florian_bacher
Dynatrace Participant

Abstract

This article addresses SSL errors encountered when using various OpenTelemetry SDKs (Go, Python, Java, etc.) to communicate with the environment ActiveGate in a Kubernetes (K8s) cluster. The issue arises because the environment ActiveGate uses self-signed certificates, which are not accepted by default by the OpenTelemetry SDKs. This article provides troubleshooting steps and solutions to enable the SDKs to accept these self-signed certificates.

 

Problem

When configuring OpenTelemetry SDKs to send telemetry data to Dynatrace ActiveGate in a K8s cluster, users may encounter SSL errors. These errors occur because the environment ActiveGate uses self-signed certificates, which the OpenTelemetry SDKs do not trust by default. As a result, the communication between the SDKs and the ActiveGate fails, preventing data from being sent.

 

Troubleshooting Steps

  1. Verify ActiveGate Configuration:
    Ensure that the ActiveGate is correctly configured and accessible. You can use a tool such as curl to check whether the ActiveGate is reachable from within your cluster. For example, run the following command from within a pod in your cluster:
    curl -v http://<activegate-service>.dynatrace.svc.cluster.local

    If the connection fails, check the ActiveGate's configuration and network settings. In particular, check whether there is a K8s Service object exposing the ActiveGate within the cluster.

  2. Check SDK Configuration:
    Review the configuration of your OpenTelemetry SDK to ensure it is set up to communicate with the ActiveGate. Verify the endpoint URL and any authentication tokens required.

  3. Identify the SSL Error:
    If the ActiveGate endpoint is reachable, and you have verified the correctness of the authentication token, check the logs of your OpenTelemetry SDK for SSL-related error messages. Common errors include "SSLHandshakeException", "certificate verify failed", or similar messages indicating a problem with certificate validation.

Resolution

To resolve the SSL errors, you need to configure the OpenTelemetry SDKs to trust the self-signed certificates used by the ActiveGate. As described in the OTLP specification, this can be done by setting the OTEL_EXPORTER_OTLP_CERTIFICATE environment variable to the path of the server certificate file.
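
As an added illustration (not code from this article or from Dynatrace), the following Go program shows the trust decision behind this setting using only the standard library: a local test server with a self-signed certificate stands in for the ActiveGate, and the same request fails against the system trust store but succeeds once the certificate file is trusted. The function names get and demo and the temporary file name are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// get fetches url, trusting only the PEM certificates in caFile ("" = system trust store).
func get(url, caFile string) error {
	cfg := &tls.Config{} // nil RootCAs means the system trust store
	if caFile != "" {
		data, err := os.ReadFile(caFile)
		if err != nil {
			return fmt.Errorf("read certificate file: %w", err) // fail closed, keep verification on
		}
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(data) {
			return fmt.Errorf("no PEM certificate found in %s", caFile)
		}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo probes a local self-signed TLS server (a constructed stand-in for the ActiveGate).
func demo() (defaultErr, pinnedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	path := filepath.Join(os.TempDir(), "constructed-activegate.pem") // hypothetical file name
	defer os.Remove(path)
	block := &pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}
	if err := os.WriteFile(path, pem.EncodeToMemory(block), 0o600); err != nil {
		return nil, err
	}
	return get(srv.URL, ""), get(srv.URL, path)
}

func main() {
	fmt.Println(demo()) // first value: certificate verification error; second: <nil>
}
```
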

Note: for the JavaScript SDK, this environment variable is currently not supported. In this case, you will have to load the trusted certificate programmatically, as in the following example:

 

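const fs = require('fs');
// OTLP/HTTP metrics exporter package (assumed here; use the exporter package your application already imports)
const { OTLPMetricExporter } = require('@opentelemetry/exporter-metrics-otlp-http');

const exporter = new OTLPMetricExporter({
  // <any other settings you may have>
  httpAgentOptions: {
    // Reading the file may throw an exception; add error handling as needed.
    ca: fs.readFileSync('/path/to/my/cert.pem'),
  },
});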

 


By following these steps, you can configure your OpenTelemetry SDKs to accept self-signed certificates from the Dynatrace ActiveGate, resolving the SSL errors and enabling successful communication.

 

What's next

If you have any further questions, or encounter any issues not listed above, please feel free to contact our support team.

If this article has helped you and provided you with good insight, please make sure to give the article a thumbs up (kudos).

Version history
Last update: 07 Feb 2025 09:07 AM