Difficulty getting tls to work with relay #1499

Closed
kennedyjosh opened this issue Sep 23, 2022 · 3 comments

Comments

@kennedyjosh

Environment

Config file:

---
relay:
  mode: static
  upstream: "https://sentry.io/"
  host: 0.0.0.0
  port: 3000
  tls_port: 3001
  tls_identity_path: /etc/cert/keyStore.p12
  tls_identity_password: xxx

Using latest version from this docker command:

sudo docker run --rm -it  \
  -v $(pwd)/config/:/etc/relay/  \
  -v $(pwd)/cert/:/etc/cert/  \
  -p 3000:3000  \
  -p 3001:3001  \
  getsentry/relay run --config /etc/relay/

keyStore.p12 was generated by doing:

openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem

Steps to Reproduce

  1. Start Relay using docker command above
  2. Logs show that ports 3000 and 3001 are open
    INFO  relay::setup > launching relay from config folder /etc/relay/
    INFO  relay::setup >   relay mode: static
    INFO  relay::setup >   relay id: -
    INFO  relay::setup >   public key: -
    INFO  relay::setup >   log level: TRACE
    INFO  relay_server::actors::outcome > Configured to emit outcomes as client reports
    INFO  relay_server::actors::upstream > upstream relay started
    INFO  relay_server::actors::processor > starting 2 envelope processing workers
    INFO  relay_server::actors::outcome   > OutcomeProducer started.
    INFO  relay_server::actors::envelopes > envelope manager started
    INFO  relay_server::actors::project_cache > project cache started
    INFO  relay_server::service               > spawning http server
    INFO  relay_server::service               >   listening on: http://0.0.0.0:3000/
    INFO  relay_server::service               >   listening on: https://0.0.0.0:3001/
    INFO  actix_net::server::server           > Starting 2 workers
    INFO  relay_metrics::aggregation          > aggregator started
    INFO  actix_net::server::server           > Starting server on 0.0.0.0:3000
    INFO  actix_net::server::server           > Starting server on 0.0.0.0:3001
    INFO  relay_system::controller            > relay server starting
    INFO  relay_server::actors::outcome_aggregator > outcome aggregator started
    INFO  relay_server::actors::project_local      > project local cache started
    INFO  relay_server::actors::project_upstream   > project upstream cache started
    INFO  relay_server::actors::relays             > key cache started
    
  3. I can ping on port 3000:
    export SENTRY_DSN="http://nfvu4830bvfu3iuujfnvb3809@domain:3000/43275240"
    sentry-cli send-event -m "test event"
    
  4. I cannot ping on port 3001:
    export SENTRY_DSN="https://nfvu4830bvfu3iuujfnvb3809@domain:3001/43275240"
    sentry-cli send-event -m "secure test event"
    

Expected Result

I expected events sent through ports 3000 and 3001 to show up on sentry.io website for my project.

Actual Result

Only events sent to port 3000 show up online for me. Additionally, I can see activity in the logs when sending to port 3000 vs nothing for port 3001.

I tested that port 3001 was accepting activity on my machine by doing:

sudo tcpdump -i docker0 port 3001

And I can see the activity when I try to send an event over that port – identical activity to running that same command on port 3000. So, I've deduced that the problem is something to do with how I'm configuring relay.

@jjbayer
Member

jjbayer commented Sep 26, 2022

@kennedyjosh thank you for the detailed steps to reproduce! I can reproduce your problem so I will add it to our internal backlog.

@olksdr
Contributor

olksdr commented Oct 13, 2022

I've looked into this briefly; it is not a problem with relay, since it works perfectly fine with the TLS configuration and accepts the incoming requests.

The issue here is in sentry-cli, which, it looks like, does not send the message to endpoints with self-signed certificates.

@olksdr
Contributor

olksdr commented Oct 17, 2022

Once a new sentry-cli is released with the changes from getsentry/sentry-rust#508, it will be possible to set the env variable SSL_VERIFY=false to disable certificate validation for self-signed certificates. That will make it possible to send events to the above-mentioned configuration.

Another way would be to get a free certificate, e.g. from Let's Encrypt, and use it for the self-hosted relay.

Closing as this has nothing to do with relay, and the patch for sentry-rust has already been submitted and merged.

@olksdr olksdr closed this as completed Oct 17, 2022
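The certificate side of this thread can be reproduced offline, without a running relay or sentry-cli. The script below is an added example, not code from the issue or from the relay project: it builds the same kind of self-signed certificate and PKCS#12 bundle the reporter generated, checks that the bundle relay would load really contains that certificate, shows why a verifying client rejects it (issuer equals subject, nothing in the system trust store vouches for it), and then verifies it the narrow way, by pinning that one certificate as a trust anchor, rather than with SSL_VERIFY=false. It assumes the `openssl` CLI is on PATH; the hostname `relay.example.internal`, the work directory and the function names are choices made here, and the password `xxx` is the same placeholder the issue uses.

```shell
#!/bin/sh
# Added example (not from the issue or the relay project). Reproduces the
# self-signed-certificate failure mode from the thread with the openssl CLI
# alone. Assumes `openssl` (1.1.1 or newer, for -addext) is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for key, cert and bundle

# Non-interactive equivalent of the reporter's `openssl req -x509 ...`:
# -nodes leaves the key unencrypted, -subj avoids the prompts, and -addext
# puts the relay hostname into the SAN, which modern clients require
# (a matching CN alone is no longer enough).
make_self_signed() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/myKey.pem" -out "$WORK/cert.pem" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Same export step as the issue, with the password supplied on the command
# line so it runs unattended. relay loads this file via tls_identity_path
# and opens it with tls_identity_password.
make_pkcs12() {
  password="$1"
  openssl pkcs12 -export -out "$WORK/keyStore.p12" \
    -inkey "$WORK/myKey.pem" -in "$WORK/cert.pem" -passout "pass:$password"
}

# Sanity check of the bundle relay will load: the password opens it and the
# certificate inside has the same SHA-256 fingerprint as cert.pem.
pkcs12_cert_matches() {
  password="$1"
  p12_fp=$(openssl pkcs12 -in "$WORK/keyStore.p12" -passin "pass:$password" \
             -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
  pem_fp=$(openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256)
  [ -n "$p12_fp" ] && [ "$p12_fp" = "$pem_fp" ]
}

# A certificate is self-signed when issuer == subject. That is what a
# verifying client sees: no trust anchor it knows signed this chain.
is_self_signed() {
  subj=$(openssl x509 -in "$WORK/cert.pem" -noout -subject)
  iss=$(openssl x509 -in "$WORK/cert.pem" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Default verification against the system trust store fails, which is the
# sentry-cli behaviour described in the thread. Returns 0 when it FAILED.
verify_against_system_store_fails() {
  ! openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# The narrower fix: trust this one certificate (pinning). Unlike
# SSL_VERIFY=false, verification stays on for every other host the client
# talks to, and a substituted certificate on port 3001 is still rejected.
verify_with_pinned_cert() {
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# Live check against a running relay (needs network, so not exercised
# offline): succeeds only if the TLS port presents the pinned certificate.
probe_relay_tls() {
  host="$1"; port="$2"
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$WORK/cert.pem" </dev/null 2>/dev/null \
    | grep -q "Verify return code: 0 (ok)"
}

if [ "${1:-}" = "demo" ]; then
  make_self_signed relay.example.internal
  make_pkcs12 xxx
  pkcs12_cert_matches xxx && echo "keyStore.p12 opens and matches cert.pem"
  is_self_signed && echo "cert.pem is self-signed (issuer == subject)"
  verify_against_system_store_fails && echo "system trust store rejects it (what sentry-cli saw)"
  verify_with_pinned_cert && echo "verification with the pinned cert succeeds"
fi
```

Run it as `sh tls-check.sh demo`; the last step corresponds to pointing the client at the certificate (for example a `-CAfile`-style trust setting or adding `cert.pem` to the client's trust store) instead of disabling verification. SSL_VERIFY=false removes certificate checking from every connection the client makes, so anyone on the path can present their own certificate on port 3001 and read the DSN and event payloads; pinning the self-signed certificate, or using a publicly trusted one as the last comment suggests, keeps that protection.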