HELP: How to create a client with TLS

I am using this example to start a temporal server: https://github.com/temporalio/samples-server/tree/main/tls/tls-simple
I am not sure how the client will use the client's certs to connect with the temporal server.
When I start a worker, I am getting this error:
get system info failed: last connection error: connection closed before server preface received - *serviceerror.Unavailable

Is there any documentation or example about how to configure a client with TLS?

Hi @Dlo

> get system info failed: last connection error: connection closed before server preface received - *serviceerror.Unavailable

Yes, you will get this if you do not configure TLS in client.Options.

Following code worked for me:

    package main

    import (
    	"crypto/tls"
    	"log"

    	"go.temporal.io/sdk/client"
    )

    func main() {
    	// Load the client's certificate and private key (PEM files).
    	myCert, err := tls.LoadX509KeyPair("./myproject/mypem.pem", "./myproject/mykey.key")
    	if err != nil {
    		log.Fatalf("Failed to load client certificate: %v", err)
    	}
    	cert := &myCert

    	c, err := client.NewClient(client.Options{
    		// set HostPort if you are not using default 127.0.0.1:7233
    		HostPort: "MyHost:MyPort",
    		// set Namespace if you are not using default "default" namespace name
    		Namespace: "MyNamespace",
    		ConnectionOptions: client.ConnectionOptions{
    			TLS: &tls.Config{
    				Certificates: []tls.Certificate{*cert},
    				// If the server cert is signed by a private CA (as in the
    				// tls-simple sample), also set RootCAs to that CA and
    				// ServerName to the name in the server certificate.
    			},
    		},
    	})
    	if err != nil {
    		log.Fatalln("Unable to create client", err)
    	}
    	defer c.Close()
    }

Note you will have to do this for the client you use in your code that starts workflow execs, as well as the one you use to create your worker(s). Hope this helps.

> Is there any documentation or example about how to configure a client with TLS?

Opened an issue to add a sample for this in the Go samples.

Hi @tihomir
Thank you so much for the example code.

Hi @tihomir, I am following the same approach but getting this error:

2022/05/16 10:58:15 Unable to create client get system info failed: last connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-05-16T10:58:15Z is after 2022-05-16T08:53:54Z" - *serviceerror.Unavailable

Certificate timestamps are as below:

notBefore=May 16 08:52:44 2022 GMT
notAfter=May 17 08:53:14 2022 GMT

**Current date on my machine is**
Mon 16 May 2022 11:02:22 AM UTC

At the same time, the tctl CLI works fine:

    tctl n list
    Name: abc
    Id: 2e386412-efd7-4634-b82a-7c6d1a362450

@sumesh_kanayi
How/where are you deploying? Check the system time on the container(s) the server is running on; maybe there is a diff.

Sure. I am checking in detail. I am running the temporal server in clustered mode. All services (front end, history, matching etc.) are running on different virtual machines with mTLS enabled, using HashiCorp Vault PKI as the certificate issuer. Primary investigation doesn't show any time differences. I am trying to run the Go code above on the same front end server. The tctl CLI was also tested successfully on the same machine. The funny part is that the error message says the current date is after the notBefore timestamp, which I thought is OK :slight_smile:

Do you have a load balancer setup? Could it be some issue with certs not being updated there? I think this issue has to do with cert management and maybe not Temporal itself. Let me know if you find something out.

You were right @tihomir. It was a problem with the certificates on the worker service node. It worked fine after fixing it.
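Putting the two halves of this thread together (the `tls.Config` from the answer above, and the "certificate has expired or is not yet valid" failure hit later), here is an added, self-contained example that is not part of the thread or of the Temporal samples. It builds the config a Temporal client needs when the server uses a private CA (client cert/key for mTLS, plus `RootCAs` and `ServerName` for verifying the frontend), and adds a startup check of the client certificate's validity window so a stale cert on a worker node is reported with both timestamps before the handshake fails. `SelfSignedPEM` only generates a throwaway certificate so the example runs offline; in a real deployment the PEM bytes come from your PKI and are passed as `ConnectionOptions.TLS` exactly as in the answer above. Function names and the `worker.example.test` hostname are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// ClientTLSFromPEM builds the *tls.Config to put in client.ConnectionOptions.TLS
// for a server behind a private CA: the client's own cert/key pair for mTLS
// plus the CA bundle that signed the server certificate.
func ClientTLSFromPEM(certPEM, keyPEM, caPEM []byte, serverName string) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("load client key pair: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificates found in CA PEM")
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      pool,       // verify the server against the private CA, not system roots
		ServerName:   serverName, // must match a SAN in the server certificate
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// CheckValidity reports whether the configured client leaf certificate is
// inside its NotBefore/NotAfter window at time now. Run it at startup so an
// expired or not-yet-valid cert is reported with both timestamps, instead of
// surfacing only as a failed handshake.
func CheckValidity(cfg *tls.Config, now time.Time) error {
	if len(cfg.Certificates) == 0 || len(cfg.Certificates[0].Certificate) == 0 {
		return errors.New("no client certificate configured")
	}
	leaf, err := x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
	if err != nil {
		return err
	}
	if now.Before(leaf.NotBefore) {
		return fmt.Errorf("client cert not yet valid: now %s is before notBefore %s",
			now.UTC().Format(time.RFC3339), leaf.NotBefore.UTC().Format(time.RFC3339))
	}
	if now.After(leaf.NotAfter) {
		return fmt.Errorf("client cert expired: now %s is after notAfter %s",
			now.UTC().Format(time.RFC3339), leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	return nil
}

// SelfSignedPEM generates a throwaway self-signed cert and key with the given
// validity window. It exists only so the example runs offline (constructed
// test material); real deployments obtain certs from their PKI.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// Constructed demo: a cert whose window closed an hour ago reproduces the
	// "expired or is not yet valid" failure from the thread at startup.
	now := time.Now()
	certPEM, keyPEM, err := SelfSignedPEM("worker.example.test", now.Add(-25*time.Hour), now.Add(-time.Hour))
	if err != nil {
		log.Fatal(err)
	}
	cfg, err := ClientTLSFromPEM(certPEM, keyPEM, certPEM, "worker.example.test")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("validity check:", CheckValidity(cfg, now))
}
```

The returned `cfg` is what you pass as `ConnectionOptions.TLS` for both the workflow-starting client and the worker client; since the thread ended with a bad certificate on one worker node, calling `CheckValidity` in every process that dials the frontend makes that node fail loudly with its own timestamps rather than with a generic `serviceerror.Unavailable`.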