[Bug] tls full not working with server version 1.16.x #29

Open
tsurdilo opened this issue Apr 25, 2022 · 1 comment
Labels
bug Something isn't working

tls-full sample does not work with server version 1.16.x. It does start up with server versions < 1.16.0.
Error:

{"level":"fatal","ts":"2022-04-25T15:44:33.343Z","msg":"error getting system sdk client","service":"worker","error":"unable to create SDK client: get system info failed: last connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)\" while trying to verify candidate authority certificate \"cluster-x.contoso.com\")" - *serviceerror.Unavailable","logging-call-at":"factory.go:98","stacktrace":"go.temporal.io/server/common/log.(*zapLogger).Fatal\n\t/home/builder/temporal/common/log/zap_logger.go:150\ngo.temporal.io/server/common/sdk.(*clientFactory).GetSystemClient.func1\n\t/home/builder/temporal/common/sdk/factory.go:98\nsync.(*Once).doSlow\n\t/usr/local/go/src/sync/once.go:68\nsync.(*Once).Do\n\t/usr/local/go/src/sync/once.go:59\ngo.temporal.io/server/common/sdk.(*clientFactory).GetSystemClient\n\t/home/builder/temporal/common/sdk/factory.go:94\ngo.temporal.io/server/service/worker.(*Service).startScanner\n\t/home/builder/temporal/service/worker/service.go:441\ngo.temporal.io/server/service/worker.(*Service).Start\n\t/home/builder/temporal/service/worker/service.go:355\ngo.temporal.io/server/service/worker.ServiceLifetimeHooks.func1.1\n\t/home/builder/temporal/service/worker/fx.go:129"}

kussberg commented Jul 1, 2024

The issue is due to the use of an insecure SHA1-RSA certificate in a newer server version that enforces stricter security policies. The recommended solution is to upgrade to a more secure certificate. If immediate upgrading is not feasible, temporarily overriding the security settings using GODEBUG can be a workaround, though it's not advisable for long-term use due to security implications. Additionally, ensuring that the CA certificate is trusted can resolve issues with unknown authorities.
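The rejection discussed in this thread can be reproduced offline. The following is an added example, not code from the issue or the project: it uses Go's `crypto/x509` to issue a constructed CA and leaf, then verifies a SHA1-RSA leaf and a SHA256-RSA leaf against the same root. The certificate names, lifetimes and throwaway key are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var key, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the constructed certs

// issue returns a constructed certificate signed with alg; a nil parent yields a self-signed CA.
func issue(cn string, alg x509.SignatureAlgorithm, parent *x509.Certificate) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		SignatureAlgorithm: alg, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// verifyLeaf signs a leaf with alg under a trusted constructed CA and returns the leaf's algorithm name and the Verify error.
func verifyLeaf(alg x509.SignatureAlgorithm) (string, error) {
	ca := issue("constructed-ca", x509.SHA256WithRSA, nil)
	leaf := issue("constructed-leaf", alg, ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return leaf.SignatureAlgorithm.String(), err
}

func main() {
	fmt.Println(verifyLeaf(x509.SHA1WithRSA))
	fmt.Println(verifyLeaf(x509.SHA256WithRSA))
}
```

The CA is in the trusted pool in both runs, so the failure for the SHA-1 leaf comes from the signature algorithm alone, which is why the "unknown authority" wording in the log above can be misleading.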
