gRPC mTLS Without Tears: Shipping Zero-Trust Channels in Go and Kotlin
Hook: The Night mTLS Died Because Someone Rotated the Root
Your Go service calls a Kotlin microservice over gRPC with mutual TLS. Both services use Envoy sidecars that trust a shared root CA. Security rotates the root to phase out SHA1, updates the central PKI, and reloads the Envoys. Half the calls start failing with remote error: tls: failed to verify certificate. The rotation job missed updating the client trust bundle baked into the Go service binary. Retries storm the network, circuit breakers open, and the incident recap says what every developer already knows: mTLS is fragile when you rely on static files and manual restarts.
This article tackles the developer-facing mTLS pain: distributing trust bundles, pinning client identities, and preventing silent downgrades. We will show concrete code in Go (using credentials.TransportCredentials) and Kotlin (using gRPC-Java), plus integration tests that catch bad certificates before they land in prod.
The Problem Deep Dive
Common failure patterns:
- Static trust stores. Developers bake
ca.peminto containers; rotations require new images. - Missing SAN validation. Clients accept any certificate signed by the CA, allowing impersonation.
- Clock skew. Functions running on Fargate or k8s nodes without NTP drift reject valid certs.
- Inconsistent cipher suites. Clients and servers use different TLS versions or cipher suites; load balancers downgrade connections.
- Weak observability. There is no metric when TLS verification fails, so errors surface as gRPC status codes.
Minimal Go client anti-pattern:
creds, _ := credentials.NewClientTLSFromFile("/etc/certs/ca.pem", "")
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(creds))
No server name override, no certificate pinning. Kotlin server anti-pattern:
val server = NettyServerBuilder.forPort(8443)
.useTransportSecurity(File("/etc/certs/server.pem"), File("/etc/certs/server.key"))
.build()
Without configuring trust managers, the server accepts any client cert signed by the CA, even if the subject is wrong.
Technical Solutions
Quick Patch: Dynamic Trust Bundles
Mount trust bundles as ConfigMaps or Secrets and reload them. In Go, watch the CA file and recreate TLS config on changes:
func loadTLSConfig() (*tls.Config, error) {
certPool := x509.NewCertPool()
pem, err := os.ReadFile("/certs/ca.pem")
if err != nil { return nil, err }
if !certPool.AppendCertsFromPEM(pem) { return nil, errors.New("invalid CA") }
return &tls.Config{
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
ServerName: "payments.internal",
}, nil
}
func dial(ctx context.Context) (*grpc.ClientConn, error) {
cfg, err := loadTLSConfig()
if err != nil { return nil, err }
creds := credentials.NewTLS(cfg)
return grpc.DialContext(ctx, serverAddr, grpc.WithTransportCredentials(creds))
}
Use a file watcher (fsnotify) to reload when the bundle changes.
Durable Fix: SPIFFE and Identity Pinning
Adopt SPIFFE/SPIRE to issue workload identities (spiffe://payments/service). Configure clients to require specific SPIFFE IDs:
import "github.com/spiffe/go-spiffe/v2/spiffetls"
conn, err := spiffetls.Dial(ctx, spiffetls.MTLSDialOption(spiffetls.AuthorizeID(spiffeid.Must("spiffe://inventory/service"))))
On the JVM side:
val tlsContext = SpiffeTlsContext.newBuilder()
.trust(bundleSource)
.keyManager(workloadApiClient)
.build()
val server = NettyServerBuilder.forPort(8443)
.sslContext(GrpcSslContexts.forServer(tlsContext.keyManager).trustManager(tlsContext.trustManager).clientAuth(ClientAuth.REQUIRE).build())
.build()
This enforces mutual authentication with explicit identities and handles rotation automatically.
Enforce SAN Validation
If you cannot adopt SPIFFE, validate SANs manually:
cfg.VerifyPeerCertificate = func(raw [][]byte, chains [][]*x509.Certificate) error {
cert, err := x509.ParseCertificate(raw[0])
if err != nil { return err }
for _, dns := range cert.DNSNames {
if dns == "inventory.internal" {
return nil
}
}
return errors.New("unexpected client identity")
}
Observability Hooks
Expose TLS metrics:
- Go: wrap transport with interceptor logging handshake errors.
- Kotlin: implement
ServerInterceptorthat increments Micrometer counters onStatus.UNAVAILABLEcaused by TLS failures.
Alprina Policies
Scan for NewClientTLSFromFile without ServerName. Flag server configs missing ClientAuth.REQUIRE. Ensure TLS min version set to 1.2 or higher.
Testing & Verification
Create integration tests with self-signed certs. In Go:
func TestRejectUnknownClient(t *testing.T) {
srv := startServer(t, withClientIdentity("spiffe://payments/service"))
badClient := newClient(t, withClientIdentity("spiffe://evil/service"))
_, err := badClient.List(ctx, &pb.Request{})
require.Error(t, err)
}
Use mkcert or cfssl to generate test certs. Validate that rotated certs load without restarting pods by simulating file updates in integration tests (kind cluster + tilt).
Inject clock skew by setting TZ and date in containers during tests; ensure handshake tolerates small offsets but fails when cert is expired.
Common Questions & Edge Cases
Do I need dual roots during rotation? Yes. Serve both old and new CA bundles until all workloads refresh. Keep both trust bundles available for at least one full deployment cycle.
What about gRPC-Web or HTTP/2 proxies? Ensure proxies pass through client certificates or terminate TLS at an mTLS-aware edge and forward identity via headers (validated downstream).
Can we use AWS ACM or GCP mTLS? Managed cert managers reduce toil. Configure services to fetch certs dynamically via SDS (Envoy) or workload API.
How do we handle Cron jobs? Jobs often run with different identities. Issue separate SPIFFE IDs or SANs for batch workloads and pin them explicitly.
Is TLS 1.3 safe? Yes, but check language runtime support. Go 1.13+ and modern JVMs support it. Configure cipher suites to match across services.
Conclusion
mTLS succeeds when identity and trust evolve with your code. Load trust bundles dynamically, pin client identities, instrument failures, and rehearse rotations in staging. Your next root rotation should be a non-event for both developers and pagers.