topic Re: Extensions Framework v2.0: root CA cert distribution on ActiveGate KO in Extensions

Extensions Framework v2.0: root CA cert distribution on ActiveGate KO

gilles_tabary — Tue, 25 Jun 2024 18:47:22 GMT

Hello.

I followed

Yet when trying to configure my signed custom extensions on my AGs I get :

ERROR Failed to assign monitoring configuration to ActiveGate. Reason: Cannot extract extension from /mypath/var/conf/dynatrace/remotepluginmodule/agent/runtime/extensions/download/my_custom_extention: checking signature failed dsfm warning [native] SignatureVerifier: openssl error: error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error : Verify error:unable to get local issuer certificate

Any idea ?

Re: Extensions Framework v2.0: root CA cert distribution on ActiveGate KO

Julius_Loman — Tue, 25 Jun 2024 18:53:28 GMT

Check the extension module log if it loads the certificate, check permissions for the certificate file (ActiveGate user must be able to read it) and also its format.

Re: Extensions Framework v2.0: root CA cert distribution on ActiveGate KO

gilles_tabary — Tue, 25 Jun 2024 19:29:44 GMT

AFAIS it does load the cert i.e. no error / warning in logs. Any other way to hard check it does load it ? Like :

1350 2024-06-25 12:42:02.241 UTC [001f78d3] info [native] SignatureVerifier: avaiable certificate files: cacert.pem, my-cert-root-ca.pem

File perm r--r----- dtuserag:dtuserag (no access denied error in logs)

Format is given by generating command 'dt extension genca --no-ca-passphrase'. Any thing else to check ? How-to ?

Re: Extensions Framework v2.0: root CA cert distribution on ActiveGate KO

Julius_Loman — Wed, 26 Jun 2024 05:38:50 GMT

Please double-check your extension is signed using a certificate issued by the CA you imported.

You can also verify the signature manually (does not help to import the extension, but shows you details) https://docs.dynatrace.com/docs/shortlink/sign-extension#verify-signature

Re: Extensions Framework v2.0: root CA cert distribution on ActiveGate KO

gilles_tabary — Wed, 26 Jun 2024 14:11:37 GMT

Thanks. Did so.

unzip bundle.zip # Signed extension bundle extracting: extension.zip extracting: extension.zip.sig openssl cms -verify \ -CAfile root-ca-cert.pem \ # *not* the extension leaf cert -in extension.zip.sig \ # *not* the signed extension -binary -content extension.zip \ # *not* the bundle, *only* the non signed extension --inform PEM -out /dev/null Verification successful

My verification was not successfull showing locally (ouside of a Dynatrace Environment) the message :

20004:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../openssl-1.1.1g/crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate

Ran again the procedure and now verification says it's fine. I deleted / re-uploaded extension in my Dynatrace Environment. Hope it will be better. We will see.