
jaegertracing/opentelemetry-all-in-one: ES_TLS_SKIP_HOST_VERIFY/es.tls.skip-host-verify - does not work with self-signed certificate

Open JWebDev opened this issue 3 years ago • 6 comments

Describe the bug

I am trying to redirect/save opentelemetry spans to an elasticsearch which is signed with a self-made certificate. I can confirm that the "skip check certificate" works, for example, with grafana and fluentd. In the case of the opentelemetry container, it is not working.

To Reproduce

Just run this docker-compose and try to connect to https://elasticsearch:9200

version: '3.7'
services:
  jaeger:
    image: jaegertracing/opentelemetry-all-in-one
    container_name: jaeger
    environment:
      SPAN_STORAGE_TYPE: elasticsearch
      ES_TLS_SKIP_HOST_VERIFY: "true"
    command: [
        "--es.server-urls=https://elasticsearch:9200",
        "--es.num-shards=1",
        "--es.num-replicas=0",
        "--es.tls.skip-host-verify=true",
        "--log-level=error",
        "--es.username=jdev",
        "--es.password=$ELASTICSEARCH_PASSWORD"
    ]
    ports:
      - "5775:5775/udp"
      - "6831:6831/udp"
      - "6832:6832/udp"
      - "5778:5778"
      - "16686:16686"
      - "14268:14268"
      - "9411:9411"
    networks: [ net ]

Recreating jaeger ... done
Attaching to jaeger
jaeger    | Error: cannot setup pipelines: cannot build builtExporters: error creating jaeger_elasticsearch exporter: Get "https://elasticsearch:9200": x509: certificate is not valid for any names, but wanted to match elasticsearch
jaeger    | 2021/04/17 19:54:47 Failed to run the service: cannot setup pipelines: cannot build builtExporters: error creating jaeger_elasticsearch exporter: Get "https://elasticsearch:9200": x509: certificate is not valid for any names, but wanted to match elasticsearch
jaeger exited with code 1

Version (please complete the following information):

  • OS: Ubuntu
  • Jaeger version: latest
  • Deployment: Docker

Several hours of googling and trying didn't help. All indications show that the flags I have set should work. I guess this is a bug.

JWebDev, Apr 17 '21 20:04

I have a similar problem (but not in the all-in-one container).

When I create self-signed certificates in elastic, I add the argument --es.tls.skip-host-verify=true to the collector and query, but they still write a certificate error.

I ran into this problem after updating jaeger: it works correctly with versions 1.17 and 1.18 and doesn't work with jaeger version 1.19 and higher.

aksenk, May 18 '21 19:05

@rubenvp8510, could you please try this one?

jpkrohling, May 19 '21 08:05

Hi @jpkrohling @rubenvp8510 - any updates from this story? Thanks.

JWebDev, Jul 22 '21 13:07

I have verified, this is broken with 1.29. Certificate error goes away with version 1.18, but it fails for other reasons.

nibbleshift, Jan 02 '22 15:01

ditto, verified in 1.18 working fine but failed with the latest version 1.33

arulselvan, Apr 26 '22 13:04

@JWebDev try to add flag --es.tls.enabled=true into command section. I had the same issue, and it works.

wkedz, May 25 '22 10:05