observatorium / api

The Observatorium API
Apache License 2.0

Observatorium-API with TLS difficulties on macOS #192

Open esnible opened 3 years ago

esnible commented 3 years ago

Observatorium-API requires TLS 1.3, which is not the default on macOS. In addition, the error message on Mac is a bit confusing:

First, I ran make test-interactive. (Note that this test prints many lines of stuff, then the important bit with the ports, then endless lines of server logs. The docs should highlight that the user of this test needs to hunt through the output looking for.)

Opening http://127.0.0.1:63256 in browser.

You're all set up!
========================================
Observatorium API on host machine:              127.0.0.1:63330
Observatorium internal server on host machine:  127.0.0.1:63331
Thanos Query on host machine:                   127.0.0.1:63256
Loki on host machine:                           127.0.0.1:63298

I wanted to test the Observatorium API.

curl 127.0.0.1:63330
Client sent an HTTP request to an HTTPS server.

(It might be worthwhile to put https:// on the endpoints output above).

curl https://127.0.0.1:63330/
curl: (35) error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version

After three hours of hair-pulling, and openssl s_client debugging, the problem became obvious:

curl --tlsv1.3 https://127.0.0.1:63330/
curl: (4) LibreSSL was built without TLS 1.3 support

Observatorium-API requires TLS 1.3, and macOS curl doesn't output anything useful.

Following the instructions on https://learnings.bolmaster2.com/posts/curl-openssl-tlsv1.3-on-macos.html I was able to get an OpenSSL-based curl and verify Observatorium-API is fine:

brew install curl-openssl
/usr/local/opt/curl/bin/curl --insecure https://127.0.0.1:63330/
{
  "paths": [
    "/api/logs/v1/{tenant}/*",
    "/api/metrics/v1/{tenant}/*",
    "/api/v1/{tenant}/*",
    "/oidc/{tenant}/*",
    "/{tenant}"
  ]
}

My suggestion is to either configure Observatorium-API to tolerate TLS 1.2 or include a section for Mac users explaining that SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version means that a third-party OpenSSL-based curl is needed.

My Chrome could have handled this. I went to https://127.0.0.1:63330/ in Chrome and was prompted for a cert. If I had clicked 'cancel' I would have seen everything was fine but I was uncertain which cert to supply so I didn't try.

matej-g commented 3 years ago

The TLS version should be configurable, see this flag https://github.com/observatorium/api/blob/main/main.go#L830.

I'm also thinking, for the purposes of running tests, we might want to adjust the tests to let users choose whether to run Observatorium on HTTPS or plain HTTP.