https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121115#M979 <P><A rel="user" href="https://answers.dynatrace.com/users/20278/view.html" nodeid="20278">@Reinhard W.</A> thanks for posting this!</P> Wed, 17 Feb 2021 23:45:15 GMT ChadTurner 2021-02-17T23:45:15Z https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121113#M977 <P>For those who might encounter this as well when writing their AG Remote Plugins a little hint.</P> <P>While building another plugin with dependencies to another library I was confronted with an error that the included urllib3 library of the remoteplugin environment couldn't load RooT CA certificates. The error in the plugin's log looked something like this:</P> <PRE>ERROR &nbsp; [Python][15052339058944823227][Hostunit Consumption][140518812161792][ThreadPoolExecutor-0_2] - [set_full_status] (0)<BR />Reason: SSLError<BR />[Errno 2] No such file or directory<BR />Traceback (most recent call last):<BR />&nbsp;&nbsp;File "/opt/dynatrace/remotepluginmodule/agent/plugin/engine.zip/site-packages/urllib3/util/ssl_.py", line 319, in ssl_wrap_socket<BR />&nbsp; &nbsp;&nbsp;context.load_verify_locations(ca_certs, ca_cert_dir)<BR />FileNotFoundError: [Errno 2] No such file or directory</PRE> <P>After digging into it I found that the invoked external SSL connection required the root certificates that are typically shipped with urllib3 or certifi package. (both are included in the remoteplugin runtime environment). However the virtual (?) path would try to find the CA certificate package at this path:</P> <PRE>/opt/dynatrace/remotepluginmodule/agent/plugin/engine.zip/site-packages/certifi/cacert.pem</PRE> <P><BR />This is not a real path but points to the content of the site.zip archive. Python certifi gets this path by calling certifi.where() and urllib then fails to get the file, leading to this error.</P> <P>To resolve this issue I had to explicitly point my plugin to an "real" cacert.pem file in the AG's filesystem that is not within a zip file. I manually added ca cacert.pem file (which could be enahanced with corporate CA certs as well to my plugin directory:</P> <PRE>/opt/dynatrace/remotepluginmodule/plugin_deployment/custom.remote.python.missingmetrics/cacert.pem</PRE> <P><BR />Just posting this here because I was pretty surprised to see this. Maybe it's a bug in the plugin runtime as well that can be fixed permanently as well...</P> Thu, 18 May 2023 13:01:46 GMT https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121113#M977 r_weber 2023-05-18T13:01:46Z https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121114#M978 <P>This is also how we've resolved this with extensions our services team has created for customers. I never dug into it as deep as you did with the root cause though. Thanks for sharing!</P> Fri, 29 Jan 2021 09:21:42 GMT https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121114#M978 Mike_L 2021-01-29T09:21:42Z https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121115#M979 <P><A rel="user" href="https://answers.dynatrace.com/users/20278/view.html" nodeid="20278">@Reinhard W.</A> thanks for posting this!</P> Wed, 17 Feb 2021 23:45:15 GMT https://community.dynatrace.com/t5/Extensions/ActiveGate-plugin-can-t-access-CA-Certificates-Python/m-p/121115#M979 ChadTurner 2021-02-17T23:45:15Z