Typescript sdk, mtls works for worker does not work for client

Hello,

thank you for the great product.

I configured mtls on temporal cluster, following tls simple scenario .

grpc health probe tool with all tls parameters shows status serving.

Typescript worker is able to connect.

Typescript client cannot connect Error: Failed to connect before the deadline , but configuration is identical to the one I provide to the worker. I see that they have different implementations, worker uses rust binary and client - grpc client.

I tried python hello-mtls with my certs/keys it also works. ui-server also able to connect.

As I understand from temporal cluster perspective worker and client are both just external clients, so not clear why I can connect with one and not with other.

Versions of typescript sdk I tried: 1.5.2, 1.6.0.

Connection options are the same for worker and client, but only worker works.

const connection = await Connection.connect({
    address: `temporal-dev.dnsname:7233`,
    tls: {
      serverRootCACertificate: fs.readFileSync(`./ca-cert-path`),
      serverNameOverride: 'temporal-dev.dnsname',
      clientCertPair: {
        crt: fs.readFileSync(`./client-cert-path`),
        key: fs.readFileSync(`./client-key-path`),
      }
    },
  });

please let me know if you have any ideas what may cause this error, thank you

Hi!

That’s surprising, indeed…

Two things come to my mind:

  1. Make sure to use only TS SDK 1.6.0. Release 1.5.2 might try to use @grpc/grpc-js 1.8.x, which is know to pose some issues that could results in “Failed to connect before the deadline” errors.
  2. Try running both the client and the worker with the following environment variables: GRPC_TRACE=all and GRPC_VERBOSITY=DEBUG. Then compare the output of both programs, especially early lines.

I hope this helps.

How did you generate the certs?
I’ve also has some issues with manual cert generation a while back, seems like using the -sha256 flag might help:

Just realized I never resolved this one.

GRPC debug helped to find an issue.

Fix was to include full chain (root → intermediate) into certificate CA file.

1 Like