[exporter/opensearch-exporter] Unable to send traces to OpenSearch with TLS disabled

[AmythD]

Component(s)

No response

Describe the issue you're reporting

Hello,

My OpenSearch endpoint has TLS enabled using a self signed certificate, but while trying to connect from OTEL Collector, I am seeing errors when disabling TLS (insecure=true, and removed references to certificates)

Ideally I would like to have TLS disabled. Any suggestions on what could be wrong here?

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318

extensions:
  basicauth/client:
    client_auth:
      username: admin
      password: admin

processors:
  batch:

exporters:
  opensearch/trace:
    dataset: otel
    namespace: traces
    http:
      endpoint: https://dev-opensearch.com:9200
      tls:
        insecure: true
        ca_file: /apps/PDC****-CA.crt
        cert_file: /apps/10.xx.xx.xx.crt         
        key_file: /apps/10.xx.xx.xx.key
       #insecure_skip_verify : true
      auth:
        authenticator: basicauth/client
service:
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [opensearch/trace]
      processors: [batch]

  extensions: [basicauth/client]      

2024-02-08T10:41:30.168Z warn batchprocessor@v0.93.0/batch_processor.go:258 Sender failed {"kind": "processor", "name": "batch", "pipeline": "traces", "error": "not retryable error: Permanent error: Permanent error: flush: tls: failed to verify certificate: x509: certificate signed by unknown authority\nPermanent error: Permanent error: flush: tls: failed to verify certificate: x509: certificate signed by unknown authority"}

[github-actions]

Pinging code owners for exporter/opensearch: @Aneurysm9 @MitchellGale @MaxKsyunz @YANG-DB. See Adding Labels via Comments if you do not have permissions to add labels yourself.

[github-actions]

Pinging code owners for exporter/opensearch: @Aneurysm9 @MitchellGale @MaxKsyunz @YANG-DB. See Adding Labels via Comments if you do not have permissions to add labels yourself.

[crobert-1]

Hello @AmythD, I believe if you set the other TLS config options in addition to insecure: verify they will still be checked, resulting in this error. If you don't define values for ca_file and ca_pem (you don't have this value currently, but including for the sake of verbosity), I believe this will work.

Source: https://github.com/open-telemetry/opentelemetry-collector/blob/b75fe362294cb1617e81621767a84c19d8df4612/config/configtls/configtls.go#L344

[github-actions]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

• exporter/opensearch: @Aneurysm9 @MitchellGale @MaxKsyunz @YANG-DB

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[github-actions]

This issue has been closed as inactive because it has been stale for 120 days with no activity.