open-telemetry / opentelemetry-cpp

The OpenTelemetry C++ Client
https://opentelemetry.io/
Apache License 2.0

1.12.0 => 1.14.2: unable to get local issuer certificate #2653

Closed nic-godz closed 4 months ago

nic-godz commented 5 months ago

Got the latest version (1.14.2) available from Conan:

[Error] File: build/.conan2/p/b/opentd6194588ef21d/b/src/exporters/otlp/src/otlp_http_client.cc:200 [OTLP HTTP Client] Session state: connection failed.SSL certificate problem: unable to get local issuer certificate
[Error] File: build/.conan2/p/b/opentd6194588ef21d/b/src/exporters/otlp/src/otlp_http_log_record_exporter.cc:130 [OTLP LOG HTTP Exporter] ERROR: Export 1 log(s) error: 1

Went back to 1.12.0 (via Conan as well) and no problem.

I know a lot of stuff regarding SSL has been updated in version 1.14.0. But to me it mostly looks like gRPC related changes. We are only using HTTP.

Anything I have been missing in terms of configuration that needs to be done in 1.14.2?

Versions of the dependent 3rd-party software/packages can be found over at conan.io.

marcalff commented 5 months ago

Are you sure the build actually uses SSL on 1.12.0 ?

In opentelemetry-cpp 1.12.0, WITH_OTLP_HTTP_SSL_PREVIEW is OFF by default, and needs to be explicitly enabled when building.

In 1.14.2, this option is removed, and SSL is mainstream.

nic-godz commented 5 months ago

As we only have HTTPS (443) endpoints I always thought SSL was enabled. But looking in the build logs for 1.12, it looks like WITH_OTLP_HTTP_SSL_PREVIEW is OFF.

But what does this mean? Is curl running in --insecure/-k mode, with certificate validation disabled?

I tried to enable WITH_OTLP_HTTP_SSL_PREVIEW in 1.12 via Conan. But it looks like that option is hardcoded. Will try to patch it just to make sure this is a 1.12 issue as well.

marcalff commented 5 months ago

To clarify,

the OTLP HTTP protocol uses port 4318 by default, for both http and https traffic.

Presence of a port 80 or 443 on the host is irrelevant; this would be for http / https traffic to a web server, independent of an opentelemetry-cpp endpoint (typically the opentelemetry collector).

With WITH_OTLP_HTTP_SSL_PREVIEW set to OFF, the OTLP HTTP protocol is using only http on port 4318, not https.

nic-godz commented 5 months ago

Thanks for the fast reply and clarification. What I'm saying is that we use port 443 and only accept HTTPS (no HTTP) on that port. It looks like WITH_OTLP_HTTP_SSL_PREVIEW is set to OFF in the Conan build for 1.12. If that is the case it makes me wonder what WITH_OTLP_HTTP_SSL_PREVIEW really means, as HTTPS has been working for several months with the 1.12 release.

But as I say, the Conan magic when it comes to params is a bit tricky to follow sometimes. I will dig deeper into it.

nic-godz commented 4 months ago

Solved. Using the (new?) insecure option in 1.14.2 solved it:

    opentelemetry::exporter::otlp::OtlpHttpLogRecordExporterOptions opts;
    opts.ssl_insecure_skip_verify = true;

marcalff commented 4 months ago

Solved. Using the (new?) insecure option in 1.14.2 solved it:

    opentelemetry::exporter::otlp::OtlpHttpLogRecordExporterOptions opts;
    opts.ssl_insecure_skip_verify = true;

This can hardly be considered a "fix", as this option disables SSL entirely.

At a minimum, it allows upgrading:

Closing this issue as the upgrade is no longer blocked.

I would strongly encourage you to investigate why the SSL setup is not functional, assuming SSL is desired.

If the setup is to not use SSL at all, configure the OTLP HTTP endpoint to use http:// instead of https://.
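The error in this thread, "unable to get local issuer certificate", means the client's trust store does not contain the CA that issued the collector's certificate. The following is an added example, not code from the thread or from opentelemetry-cpp: it builds a constructed private CA and collector certificate with the OpenSSL CLI (assumed available), reproduces the same verification failure against the default trust store, and shows that supplying the CA bundle resolves it. Feeding that bundle to the exporter (through its CA-bundle option, ssl_ca_cert_path in 1.14, which this thread does not mention and is stated here as an assumption) is the alternative to ssl_insecure_skip_verify.

```shell
#!/usr/bin/env bash
# Constructed demo: reproduce "unable to get local issuer certificate" with a
# private CA, then resolve it by trusting that CA instead of skipping verification.
set -euo pipefail

# Create a throwaway PKI in "$1": a private CA and a collector leaf cert it signs.
make_pki() {
  local dir="$1"
  mkdir -p "$dir"
  # Private CA (self-signed). Assumed: OpenSSL CLI on PATH.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.pem" -subj "/CN=Constructed Private CA" -days 2 >/dev/null 2>&1
  # Collector leaf certificate, signed by the private CA.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/collector.key" \
    -out "$dir/collector.csr" -subj "/CN=otel-collector.example" >/dev/null 2>&1
  openssl x509 -req -in "$dir/collector.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/collector.pem" -days 1 >/dev/null 2>&1
}

# Verify the collector cert the way a TLS client would. With no CA file, only the
# default system trust store is consulted, which is what the exporter sees when
# no CA bundle is configured. Echoes the openssl verify result instead of failing.
verify_collector_cert() {
  local dir="$1" cafile="${2:-}"
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" "$dir/collector.pem" 2>&1 || true
  else
    openssl verify "$dir/collector.pem" 2>&1 || true
  fi
}

# Stand-alone run: show the failure, then the fix.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  work=$(mktemp -d)
  make_pki "$work"
  echo "--- default trust store (same failure as the exporter log):"
  verify_collector_cert "$work"
  echo "--- with the issuing CA bundle supplied:"
  verify_collector_cert "$work" "$work/ca.pem"
fi
```

Pointing the exporter at the same bundle keeps certificate validation on; ssl_insecure_skip_verify removes it for every connection the exporter makes.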

nic-godz commented 4 months ago

Thanks, fair enough. The compatibility fix was first priority. I will check why the distribution of the cert is not working as it should and keep the option in mind.