
[cmd/telemetrygen] Changes to SSL behavior breaks case where you aren't providing a custom CA #31191

Closed
AlexDCraig opened this issue Feb 12, 2024 · 2 comments
Labels
bug Something isn't working cmd/telemetrygen telemetrygen command needs triage New item requiring triage

Comments

@AlexDCraig
Contributor

Component(s)

cmd/telemetrygen

What happened?

Description

Upgrading telemetrygen to latest breaks my use case for using telemetrygen. That is, I have grpc and http ingresses with legitimate TLS certificates issued to them and normal trusted CAs recognize them. SSL changes in recent telemetrygen versions have added the ability to provide a CA to verify certificates, but it has seemingly broken the case where the CA that validates the certificate is one that already exists on the host machine via a trusted roots folder. In a nutshell, it works now if you want to sign your own cert with your own CA, but if you have real certs signed by real CAs, it doesn't work like before.

Steps to Reproduce

  • Install telemetrygen @ latest using go
  • Use telemetrygen to write to an endpoint that has a real TLS certificate on it, for example:
telemetrygen metrics --otlp-endpoint [my-site]:443 --otlp-header 'Authorization="Bearer [my-token]"'

Expected Result

  • The command succeeds.

Actual Result

  • The command fails with:
2024-02-12T15:35:09.323-0800	INFO	grpc@v1.61.0/clientconn.go:1225	[core][Channel #1 SubChannel #2] Subchannel Connectivity change to TRANSIENT_FAILURE, last error: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"	{"system": "grpc", "grpc_log": true}

Workaround

  1. Downgrade at least to v0.85.0

OR

  1. On latest, go to your endpoint and download the CA cert that is assigned to it (e.g. in my case, it's a Baltimore Cyber Trust Root). Supply this downloaded cert to telemetrygen via the --ca-cert flag.

Collector version

0.83.0

Environment information

Environment

OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

No response

Log output

No response

Additional context

No response

@AlexDCraig AlexDCraig added bug Something isn't working needs triage New item requiring triage labels Feb 12, 2024
@github-actions github-actions bot added the cmd/telemetrygen telemetrygen command label Feb 12, 2024
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

TylerHelmuth pushed a commit that referenced this issue Feb 21, 2024
…onment (#31250)

**Description:** 

Adding TLS configuration to telemetrygen made it so that providing root
CA information is mandatory. This is for the case when you are
generating CAs and using them to sign certificates. In the case where
the CA that signed the certificate is a known trusted CA, we shouldn't
have to provide its CA certificate. This PR fixes this problem by
allowing the code to pull its CA pool from the host environment when CAs
are not explicitly supplied.

**Link to tracking Issue:** #31191

**Testing:** Generate metrics, logs, traces against http and grpc
endpoints with legitimate certificates

**Documentation:** <Describe the documentation added.>
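The behaviour this commit message describes, as an added Go illustration that is not telemetrygen's own code (function names are hypothetical): leaving `tls.Config.RootCAs` nil makes Go verify against the host trust store, whereas installing an empty `x509.CertPool` rejects every chain, including those ending in a public root such as the one the reporter hit.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// newTLSConfig mirrors the fixed behaviour: with no CA PEM supplied, RootCAs
// stays nil (host trusted roots); with a CA supplied, only that CA is trusted.
func newTLSConfig(caPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) == 0 {
		return cfg, nil // nil RootCAs == host certificate store
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca-cert: no PEM certificates could be parsed")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// newTLSConfigFromFile is a --ca-cert style entry point (hypothetical name);
// an empty path means "trust the host store".
func newTLSConfigFromFile(caFile string) (*tls.Config, error) {
	if caFile == "" {
		return newTLSConfig(nil)
	}
	pemBytes, err := os.ReadFile(caFile)
	if err != nil {
		return nil, fmt.Errorf("read %s: %w", caFile, err)
	}
	return newTLSConfig(pemBytes)
}

// newTLSConfigBroken reproduces the reported behaviour: an empty pool is always
// installed, so a chain ending in a root that only exists in the host store
// fails with "x509: certificate signed by unknown authority".
func newTLSConfigBroken(caPEM []byte) *tls.Config {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // no-op when caPEM is empty
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool}
}

func main() {
	cfg, _ := newTLSConfigFromFile("") // no --ca-cert given
	fmt.Println("host roots used:", cfg.RootCAs == nil) // true after the fix
}
```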
@crobert-1
Member

I believe this was fixed by #31250, but let me know if I'm incorrect. Thanks for fixing @AlexDCraig!

XinRanZhAWS pushed a commit to XinRanZhAWS/opentelemetry-collector-contrib that referenced this issue Mar 13, 2024
…onment (open-telemetry#31250)