
Ability to use OTLP servers with self-signed certificates

Open ejsmith opened this issue 3 years ago • 3 comments

Feature Request

My OTLP server has a self-signed SSL certificate, but there is no way for me to configure the GrpcChannelOptions in order to customize how the certificates are validated. I've read through various issues and there seems to be a desire to not expose GrpcChannelOptions, which is fine, but there needs to be some sort of way to customize how certificates are validated. Ideally, I'd like to check the certificate's thumbprint to validate it, and I can also see wanting to just ignore cert errors just for the OTLP server requests.

It seems like it would be nice if the HttpClientFactory was used to set the HttpClient property on the GrpcChannelOptions. Then I could configure the client just for that export service.

ejsmith, Jun 20 '22 19:06

@alanwest might be able to recommend the options, if any. I believe this is the same as https://github.com/open-telemetry/opentelemetry-dotnet/issues/2009

Maybe related is https://github.com/open-telemetry/opentelemetry-dotnet/issues/2120

cijothomas, Jun 24 '22 04:06

> options, if any

Yea, there are no options today.

> It seems like it would be nice if the HttpClientFactory was used to set the HttpClient property on the GrpcChannelOptions.

Agreed. This occurred to me in the past as well when the HttpClientFactory option was introduced for http/protobuf. I just haven't had a chance to experiment with this idea yet.

The option in #2009 to implement the additional configuration options required by the specification should probably be done anyways just to be consistent with other language SDKs, but as you note, it's a limited solution that doesn't quite get you what you're after.

The other option that might get you what you're after is to expose the GrpcChannelOptions from the exporter's config. We originally had it this way, but scoped it down to just the options defined in the spec prior to the 1.0 release. That said, I'd be keen on exploring the HttpClientFactory idea first.

> Maybe related is https://github.com/open-telemetry/opentelemetry-dotnet/issues/2120

I think #2120 is the same as what you'd like. The ability to bypass or customize cert validation.

alanwest, Jun 24 '22 17:06
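
The thumbprint check requested in this thread, sketched for the http/protobuf protocol, where the thread notes an HttpClientFactory option already exists. This is an added example, not code from the issue or the project; the endpoint, the ActivitySource name and the thumbprint are placeholders, and it assumes the exporter's `OtlpExporterOptions.HttpClientFactory` property. It does not apply to the gRPC protocol, for which the thread says there are no options today.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using OpenTelemetry;
using OpenTelemetry.Exporter;
using OpenTelemetry.Trace;

static class PinnedOtlpExporter
{
    // Placeholder: SHA-256 thumbprint (hex) of the collector's self-signed certificate.
    const string PinnedSha256 = "<SHA256-THUMBPRINT-OF-COLLECTOR-CERT>";

    // Accept a certificate that validates normally, or one whose ONLY failure is an
    // untrusted chain (the self-signed case) and whose thumbprint equals the pin.
    static bool Validate(HttpRequestMessage request, X509Certificate2? cert,
                         X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert is null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false; // name mismatch or a missing certificate is never accepted
        return string.Equals(cert.GetCertHashString(HashAlgorithmName.SHA256),
                             PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static TracerProvider Build() =>
        Sdk.CreateTracerProviderBuilder()
            .AddSource("MyCompany.MyService") // hypothetical ActivitySource name
            .AddOtlpExporter(o =>
            {
                o.Protocol = OtlpExportProtocol.HttpProtobuf;
                // Constructed endpoint; with http/protobuf the signal path is part of the URI.
                o.Endpoint = new Uri("https://otlp.example.internal:4318/v1/traces");
                // The custom handler is scoped to this exporter's HttpClient only.
                o.HttpClientFactory = () =>
                {
                    var handler = new HttpClientHandler
                    {
                        ServerCertificateCustomValidationCallback = Validate
                    };
                    return new HttpClient(handler)
                    {
                        Timeout = TimeSpan.FromMilliseconds(o.TimeoutMilliseconds)
                    };
                };
            })
            .Build();
}
```

Because the pin is the certificate's hash, rotating the collector's certificate requires updating `PinnedSha256` in the same deployment.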