Can you use different TLS CAs for client and server certs?

[ArthurMelin]

Hello,

I'm setting up a new etcd cluster and I'm having issue with TLS certificates and the GRPC gateway.
I'm using 3 certificates authorities, one for client auth, one for server auth and one for peer-peer auth.
This works well until I try to use a client that uses the GRPC gateway where I get the following errors:

On the client:
{"error":"connection closed before server preface received","code":14,"message":"connection closed before server preface received"}
On the server:
{"level":"warn","ts":"2023-09-21T07:29:14.883867Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"127.0.0.1:35588","server-name":"","error":"tls: failed to verify client certificate: x509: certificate signed by unknown authority"}

After some digging, it looks like the gateway is failing to connect because it tries to use the certificate from the server's config which is not signed by the client CA therefore it gets rejected. This would mean that to use the GRPC gateway I need to use the same CA for the clients and servers certs but this seems less secure even when restricting key usages.

Is my theory correct?

[jmhbnz]

Hey @ArthurMelin - Thanks for your question. Yes, currently the gRPC gateway uses the etcd server certificate, refer:

• Add a flag to specify client certificate and private key that gRPC gateway provides to etcd server #16590
• Warnings at startup when running with --client-cert-auth and --client-cert-allowed-hostname #15755 (comment)

[ArthurMelin]

Oh ok thanks, I handed up just using the same CA to make it work anyway