grpc-gateway-example

[annidy]

grpc-gateway-example 是一个grpc转http的一个示例。不过因为年久失修，证书配置上有问题。

这个示例演示如何将grpc和http绑定到同一个端口，但是grpc-gateway的官方文档的示例更简单

在build工程后，用curl命令测试时，出现错误

curl -X POST -k https://localhost:10000/v1/echo -H "Content-Type: text/plain" -d '{"value": "foo"}'
{"error":"connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead\"","code":14,"message":"connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead\""}

原因是因为，代码中的证书使用的是传统的Common Name (CN) 字段，而没有使用现代标准所推荐的 Subject Alternative Names (SANs) 字段。现代的 TLS 客户端（比如最新版本的浏览器和curl）要求证书使用 SANs 字段来指定有效的主机名。

可以参考下面的文章，确保生成的证书包含SAN字段。简单的方法是修改certs/Makefile的代码

openssl req -new -x509 -key server.key -out server.pem -days 3650 -subj "/C=cn/OU=devhg/O=devhg/CN=localhost:10000" -addext "subjectAltName = DNS:localhost"

这里新增一条subjectAltName = DNS:localhost记录。不过，这时会发现还是有问题：

curl -X POST -k https://localhost:10000/v1/echo -H "Content-Type: text/plain" -d '{"value": "foo"}'
{"error":"connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for localhost, not localhost:10000\"","code":14,"message":"connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for localhost, not localhost:10000\""}

有人提了一个issue: bad practice on creating the tls credentials，因为代码中固定了ServerName为“localhost:10000”，导致SANs不匹配。一个临时的解决方案是，在生成pem时，修改为subjectAltName = DNS:localhost:10000，带上端口号。这样可以运行，但证书的可用性降低了。

---

verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead