[TWorkflow,TResult](StartWorkflowInput input)
   at Temporalio.Client.TemporalClient.StartWorkflowAsync(String workflow, IReadOnlyCollection`1 args, WorkflowOptions options)
  <...snip...>

Chad_Retz · June 6, 2024, 2:48pm

The .NET and Python SDKs use the same TLS logic. Is this using self-hosted or cloud? At first glance, the failure looks like it can’t validate the CA of the server cert. This is most likely caused by the image/system having out of date CA certs. I don’t see in the lambda bootstrap script where it is updating the CA certs on the system.

Andrew_Radford · June 6, 2024, 10:39pm

This is cloud, and using self-signed certs created with tctl. You are right it sure does looks like an issue with the certs, however the exact same ones do work when running off my local machine, or when running using python on an AWS Lambda…

Chad_Retz · June 7, 2024, 1:03pm

I am saying it may not be an issue with the client certs with mTLS but rather the server certificate we send and your system’s inability to validate it against its trusted set of CAs. Your local machine has updated CA certs but the AWS machine may not. I do not know for sure if this is the case, but it is commonly the case when the exact same client code/options work on one machine but not another and you get these unknown issuer failures. It is clearly environment specific and not code related. You may need to find a way to update the system certificates on the AWS Lambda instance.

Andrew_Radford · June 10, 2024, 3:41am

Yeah - at the moment we’re rolling a new Lambda image that does work. Maybe in the future when we know a bit more about this stuff, we can find a more light-weight way to do it.

Topic		Replies	Views
Temporal mTLS .NET Server Deployment dotnet-sdk , server , mtls	12	44	November 6, 2024
Unable to Connect to Server Community Support	2	177	September 24, 2024
Getting error TransportError (InvalidCertificateEncoding) when using SSL Community Support typescript-sdk	7	889	August 17, 2024
[TypeScript SDK] tls connection error Community Support typescript-sdk , tls , mtls	4	782	January 30, 2023
Connecting via core-sdk in rust Community Support general-impl	3	741	December 23, 2022

AWS Lambda (dotnet 8) - connection/certificate issue

Related topics