Connection error in secure mode

Hi,

I’m trying to execute a local deployment with the --insecure option set to False. When --insecure is True, everything works as expected. My Docker Compose file looks like the following:

services:
  # create a SuperLink service
  superlink:
    image: flwr/superlink:${FLWR_VERSION:-1.12.0}
    command:
#      --insecure
      --ssl-ca-certfile=certificates/ca.crt
      --ssl-certfile=certificates/server.pem
      --ssl-keyfile=certificates/server.key
    volumes:
      - .cache/certificates:/app/certificates:ro

  # create a SuperExec service
  superexec:
    build:
      context: ${PROJECT_DIR:-.}
      dockerfile_inline: |
        FROM flwr/superexec:${FLWR_VERSION:-1.12.0}

        # gcc is required for the fastai quickstart example
        USER root
        RUN apt-get update \
            && apt-get -y --no-install-recommends install \
            build-essential \
            && rm -rf /var/lib/apt/lists/*
        USER app

        WORKDIR /app
        COPY --chown=app:app pyproject.toml .
        RUN sed -i 's/.*flwr\[simulation\].*//' pyproject.toml \
          && python -m pip install -U --no-cache-dir .

        ENTRYPOINT ["flower-superexec"]
    ports:
      - 9093:9093
    command:
      - --executor
      - flwr.superexec.deployment:executor
#      - --insecure
      - --executor-config
      - superlink="superlink:9091"
      - --ssl-ca-certfile=certificates/ca.crt
      - --ssl-certfile=certificates/server.pem
      - --ssl-keyfile=certificates/server.key
    depends_on:
      - superlink
    volumes:
      - .cache/certificates:/app/certificates:ro

  # create two SuperNode services with different node configs
  supernode-1:
    image: flwr/supernode:${FLWR_VERSION:-1.12.0}
    command:
#      - --insecure
      - --superlink
      - superlink:9092
      - --supernode-address
      - 0.0.0.0:9094
      - --isolation
      - process
      - --node-config
      - "partition-id=0 num-partitions=2"
      - --root-certificates=certificates/ca.crt
    depends_on:
      - superlink
    volumes:
      - .cache/certificates:/app/certificates:ro

  supernode-2:
    image: flwr/supernode:${FLWR_VERSION:-1.12.0}
    command:
#      - --insecure
      - --superlink
      - superlink:9092
      - --supernode-address
      - 0.0.0.0:9095
      - --isolation
      - process
      - --node-config
      - "partition-id=1 num-partitions=2"
      - --root-certificates=certificates/ca.crt
    depends_on:
      - superlink
    volumes:
      - .cache/certificates:/app/certificates:ro

The problem is that when I run docker compose up --build -d I see the following:

  • Superlink
2024-11-18 12:03:26 INFO :      Starting Flower SuperLink
2024-11-18 12:03:26 INFO :      Flower ECE: Starting Driver API (gRPC-rere) on 0.0.0.0:9091
2024-11-18 12:03:26 INFO :      Flower ECE: Starting Fleet API (gRPC-rere) on 0.0.0.0:9092
2024-11-18 12:03:27 WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
2024-11-18 12:03:27 E0000 00:00:1731924207.239103      26 ssl_transport_security.cc:2128] No match found for server name: superlink
2024-11-18 12:03:27 E0000 00:00:1731924207.240866      30 ssl_transport_security.cc:2128] No match found for server name: superlink
  • Supernode
2024-11-18 11:55:54 INFO :      Starting Flower SuperNode
2024-11-18 11:55:55 INFO :      Starting Flower ClientAppIo gRPC server on 0.0.0.0:9094
2024-11-18 11:55:55 WARNING :   Connection attempt failed, retrying...
2024-11-18 11:55:55 WARNING :   Connection attempt failed, retrying in 0.81 seconds
2024-11-18 11:55:56 WARNING :   Connection attempt failed, retrying in 2.58 seconds

I have manually checked that the certificates are mounted to the created containers.

Hi,
What version of Flower did you use?

Hi! I’m using 1.12.0.

Hey @vagzikopis,

Welcome to the Flower Discuss!

At first glance, your Docker Compose file looks fine. However, there’s a small issue: the SuperExec does not use the SuperLink certificate to validate the SuperLink identity. I’m guessing you’re using the same set of certificates and keys for both SuperLink and SuperExec, is that correct?

If that’s the case, you’ll need to replace the line in the SuperExec service:

- superlink="superlink:9091"

with:

- superlink="superlink:9091" root-certificates="certificates/ca.crt"

However, this change alone will not resolve your error.

Are you using the Docker Compose command described in this section to generate the certificates?

My guess is that the certificate does not include the DNS name superlink as a Subject Alternative Name (SAN).

I recommend checking out the Quickstart with Docker Compose guide and this certs.yml to see how to set the SAN.

Let me know if this helps!


Hey @robert. Thanks for replying back to my question, your instructions have helped me move forward. But now I have another issue.

I followed the commands from this link and the compose files from here, and now I don’t get any errors during the build of the containers. However, when I execute flwr run . local-deployment --stream, I get the following error:

_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
        status = StatusCode.UNAVAILABLE
        details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:9093: Ssl handshake failed (TSI_PROTOCOL_FAILURE): SSL_ERROR_SSL: error:1000007d:SSL
routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"
        debug_error_string = "UNKNOWN:Error received from peer  {created_time:"2024-11-27T13:18:50.69710094+02:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN:
ipv4:127.0.0.1:9093: Ssl handshake failed (TSI_PROTOCOL_FAILURE): SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"}"
>
E0000 00:00:1732706340.595075    1726 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706350.594511    1720 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706360.593597    1728 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706370.593564    1724 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706380.592757    1721 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706390.592663    1723 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706405.591836    1720 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706430.591835    1722 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706475.589544    1727 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706535.587665    1721 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

Do you have any thoughts on this one?

Update

I get the same error when I follow the commands from this link. I just used the latest versions of the .yml files from here. Could it be that something is outdated or that I’m using the wrong version of something?

Hi @vagzikopis,

It seems your Docker Compose setup might be outdated compared to the one used in the quickstart example.

Try updating the root-certificates value in your pyproject.toml to:

[tool.flwr.federations.local-deployment-tls]
address = "127.0.0.1:9093"
root-certificates = "../superexec-certificates/ca.crt"

Alternatively, use the latest Docker Compose setup by cloning the Flower repository with the tag v1.13.1. If you choose this option, also update the Flower CLI to version 1.13.1:

pip uninstall flwr  
pip install flwr==1.13.1  

Let us know if this resolves the issue!
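
An added example, not part of the thread or of Flower's own tooling: it reproduces with plain openssl the two checks the answers above point at, namely whether the server certificate carries the name the client dials as a SAN, and whether the client's CA file is the one that signed that certificate. The names ca-a, ca-b, good and nosan are constructed throwaway files in a temp directory.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CAs and server certificates, nothing from a real deployment.
set -u
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA written to $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME SAN: server certificate NAME.pem signed by CA, carrying SAN
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# check_peer CA_FILE CERT_FILE TARGET: the two things a TLS client checks,
# chain to the trusted CA and TARGET present as a SAN. TARGET is treated as
# an IPv4 address if it contains only digits and dots, otherwise as a DNS name.
check_peer() {
  case "$3" in
    *[!0-9.]*) flag=-verify_hostname ;;
    *)         flag=-verify_ip ;;
  esac
  openssl verify -CAfile "$1" "$flag" "$3" "$2" >/dev/null 2>&1
}

make_ca ca-a; make_ca ca-b
issue_cert ca-a good  "DNS:superlink,IP:127.0.0.1"   # names both clients dial
issue_cert ca-a nosan "DNS:localhost"                # service name missing

# Each row: trusted CA, server certificate, address the client connects to
for row in "ca-a good superlink" "ca-a good 127.0.0.1" \
           "ca-a nosan superlink" "ca-b good superlink"; do
  set -- $row
  if check_peer "$WORK/$1.crt" "$WORK/$2.pem" "$3"; then r=ok; else r=FAIL; fi
  echo "trust=$1 cert=$2 target=$3 -> $r"
done
```

To inspect the SANs of the certificate actually mounted into the containers, `openssl x509 -in .cache/certificates/server.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) prints them directly.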