Observatorium-API with TLS difficulties on MacOS #192

Open
esnible opened this issue Nov 16, 2021 · 1 comment

esnible commented Nov 16, 2021

Observatorium-API requires TLS 1.3 which is not default on MacOS. In addition, the error message on Mac is a bit confusing:

First, I ran make test-interactive.
(Note that this test prints many lines of stuff, then the important bit with the ports, then endless lines of server logs. The docs should highlight that the user of this test needs to hunt through the output looking for.)

Opening http://127.0.0.1:63256 in browser.

You're all set up!
========================================
Observatorium API on host machine: 		127.0.0.1:63330 
Observatorium internal server on host machine: 	127.0.0.1:63331 
Thanos Query on host machine: 			127.0.0.1:63256 
Loki on host machine: 				127.0.0.1:63298 

I wanted to test the Observatorium API.

curl 127.0.0.1:63330
Client sent an HTTP request to an HTTPS server.

(It might be worthwhile to put https:// on the endpoints output above).

curl https://127.0.0.1:63330/ 
curl: (35) error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version

After three hours of hair-pulling, and openssl s_client debugging, the problem became obvious:

curl --tlsv1.3 https://127.0.0.1:63330/                        
curl: (4) LibreSSL was built without TLS 1.3 support

Observatorium-Api requires TLS 1.3, and MacOS curl doesn't output anything useful.

Following the instructions on https://learnings.bolmaster2.com/posts/curl-openssl-tlsv1.3-on-macos.html I was able to get an openssl-based curl and verify Observatorium-api is fine:

brew install curl-openssl
/usr/local/opt/curl/bin/curl --insecure https://127.0.0.1:63330/
{
  "paths": [
    "/api/logs/v1/{tenant}/*",
    "/api/metrics/v1/{tenant}/*",
    "/api/v1/{tenant}/*",
    "/oidc/{tenant}/*",
    "/{tenant}"
  ]
}

My suggestion is to either configure Observatorium-API to tolerate TLS 1.2 or include a section for Mac users explaining that SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version means that a 3rd-party openssl-based curl is needed.

My Chrome could have handled this. I went to https://127.0.0.1:63330/ in Chrome and was prompted for a cert. If I had clicked 'cancel' I would have seen everything was fine but I was uncertain which cert to supply so I didn't try.

matej-g commented Nov 17, 2021

The TLS version should be configurable, see this flag https://github.com/observatorium/api/blob/main/main.go#L830.

I'm also thinking, for the purposes of running tests, we might want to adjust the tests for users to choose whether to run Observatorium on HTTPS or plain HTTP.
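
An added example, not part of the thread and not Observatorium code: a small Go probe that pins one TLS version per handshake, so a "protocol version" alert like the one above can be traced to the server's minimum version in seconds. The names `probe`, `acceptedVersions` and `newTLS13OnlyServer` are hypothetical, and the in-process `httptest` server is a constructed stand-in for an endpoint that only accepts TLS 1.3.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// versions maps a display name to each protocol version worth probing.
var versions = map[string]uint16{"TLS 1.2": tls.VersionTLS12, "TLS 1.3": tls.VersionTLS13}

// probe attempts one handshake pinned to exactly one TLS version (nil = accepted).
func probe(addr string, version uint16, roots *x509.CertPool) error {
	cfg := &tls.Config{MinVersion: version, MaxVersion: version, RootCAs: roots}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	_ = conn.Close()
	return nil
}

// acceptedVersions reports, per version name, whether addr accepts it.
func acceptedVersions(addr string, roots *x509.CertPool) map[string]bool {
	out := make(map[string]bool, len(versions))
	for name, v := range versions {
		out[name] = probe(addr, v, roots) == nil
	}
	return out
}

// newTLS13OnlyServer is a constructed stand-in that refuses anything below TLS 1.3.
func newTLS13OnlyServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust httptest's built-in test certificate
	return srv, roots
}

func main() {
	srv, roots := newTLS13OnlyServer()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	fmt.Println(acceptedVersions(addr, roots))
}
```

Against a real endpoint, pass its `host:port` and a `nil` pool to use the system trust store; a certificate error then shows up as a different failure from the version alert.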
