TypeScript SDK: mTLS works for worker, does not work for client

Hello,

thank you for the great product.

I configured mTLS on the Temporal cluster, following the TLS simple scenario.

The grpc-health-probe tool, with all TLS parameters, shows status SERVING.

The TypeScript worker is able to connect.

The TypeScript client cannot connect (`Error: Failed to connect before the deadline`), but the configuration is identical to the one I provide to the worker. I see that they have different implementations: the worker uses the Rust binary and the client uses the gRPC client.

I tried the Python hello-mtls sample with my certs/keys; it also works. The ui-server is also able to connect.

As I understand it, from the Temporal cluster's perspective the worker and the client are both just external clients, so it is not clear why I can connect with one and not with the other.

Versions of the TypeScript SDK I tried: 1.5.2, 1.6.0.

The connection options are the same for the worker and the client, but only the worker works.

import fs from 'fs';
import { Connection } from '@temporalio/client';

async function run() {
  const connection = await Connection.connect({
    address: 'temporal-dev.dnsname:7233',
    tls: {
      // CA used to verify the server certificate
      serverRootCACertificate: fs.readFileSync('./ca-cert-path'),
      serverNameOverride: 'temporal-dev.dnsname',
      // client certificate and key presented for mTLS
      clientCertPair: {
        crt: fs.readFileSync('./client-cert-path'),
        key: fs.readFileSync('./client-key-path'),
      },
    },
  });
  return connection;
}

run().catch((err) => console.error(err));

Please let me know if you have any ideas what may cause this error. Thank you.

Hi!

That’s surprising, indeed…

Two things come to my mind:

  1. Make sure to use only TS SDK 1.6.0. Release 1.5.2 might try to use @grpc/grpc-js 1.8.x, which is known to pose some issues that could result in "Failed to connect before the deadline" errors.
  2. Try running both the client and the worker with the following environment variables: GRPC_TRACE=all and GRPC_VERBOSITY=DEBUG. Then compare the output of both programs, especially the early lines.

I hope this helps.

How did you generate the certs?
I've also had some issues with manual cert generation a while back; it seems like using the -sha256 flag might help:

Just realized I never resolved this one.

The gRPC debug output helped to find the issue.

The fix was to include the full chain (root → intermediate) in the certificate CA file.
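Added example, not code from this thread: a POSIX shell script that reproduces the failure mode described in the final reply. It builds a throwaway root → intermediate → leaf chain with openssl (assumed to be on PATH; all names and the temp directory are constructed) and shows that the leaf fails verification against a CA file holding only the root, but passes against the root + intermediate bundle. Run the same `openssl verify` against your real CA file and server certificate before handing the CA file to `Connection.connect`.

```shell
# Constructed example: throwaway PKI in a temp dir, nothing here is a real key.
WORK=$(mktemp -d)

# sign <csr> <ca-cert> <ca-key> <ext-file> <out>: issue a certificate from a CA
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 2 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Build root (self-signed) -> intermediate -> leaf, plus the two candidate CA files.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:temporal-dev.dnsname\n' > "$WORK/leaf.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  sign "$WORK/int.csr"  "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"   "$WORK/int.pem"
  sign "$WORK/leaf.csr" "$WORK/int.pem"  "$WORK/int.key"  "$WORK/leaf.ext" "$WORK/leaf.pem"
  # The CA file the client should be given: root AND intermediate, concatenated.
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ca-full.pem"
}

# verify_leaf <ca-file>: exit status 0 only if the leaf chains to a cert in <ca-file>
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# count_certs <pem-file>: number of certificates in a PEM bundle
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

build_chain
if verify_leaf "$WORK/root.pem"; then echo "root only: OK"; else echo "root only: FAILED (intermediate missing)"; fi
if verify_leaf "$WORK/ca-full.pem"; then echo "full chain: OK"; else echo "full chain: FAILED"; fi
```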