Hi I'm trying to use bazel-remote-cache with pants and I'm able to connect to it using client certificates through https. But when configuring pants with:

[GLOBAL]
...
remote_cache_read = true
remote_cache_write = true
remote_client_certs_path = "certs/clientCert.pem"
remote_client_key_path = "certs/clientKey.pem"
ca_certs_path = "certs/caCert.pem"
remote_ca_certs_path = "certs/caCert.pem"
remote_store_address = "<grpcs://bazel-remote-cache-python>.[redacted].azurecontainerapps.io:9092"

I'm getting the following error messages when running

pants check ::

10:51:09.52 [WARN] Failed to read from remote cache (1 occurrences so far): Unavailable: "error trying to connect: invalid peer certificate: NotValidForName"
10:51:19.41 [INFO] Completed: Building requirements_venv.pex
10:51:19.47 [WARN] Failed to write to remote cache (1 occurrences so far): Unavailable: "error trying to connect: invalid peer certificate: NotValidForName"
10:51:19.64 [WARN] Failed to read from remote cache (2 occurrences so far): Unavailable: "error trying to connect: invalid peer certificate: NotValidForName"
10:51:20.16 [WARN] Failed to write to remote cache (2 occurrences so far): Unavailable: "error trying to connect: invalid peer certificate: NotValidForName"

Any help I could get?

Hey mate 🙂. Have you tried using grpcurl to confirm everything is ok connection wise?

hey! I didn't. But I found the main issue. The certificate was missing a SAN DNS name even though the CN was correctly configured. Maybe this is something related to the package pants use for doing the grpc calls? Looks very much like a bug once having the correct CN should be enough for mTLS to work

I half-remebered something about this, found: RFC6125 means that if the SAN is present, the CN MUST NOT be consulted https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4

Then it's a bug. Because in my case it should check the CN because there was no DNS name in SAN