Cannot check peer: missing selected ALPN property. #26172

Closed
YvesZHI opened this issue Mar 20, 2023 · 3 comments
Labels
question Questions that are neither investigations, bugs, nor enhancements stale stalebot believes this issue/PR has not been touched recently


YvesZHI commented Mar 20, 2023

I'm trying to use the Envoy as the gateway of my backend servers.

I've a grpc streaming server so I need to configure the Envoy with grpc.

Here is the proto:

```proto
syntax = "proto3";

option java_multiple_files = true;
option java_package = "io.grpc.examples.helloworld";
option java_outer_classname = "HelloWorldProto";
option objc_class_prefix = "HLW";

package helloworld;

service Greeter {
  rpc SayHelloStream(stream MessageReq) returns (stream MessageRes) {}
}

message MessageReq {
  string text = 1;
}

message MessageRes {
  int32 count = 1;
}
```

Here is my server:

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <thread>
#include <grpcpp/grpcpp.h>
#include "helloworld.grpc.pb.h"

using grpc::Server;
using grpc::ServerBuilder;
using grpc::ServerContext;
using grpc::Status;
using helloworld::Greeter;
using helloworld::MessageReq;
using helloworld::MessageRes;

class BiStreamServiceImpl final : public Greeter::Service {
 public:
  Status SayHelloStream(ServerContext* context, grpc::ServerReaderWriter<MessageRes, MessageReq>* stream) override {
    MessageReq request;
    while (stream->Read(&request)) {
      std::cout << "received" << std::endl;
      MessageRes response;
      response.set_count(request.text().length());
      stream->Write(response);
    }
    return Status::OK;
  }
};

void RunServer() {
  std::string server_address("0.0.0.0:50051");
  BiStreamServiceImpl service;

  ServerBuilder builder;
  builder.AddListeningPort(server_address, grpc::InsecureServerCredentials());
  builder.RegisterService(&service);

  std::unique_ptr<Server> server(builder.BuildAndStart());
  std::cout << "Server listening on " << server_address << std::endl;
  server->Wait();
}

int main(int argc, char** argv) {
  std::thread server_thread(RunServer);
  server_thread.join();
  return 0;
}
```

Here is my client:

```cpp
#include <chrono>
#include <iostream>
#include <thread>
#include <memory>
#include <string>
#include <grpcpp/grpcpp.h>
#include "helloworld.grpc.pb.h"

using grpc::Channel;
using grpc::ClientContext;
using grpc::ClientReaderWriter;
using grpc::Status;
using helloworld::Greeter;
using helloworld::MessageReq;
using helloworld::MessageRes;


class MyClient {
 public:
  MyClient(std::shared_ptr<Channel> channel) : stub_(Greeter::NewStub(channel)) { std::cout << "init channel" << std::endl; }

  void doJob() {
    MessageRes response;
    ClientContext context;
    std::shared_ptr<ClientReaderWriter<MessageReq, MessageRes>> stream(stub_->SayHelloStream(&context));
    // Writer thread: sends one request every 5 seconds.
    std::thread writer([&stream]() {
      while (true) {
        std::cout << "write msg" << std::endl;
        MessageReq request;
        request.set_text("abc");
        // Write() returns false once the stream is broken or closed; stop
        // then, so that writer.join() below can return.
        if (!stream->Write(request)) {
          break;
        }
        std::this_thread::sleep_for(std::chrono::seconds(5));
      }
    });

    // Reader loop: runs until the server ends the stream or the RPC fails.
    while (stream->Read(&response)) {
      std::cout << "Server responded with count: " << response.count() << std::endl;
    }

    Status status = stream->Finish();
    if (!status.ok()) {
       std::cerr << status.error_code() << ". StreamData rpc failed: " << status.error_message() << std::endl;
    }
    writer.join();
  }

 private:
  std::unique_ptr<Greeter::Stub> stub_;
};

int main(int argc, char** argv) {
  const char *addr = nullptr;
  if (argc == 2) {
    addr = argv[1];
  } else {
    addr = "example.com:1444";
  }
//  MyClient client(grpc::CreateChannel(addr, grpc::InsecureChannelCredentials()));
  // TLS channel with default options.
  MyClient client(grpc::CreateChannel(addr, grpc::SslCredentials(grpc::SslCredentialsOptions())));

  client.doJob();
  return 0;
}
```

Here is the config of my Envoy:

```yaml
  - name: listener_official_common_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 1444 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          common_http_protocol_options:
            idle_timeout: 3600s
          request_timeout: 200s
          http_filters:
          - name: envoy.filters.http.compressor
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor
              compressor_library:
                name: text_optimized
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["example.com:*"]
              routes:
              - match:
                  prefix: "/"
                  grpc: {}
                route:
                  cluster: cluster_robot_grpc_testing
                  timeout: 0s
                  idle_timeout: 0s
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context: {tls_certificates: [{certificate_chain: {filename: "/test.crt"}, private_key: {filename: "/test.key"}}]}
      transport_socket_connect_timeout: 30s
...
  - name: cluster_robot_grpc_testing
    connect_timeout: 30s
    type: LOGICAL_DNS
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        upstream_http_protocol_options:
          auto_sni: true
        common_http_protocol_options:
          idle_timeout: 3600s
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: cluster_robot_grpc_testing
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: {address: 172.16.0.3, port_value: 50051}
```

If I comment out the TLS config (`transport_socket`) and create an insecure channel `MyClient client(grpc::CreateChannel(addr, grpc::InsecureChannelCredentials()));`, it would work without any error. Then I enable `transport_socket` and try to create a secure channel `MyClient client(grpc::CreateChannel(addr, grpc::SslCredentials(grpc::SslCredentialsOptions())));` between client and Envoy. When I execute the client, I always get the error:

14. StreamData rpc failed: failed to connect to all addresses; last error: UNKNOWN: ipv4:172.16.0.3:1444: Cannot check peer: missing selected ALPN property.

The client, the server and the Envoy are all deployed on CentOS7 and the versions of openssl are OpenSSL 1.1.1k 25 Mar 2021.
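
A gRPC client reports the error above when the TLS handshake completes without a negotiated ALPN protocol. As an added example (not part of the original issue and not a reply from the Envoy maintainers), the posted listener `transport_socket` is shown next to a version that sets `alpn_protocols`, on the assumption that the missing ALPN advertisement is the cause of the failure:

```yaml
# Added example, not from the issue. Only the transport_socket of the
# listener_official_common_http filter chain is shown; file paths are the
# ones posted in the issue.

# As posted: common_tls_context carries no alpn_protocols, so the listener
# selects no ALPN protocol during the handshake. The gRPC client then has
# no "selected ALPN" property to check on its peer.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:
      tls_certificates:
      - certificate_chain: {filename: "/test.crt"}
        private_key: {filename: "/test.key"}
---
# With ALPN: the listener advertises h2, which is the protocol gRPC
# clients offer. Assumption: this listener serves gRPC (HTTP/2) only; add
# "http/1.1" after "h2" if HTTP/1.1 clients must also connect.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:
      alpn_protocols: ["h2"]
      tls_certificates:
      - certificate_chain: {filename: "/test.crt"}
        private_key: {filename: "/test.key"}
```

To see what the listener negotiates, `openssl s_client -connect example.com:1444 -alpn h2` prints `ALPN protocol: h2` when a protocol was selected and `No ALPN negotiated` otherwise.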

@YvesZHI YvesZHI added the triage Issue requires triage label Mar 20, 2023
@alyssawilk alyssawilk added question Questions that are neither investigations, bugs, nor enhancements and removed triage Issue requires triage labels Mar 20, 2023
@alyssawilk
Contributor

cc @ggreenway @RyanTheOptimist

@github-actions

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Apr 20, 2023
@github-actions

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 27, 2023