Closed nic-godz closed 4 months ago
Are you sure the build actually uses SSL on 1.12.0?
In opentelemetry-cpp 1.12.0, WITH_OTLP_HTTP_SSL_PREVIEW is OFF by default, and needs to be explicitly enabled when building.
In 1.14.2, this option is removed, and SSL is mainstream.
As we only have HTTPS (443) endpoints I always thought SSL was enabled. But looking in the build logs for 1.12, it looks like WITH_OTLP_HTTP_SSL_PREVIEW is OFF.
But what does this mean? Is Curl running in --insecure/-k mode? With certificate validation disabled.
I tried to enable WITH_OTLP_HTTP_SSL_PREVIEW in 1.12 via Conan. But it looks like that option is hardcoded. Will try to patch it just to make sure this is a 1.12 issue as well.
To clarify, the OTLP HTTP protocol uses port 4318 by default, for both http and https traffic.
Presence of a port 80 or 443 on the host is irrelevant, this would be for http / https traffic to a web server, independent of an opentelemetry-cpp endpoint (typically the opentelemetry collector).
With WITH_OTLP_HTTP_SSL_PREVIEW set to OFF, the OTLP HTTP protocol is using only http on port 4318, not https.
Thanks for fast reply and clarification. What I'm saying is that we use port 443 and only accept HTTPS (no HTTP) on that port. It looks like WITH_OTLP_HTTP_SSL_PREVIEW is set to OFF in the Conan build for 1.12. If that is the case it makes me wonder what WITH_OTLP_HTTP_SSL_PREVIEW really means, as HTTPS has been working for several months for the 1.12 release.
But as I say, the Conan magic when it comes to params is a bit tricky to follow sometimes. I will dig deeper into it.
Solved. Using the (new?) insecure option in 1.14.2 solved it:
opentelemetry::exporter::otlp::OtlpHttpLogRecordExporterOptions opts;
opts.ssl_insecure_skip_verify = true;
This can hardly be considered a "fix", as this option disables SSL entirely.
At the minimum, it allows to upgrade:
ssl_insecure_skip_verify = true
Closing this issue as the upgrade is no longer blocked.
I would strongly encourage you to investigate why the SSL setup is not functional, assuming SSL is desired.
If the setup is to not use SSL at all, configure the OTLP HTTP endpoint to use http:// instead of https://.
Thanks, fair enough. Compatibility fix was first prio. I will check why distribution of the cert is not working as it should and keep the option in mind.
Got the latest version (1.14.2) available from Conan:
[Error] File: build/.conan2/p/b/opentd6194588ef21d/b/src/exporters/otlp/src/otlp_http_client.cc:200 [OTLP HTTP Client] Session state: connection failed.SSL certificate problem: unable to get local issuer certificate
[Error] File: build/.conan2/p/b/opentd6194588ef21d/b/src/exporters/otlp/src/otlp_http_log_record_exporter.cc:130 [OTLP LOG HTTP Exporter] ERROR: Export 1 log(s) error: 1
Went back to 1.12.0 (via Conan as well) and no problem.
I know a lot of stuff regarding SSL has been updated in version 1.14.0. But to me it mostly looks like gRPC related changes. We are only using HTTP.
Anything I have been missing in terms of configuration that needs to be done in 1.14.2?
Versions of the dependent 3rd-party sw/packages can be found over at conan.io
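
A small triage helper for the client error quoted in the post above, added here as an example (it is not code from opentelemetry-cpp or from anyone in the thread). The cause labels, advice strings, function names and the collector.example URL are assumptions of this example; it also assumes ssl_insecure_skip_verify switches off certificate checks while TLS stays on, as curl's -k does.

```python
import re

# Log lines copied from the issue text above (1.14.2 build).
SAMPLE_LOG = (
    "[Error] File: build/.conan2/p/b/opentd6194588ef21d/b/src/exporters/otlp/src/otlp_http_client.cc:200 [OTLP HTTP Client] Session state: connection failed.SSL certificate problem: unable to get local issuer certificate\n"
    "[Error] File: build/.conan2/p/b/opentd6194588ef21d/b/src/exporters/otlp/src/otlp_http_log_record_exporter.cc:130 [OTLP LOG HTTP Exporter] ERROR: Export 1 log(s) error: 1\n"
)

# Patterns match libcurl/OpenSSL reason strings that follow "connection failed.";
# the labels and advice text are this example's own wording.
CAUSES = [
    (r"unable to get local issuer certificate", "untrusted_issuer",
     "no CA known to the client chains to the server certificate; supply the issuing CA bundle"),
    (r"self[- ]signed certificate", "self_signed",
     "the chain ends in a self-signed certificate; trust that CA explicitly"),
    (r"certificate has expired", "expired", "renew the server certificate"),
    (r"subject name .*does not match|no alternative certificate subject name",
     "hostname_mismatch", "the endpoint host is not named in the certificate"),
]
LINE = re.compile(r"\[OTLP HTTP Client\] Session state: connection failed\.\s*(?P<reason>.+)$")

def triage(log_text):
    """Return one finding per OTLP HTTP client connection failure in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        reason = m.group("reason").strip()
        label, advice = "other", "inspect the TLS handshake for this endpoint"
        for pattern, name, hint in CAUSES:
            if re.search(pattern, reason, re.IGNORECASE):
                label, advice = name, hint
                break
        findings.append({"cause": label, "reason": reason, "advice": advice})
    return findings

def transport_posture(endpoint, skip_verify):
    """Classify what an endpoint URL plus the skip-verify flag gives you."""
    scheme = endpoint.lower()
    if scheme.startswith("http://"):
        return "plaintext"
    if scheme.startswith("https://"):
        # Assumption: skip-verify keeps TLS but accepts any server certificate.
        return "encrypted_unverified" if skip_verify else "encrypted_verified"
    return "unknown_scheme"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["cause"], "-", f["advice"])
    print(transport_posture("https://collector.example:443/v1/logs", True))
```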