a
Currently I'm trying to set up mTLS between two OTEL collectors: one is running on Docker and the other one is running on Kubernetes. While setting up K8s I'm getting the following error @Prashant Shahi
2024-06-18T06:49:16.787Z	info	exporterhelper/retry_sender.go:177	Exporting failed. Will retry the request after interval.	{"kind": "exporter", "data_type": "metrics", "name": "otlp", "error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"", "interval": "13.402682275s"}
2024-06-18T06:49:30.191Z	info	exporterhelper/retry_sender.go:177	Exporting failed. Will retry the request after interval.	{"kind": "exporter", "data_type": "metrics", "name": "otlp", "error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"", "interval": "20.649604662s"}
But it works well with the other OTEL collector. Here is the command I'm using to set up K8s-Infra. I'm also using Secrets for the TLS certs in k8s.
helm --namespace k8s-infra install my-release signoz/k8s-infra \
  --set otelCollectorEndpoint=https://example.dev:4317 \
  --set otelInsecure=false \
  --set global.clusterName=k04-admin@kubernetes \
  --set tls.enabled=true \
  --set tls.secretName=ss-dev-new \
  --set tls.caCert=rootCA.crt \
  --set tls.tlsCert=monitor.crt \
  --set tls.tlsKey=monitor.key
@Prashant Shahi @nitya-signoz I'm getting this error.
": "exporter", "data_type": "metrics", "name": "otlp", "error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"", "interval": "32.884282746s"}
2024-06-19T10:29:15.804Z	info	exporterhelper/retry_sender.go:177	Exporting failed. Will retry the request after interval.	{"kind": "exporter", "data_type": "metrics", "name": "otlp", "error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"", "interval": "12.601209538s"}
2024-06-19T10:29:23.637Z	error	exporterhelper/queue_sender.go:93	Exporting failed. No more retries left. Dropping data.	{"kind": "exporter", "data_type": "metrics", "name": "otlp", "error": "max elapsed time expired rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\"", "dropped_items": 818}
The certs work well if I use them with other OTEL collectors to send data to SigNoz.
@Prashant Shahi Waiting for your reply!
p
--set tls.enabled=true \
  --set tls.secretName=ss-dev-new \
  --set tls.caCert=rootCA.crt \
  --set tls.tlsCert=monitor.crt \
  --set tls.tlsKey=monitor.key
^ I don't think this is valid configuration.
a
Ok, any guide on this? What should I do next?
I tried via the Helm chart values too, got the same error.
p
Try using these instead:
global:
  clusterName: k04-admin
otelCollectorEndpoint: https://example.dev:4317
otelInsecure: false
otelTlsSecrets:
  enabled: true
  existingSecretName: ss-dev-new
  certificate: |
    <INCLUDE_CERTIFICATE_HERE>
  key: |
    <INCLUDE_PRIVATE_KEY_HERE>
  ca: |
    <INCLUDE_CA_HERE>
For an existing secret, you will need to add the certificate data with the following keys.
cert.pem: ...
key.pem: ...
ca.pem: ... # optional
a
Now I tried to convert crt & key to pem format and I passed this .... same issue
transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
helm --namespace otel install my-release signoz/k8s-infra \
  --set otelCollectorEndpoint=example:4317 \
  --set otelInsecure=false \
  --set global.clusterName=k04-admin \
  --set otelTlsSecrets.enabled=true \
  --set otelTlsSecrets.existingSecretName=otel-key
Screenshot 2024-06-20 at 1.15.10 PM.png
p
sorry, I am caught up with things at hand right now. Will try this out and get back.
also, how did you generate the certificates?
a
openssl
The certificates work fine, as I said earlier, with other OTEL collectors
p
@Anurag Vishwakarma The CA might not be mounted at all. Can you try setting otelTlsSecrets.ca to a non-empty value, i.e. set it to any string. Try the updated values (include all of these): https://signoz-community.slack.com/archives/C01HWQ1R0BC/p1718863800775029?thread_ts=1718694490.175009&cid=C01HWQ1R0BC