HZN_TRANSPORT=https broken #217

@Ksk190809


The issue

In the file mgmt-hub/deploy-mgmt-hub.sh:

export HZN_TRANSPORT=${HZN_TRANSPORT:-http}   # Note: setting this to https is experimental, still under development!!!!!!

However, the instructions under Adding More Edge Devices specify to use the "https" option (understandable if one intends to deploy in an unsecured network). Doing so breaks the health checks for two containers:

CONTAINER ID   IMAGE                                              STATE     STATUS                  PORTS
47bedc5ccf8a   openhorizon/amd64_agbot:latest                     running   Up 6 days (healthy)     127.0.0.1:3110->8080/tcp, 192.168.10.3:3111->8083/tcp
c7098b830810   openhorizon/fdo-owner-services:testing             running   Up 6 days (unhealthy)   0.0.0.0:8042->8042/tcp, [::]:8042->8042/tcp, 0.0.0.0:9008->9008/tcp, [::]:9008->9008/tcp
52de7b726e51   quay.io/openbao/openbao-ubi:2.0                    running   Up 6 days (unhealthy)   192.168.10.3:8200->8200/tcp
fd83ce809aa3   openhorizon/amd64_cloud-sync-service:1.10.1-1591   running   Up 6 days (healthy)     192.168.10.3:9443->8080/tcp
2bb631d6aba5   quay.io/open-horizon/exchange-ubi:testing          running   Up 6 days (healthy)     8083/tcp, 192.168.10.3:3090->8080/tcp
45b40096dc63   postgres:13                                        running   Up 6 days (healthy)     0.0.0.0:5432->5432/tcp, [::]:5432->5432/tcp
090fd0749e9c   mongo:4.0.6                                        running   Up 6 days (healthy)     27017/tcp
a622aca0d6f1   postgres:13                                        running   Up 6 days (healthy)     0.0.0.0:5433->5432/tcp, [::]:5433->5432/tcp

One consequence of the broken container health checks is that the testMgmtHubServices function in test-mgmt-hub.sh fails.

For openbao

Further down in the file mgmt-hub/deploy-mgmt-hub.sh:

export BAO_DISABLE_TLS=true
# Todo: Future suuport for TLS/HTTPS with Bao
#if [[ ${HZN_TRANSPORT} == https ]]; then
#    BAO_DISABLE_TLS=false
#else
#    BAO_DISABLE_TLS=true
#fi

But in the file mgmt-hub/docker-compose.yml:

  bao:
    image: ${BAO_IMAGE_NAME}:${BAO_IMAGE_TAG}
    container_name: bao
    restart: always
    ports:
      - ${HZN_LISTEN_IP}:${BAO_PORT}:${BAO_PORT}

:

    healthcheck:
      test: test $$(curl -sS -w %{http_code} -k -o /dev/null ${HZN_TRANSPORT}://${HZN_LISTEN_IP}:${BAO_PORT}/v1/sys/seal-status) -eq 200
      interval: 15s
      timeout: 5s
      retries: 3

So the health check fails because HZN_TRANSPORT=https but BAO is configured not to support it. Unless the "Todo" is imminent, I'd suggest hard-coding the health check to http.

For fdo-owner-services

In the file mgmt-hub/docker-compose.yml:

  fdo-owner-services:
    image: ${FDO_OWN_SVC_IMAGE_NAME}:${FDO_OWN_SVC_IMAGE_TAG}
    container_name: fdo-owner-services
    restart: always
    ports:
      - ${FDO_OWN_SVC_PORT}:8042
      - ${FDO_OWN_COMP_SVC_PORT}:9008

:

    environment:
      - FDO_DB_PASSWORD=${FDO_OWN_SVC_DB_PASSWORD}
      - FDO_OPS_SVC_HOST=${HZN_LISTEN_IP}:${FDO_OWN_SVC_PORT}
      - FDO_DB_USER=${FDO_OWN_SVC_DB_USER}
      - FDO_DB_URL=${FDO_OWN_SVC_DB_URL}
      - HZN_FDO_API_URL=${HZN_TRANSPORT}://${HZN_LISTEN_IP}:${FDO_OWN_SVC_PORT}
      - FDO_API_PWD=${FDO_OWN_SVC_AUTH}
      - FDO_OCS_DB_PATH=${FDO_OCS_DB_CONTAINER_DIR}
      - FDO_OCS_SVC_PORT=${FDO_OWN_COMP_SVC_PORT}
      - FDO_OCS_SVC_TLS_PORT=${FDO_OWN_COMP_SVC_PORT}

:

    healthcheck:
      test: test $$(curl -sS -w %{http_code} -o /dev/null -X GET ${HZN_TRANSPORT}://${HZN_LISTEN_IP}:${FDO_OWN_COMP_SVC_PORT}/api/version) -eq 200
      interval: 15s
      timeout: 5s
      retries: 3

In the repository FDO-support, the file docker/run-fdo-owner-service.sh:

# FDO_OCS_SVC_TLS_PORT:   Port number OCS-API should listen on for TLS. Default is the value of FDO_OCS_SVC_PORT. (OCS API does not support TLS and non-TLS simultaneously.) Note: you can not set this$

Not clear what the failure cause is because both forms of the curl command fail:

curl -sS -w '%{http_code}\n' -o /dev/null -X GET http://192.168.10.3:9008/api/version
curl: (7) Failed to connect to 192.168.10.3 port 9008 after 0 ms: Couldn't connect to server
000
curl -sS -w '%{http_code}\n' -o /dev/null -X GET https://192.168.10.3:9008/api/version
curl: (7) Failed to connect to 192.168.10.3 port 9008 after 0 ms: Couldn't connect to server
000

Whereas with HZN_TRANSPORT=http, the expected health check works:

curl -sS -w '%{http_code}\n' -o /dev/null -X GET http://192.168.10.3:9008/api/version
200
curl -sS -w '%{http_code}\n' -o /dev/null -X GET https://192.168.10.3:9008/api/version
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
000
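The two curl sessions above show different failures: exit code 7 means nothing accepted the TCP connection, while exit code 35 means a listener answered but did not complete a TLS handshake. The following script is an added example, not part of this issue or of the Open Horizon repositories; it classifies those outcomes and says which scheme a health check should use. The function names are hypothetical, and the exit-code meanings (7, 35, 60) are curl's documented ones.

```shell
#!/usr/bin/env bash
# Added example (not from deploy-mgmt-hub.sh or docker-compose.yml).
# Usage: ./probe-scheme.sh HOST PORT PATH   e.g. 192.168.10.3 9008 /api/version

# classify_probe CURL_EXIT HTTP_CODE -> one-word result on stdout
classify_probe() {
    case "$1" in
        0)  if [ "$2" = 200 ]; then echo ok; else echo "http_$2"; fi ;;
        7)  echo not_listening ;;         # TCP connect failed on that IP:port
        35) echo tls_handshake_failed ;;  # typically a plaintext listener ("wrong version number")
        60) echo untrusted_cert ;;        # TLS is up, but the certificate is not trusted
        *)  echo "curl_error_$1" ;;
    esac
}

# summarize HTTP_RESULT HTTPS_RESULT -> what the pair of probes implies
summarize() {
    case "$1/$2" in
        ok/tls_handshake_failed)
            echo "plain HTTP only: health check must use http" ;;
        */ok|*/untrusted_cert)
            echo "TLS enabled: health check must use https" ;;
        not_listening/not_listening)
            echo "no listener on this address/port: check port mapping and service startup before the scheme" ;;
        *)
            echo "inconclusive: http=$1 https=$2" ;;
    esac
}

# probe_one SCHEME HOST PORT PATH -> classified result of one curl request
probe_one() {
    local code rc=0
    code=$(curl -sS -m 5 -o /dev/null -w '%{http_code}' "$1://$2:$3$4" 2>/dev/null) || rc=$?
    classify_probe "$rc" "$code"
}

# probe HOST PORT PATH -> try both schemes and print the conclusion
probe() {
    summarize "$(probe_one http "$@")" "$(probe_one https "$@")"
}

# Only probe when called with HOST PORT PATH; sourcing the file just defines the functions.
if [ "$#" -eq 3 ]; then
    probe "$@"
fi
```
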
