opentelemetry-collector-contrib

[cmd/telemetrygen] Changes to SSL behavior breaks case where you aren't providing a custom CA

Open AlexDCraig opened this issue 1 year ago • 1 comments

Component(s)

cmd/telemetrygen

What happened?

Description

Upgrading telemetrygen to latest breaks my use case for using telemetrygen. That is, I have grpc and http ingresses with legitimate TLS certificates issued to them and normal trusted CAs recognize them. SSL changes in recent telemetrygen versions have added the ability to provide a CA to verify certificates, but it has seemingly broken the case where the CA that validates the certificate is one that already exists on the host machine via a trusted roots folder. In a nutshell, it works now if you want to sign your own cert with your own CA, but if you have real certs signed by real CAs, it doesn't work like before.

Steps to Reproduce

  • Install telemetrygen @ latest using go
  • Use telemetrygen to write to an endpoint that has a real TLS certificate on it, for example:
telemetrygen metrics --otlp-endpoint [my-site]:443 --otlp-header 'Authorization="Bearer [my-token]"'

Expected Result

  • The command succeeds.

Actual Result

  • The command fails with:
2024-02-12T15:35:09.323-0800	INFO	[email protected]/clientconn.go:1225	[core][Channel #1 SubChannel #2] Subchannel Connectivity change to TRANSIENT_FAILURE, last error: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"	{"system": "grpc", "grpc_log": true}

Workaround

  1. Downgrade at least to v0.85.0

OR

  1. On latest. Go to your endpoint and download the CA cert that is assigned to it (e.g. in my case, it's a Baltimore Cyber Trust Root). Supply this downloaded cert to telemetrygen via the --ca-cert flag.

Collector version

0.83.0

Environment information

Environment

OS: (e.g., "Ubuntu 20.04") Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

No response

Log output

No response

Additional context

No response

AlexDCraig, Feb 12 '24 23:02

Pinging code owners:

  • cmd/telemetrygen: @mx-psi @codeboten

See Adding Labels via Comments if you do not have permissions to add labels yourself.

github-actions[bot], Feb 12 '24 23:02

I believe this was fixed by #31250, but let me know if I'm incorrect. Thanks for fixing @AlexDCraig!

crobert-1, Feb 28 '24 22:02