Reapply 19742 enforce TLS for OTel HTTP receiver in distributed setup

test_otel_with_dcd_in_distributed_setup configured the HTTP receiver
with
basicauth but encryption=False, which is now rejected by the API after
CMK-33249 (werk 19742).  Enable encryption, extract the central site's
CA
certificate via a new ca_certificate_path fixture, and pass --cert-path
/
--site-name to the OTel HTTP client so it can establish the TLS session.

Fixes the cascade failure in test_automatic_host_removal caused by the
otel_password and DCD connections being left as pending changes when the
receiver creation raised.

This reverts commit 451b182.

Change-Id: I2d29ecb2b8e9c65a71f1afd6228c473bc7ec9f7e

Author: m3hransh

.werks/19742.md

@@ -0,0 +1,22 @@
+[//]: # (werk v3)
+# Enforce TLS when using basic authentication for OTel Collector receivers
+
+key        | value
+---------- | ---
+date       | 2026-04-09T16:36:29.851214+00:00
+version    | 2.5.0b5
+class      | feature
+edition    | ultimate
+component  | wato
+level      | 1
+compatible | no
+
+Checkmk now validates that TLS encryption is enabled whenever basic authentication
+is configured for OpenTelemetry Collector receiver endpoints (GRPC and HTTP).
+
+Previously, it was possible to configure basic authentication without encryption,
+which would transmit credentials in plain text. The GUI setup and REST API now
+reject this combination and require you to enable TLS first.
+
+If you have existing receiver configurations using basic authentication without TLS,
+you will need to enable TLS encryption before you can save any changes to them.