diff --git a/Cargo.lock b/Cargo.lock
index bc7995354f..3db7a8408a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4661,6 +4661,7 @@ dependencies = [
  "percent-encoding",
  "pin-project-lite",
  "rustls 0.21.12",
+ "rustls-native-certs",
  "rustls-pemfile 1.0.4",
  "serde",
  "serde_json",
@@ -4901,6 +4902,18 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-native-certs"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
+dependencies = [
+ "openssl-probe",
+ "rustls-pemfile 1.0.4",
+ "schannel",
+ "security-framework",
+]
+
 [[package]]
 name = "rustls-pemfile"
 version = "1.0.4"
diff --git a/crates/containerd-shimkit/Cargo.toml b/crates/containerd-shimkit/Cargo.toml
index bc1dd365f8..c1108299bd 100644
--- a/crates/containerd-shimkit/Cargo.toml
+++ b/crates/containerd-shimkit/Cargo.toml
@@ -51,6 +51,7 @@ opentelemetry-otlp = { version = "0.16.0", default-features = false, features =
     "grpc-tonic",
     "http-proto",
     "reqwest-client",
+    "reqwest-rustls",
     "trace",
 ], optional = true }
 opentelemetry_sdk = { version = "0.23", default-features = false, features = [
diff --git a/crates/containerd-shimkit/src/sandbox/cli.rs b/crates/containerd-shimkit/src/sandbox/cli.rs
index 709294b2c2..83cdca4e1a 100644
--- a/crates/containerd-shimkit/src/sandbox/cli.rs
+++ b/crates/containerd-shimkit/src/sandbox/cli.rs
@@ -246,13 +246,18 @@ where
     }
 
     #[cfg(feature = "opentelemetry")]
-    if otel_traces_enabled() {
+    // Only initialize OTEL in serve mode (empty action).
+    if otel_traces_enabled() && flags.action.is_empty() {
         // opentelemetry uses tokio, so we need to initialize a runtime
         async {
-            let otlp_config = OtlpConfig::build_from_env().expect("Failed to build OtelConfig.");
-            let _guard = otlp_config
-                .init()
-                .expect("Failed to initialize OpenTelemetry.");
+            let _guard = OtlpConfig::build_from_env()
+                .and_then(|c| c.init())
+                .map_err(|e| {
+                    eprintln!(
+                        "Failed to initialize OpenTelemetry (continuing without tracing): {e}"
+                    )
+                })
+                .ok();
             tokio::task::block_in_place(move || {
                 shim_main_inner::<I>(name, config);
             });
diff --git a/crates/containerd-shimkit/src/sandbox/shim/otel.rs b/crates/containerd-shimkit/src/sandbox/shim/otel.rs
index 868ccdfbdf..2c6c05a4db 100644
--- a/crates/containerd-shimkit/src/sandbox/shim/otel.rs
+++ b/crates/containerd-shimkit/src/sandbox/shim/otel.rs
@@ -88,7 +88,7 @@ impl Config {
     /// Initializes the tracer, sets up the telemetry and subscriber layers, and sets the global subscriber.
     ///
     /// Note: this function should be called only once and be called by the binary entry point.
-    pub fn init(&self) -> anyhow::Result<impl Drop> {
+    pub fn init(&self) -> anyhow::Result<impl Drop + use<>> {
         let tracer = self.init_tracer()?;
         let telemetry = tracing_opentelemetry::layer().with_tracer(tracer);
         set_text_map_propagator(TraceContextPropagator::new());