Issue while running tls-full sample

Hi,

Facing an issue while running the tls-full sample (samples-server/tls/tls-full at main · temporalio/samples-server · GitHub). Steps followed are as below:

  1. I have generated the certificates using the given generate-certs.sh script and started temporal with start-temporal.sh script.
  2. Added the “server-root-ca.pem” certificate to cacerts using the below command:
    keytool -trustcacerts -keystore cacerts -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>
  3. While running HelloActivity Workflow, trying to create service stubs as below:
    InputStream clientCert1 = new FileInputStream(getFile("client-accounting-namespace.pfx"));
    // Create SSL enabled client by passing SslContext, created by SimpleSslContextBuilder.
    WorkflowServiceStubs service =
        WorkflowServiceStubs.newInstance(
            WorkflowServiceStubsOptions.newBuilder()
                .setSslContext(SimpleSslContextBuilder.forPKCS12(clientCert1).build())
                .build());

Getting below error:
Client logs:

Caused by: javax.net.ssl.SSLException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
	at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1071)
	at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1365)
	at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1305)
	at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1392)
	at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1435)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:221)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1341)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1234)
	at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1283)
	at io.grpc.netty.shaded.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
	at io.grpc.netty.shaded.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
	... 17 more
Caused by: io.grpc.netty.shaded.io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE

Caused by: javax.net.ssl.SSLException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE

Temporal Server logs:

temporal_1                  | {"level":"warn","ts":"2022-04-25T08:59:29.190Z","msg":"cannot find a per-host provider for attempted incoming TLS connection. returning default TLS configuration","server-name":"","address":"192.168.160.1:56434","logging-call-at":"localStoreTlsProvider.go:271"}

  1. In the above code, the “clientCert1” being passed is “client-accounting-namespace.pfx”. Is this correct? If I want to build SSLContext using PKCS8, then should I use “client-accounting-namespace.pem” or “client-accounting-namespace-chain.pem”?
  2. Also, I need a clear understanding of whether accounting and development indicate 2 different clients or 2 different namespaces. Why do we have multiple CLIs in docker-compose.yaml?
  3. In docker-compose.yaml, there is no env variable mentioned for the client’s CA certificate. Could this be the reason for the above error? Also, which client CA certificate should be mentioned: the client root CA or the client intermediate CA?

If I want to build SSLContext using PKCS8

Currently the certificates built in this repo are PKCS1 and not PKCS8; see the open issue here.

  1. Two different clients that have different server names
  2. Yes, the sample is really not meant to be used with the Java SDK locally to do an end-to-end test. It’s there more as an example for configuration. We will work on this.

Your code looks correct; here is the full sample. Once the issue for generating PKCS8 is fixed, we can update the sample to allow it to be tested by the Java SDK.


We also opened this issue recently, just fyi.
You can set for example:

export SERVER_TAG=1.15.2

in start-temporal.sh to specify a version < 1.16.0

PR for PKCS8 cert generation.
I tested with this PR locally, and was able to run workflows in both “tls-simple” and “tls-full” via:

service =
    WorkflowServiceStubs.newInstance(
        WorkflowServiceStubsOptions.newBuilder()
            .setSslContext(
                SimpleSslContextBuilder.forPKCS8(CLIENT_CERT, CLIENT_KEY)
                    // Disables verification of the server certificate.
                    .setUseInsecureTrustManager(true)
                    .build())
            .build());

(where CLIENT_CERT is the generated client.pem, and CLIENT_KEY is the generated client.key)

Note that setUseInsecureTrustManager is needed still, trying to fix the “CN” values of the generated certificates so it works without it, but for now it should do the trick.

Faced the same exact problem and error. In my case it was caused by an expired client CA certificate registered with the Temporal Server.

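A local pre-flight for the two causes raised in this thread, a key that is PKCS1 rather than PKCS8 and an expired client CA, which checks the client material before it is handed to SimpleSslContextBuilder.forPKCS8. This is an added example, not code from the forum posts, samples-server or the Java SDK. The class name ClientCertPreflight and the three file arguments are assumptions; pass the client certificate (or "-chain.pem" bundle), its key, and the client CA certificate the server is configured with.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

// Added example; the class name and argument order are assumptions, not part of the sample repo.
public class ClientCertPreflight {
  static int failures = 0;
  static void fail(String msg) { failures++; System.out.println("FAIL " + msg); }
  static List<X509Certificate> load(String path) throws Exception {
    List<X509Certificate> certs = new ArrayList<>();
    try (InputStream in = new FileInputStream(path)) {
      // Reads every certificate in the file, so a "-chain.pem" bundle works too.
      for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
        certs.add((X509Certificate) c);
      }
    }
    return certs;
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 3) throw new IllegalArgumentException("usage: <client-cert.pem> <client.key> <client-ca.pem>");
    List<X509Certificate> chain = load(args[0]); // leaf first, then any intermediates
    chain.addAll(load(args[2]));                 // client CA registered with the server
    // A PKCS#8 PEM key says "BEGIN PRIVATE KEY"; a PKCS#1 key says "BEGIN RSA PRIVATE KEY".
    String key = new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.US_ASCII);
    if (!key.matches("(?s).*-----BEGIN (ENCRYPTED )?PRIVATE KEY-----.*")) fail("key is not PKCS#8 PEM");
    Date now = new Date();
    for (int i = 0; i < chain.size(); i++) {
      X509Certificate cert = chain.get(i);
      String name = cert.getSubjectX500Principal().getName();
      // The last reply traced this alert to an expired client CA, so check every certificate's dates.
      if (now.before(cert.getNotBefore()) || now.after(cert.getNotAfter())) {
        fail(name + " is not valid now (notAfter=" + cert.getNotAfter() + ")");
      }
      if (i + 1 == chain.size() || cert.equals(chain.get(i + 1))) continue; // nothing above it to check
      try {
        cert.verify(chain.get(i + 1).getPublicKey()); // signed by the next certificate?
      } catch (GeneralSecurityException e) {
        fail(name + " is not signed by the next certificate in the chain: " + e.getMessage());
      }
    }
    System.out.println(failures == 0 ? "OK: key format, dates and signatures check out" : failures + " check(s) failed");
    System.exit(failures == 0 ? 0 : 1);
  }
}
```

A clean run here only rules out these local causes; the server must still be configured with the same client CA file that was checked.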