https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286442#M3286 <P>Thank your for your reply&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/4669">@michiel_otten</a>&nbsp;</P><P>It's indeed the error we are getting.</P><P>Here is the solution we chose to avoid to change the shared ActiveGate's certificates.</P><UL><LI>We choose to <STRONG>not</STRONG> ignore the certificate.</LI><LI>We inject the trustedCAs to authorize the communication between CSI and Docker Registry to download code module.</LI><LI>We add 2 env var to oneagent to ignore the self signed certificate<BR /><BR /></LI></UL><LI-CODE lang="markup">apiVersion: dynatrace.com/v1beta5 kind: DynaKube spec: skipCertCheck: false trustedCAs: companyCA oneAgent: cloudNativeFullStack: env: - name: DT_SSLVERIFYHOST value: "false" - name: DT_SSLVERIFYPEER value: "false"</LI-CODE><P>Could be usefull for people in the same shared ActiveGate configuration.<BR />&nbsp;<BR />I found this workaround here :&nbsp;<SPAN><A href="https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Resolved-OneAgent-pods-unable-to-validate-SSL-cert-of/ta-p/255723" target="_blank">https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Resolved-OneAgent-pods-unable-to-validate-SSL-cert-of/ta-p/255723</A></SPAN></P> Fri, 19 Sep 2025 12:23:43 GMT prgss 2025-09-19T12:23:43Z https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286119#M3281 <P>Hi Dynatrace,</P> <P>We have trouble deploying CloudNative Dynatrace in OpenShift clusters.<BR />Can you confirm us that these "hybrid" architecture is valid ?<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dynatrace-noname.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/30088iA681F0166F3E806D/image-size/large?v=v2&amp;px=999" role="button" title="dynatrace-noname.png" alt="dynatrace-noname.png" /></span></P> <P>- Install CloudNative Dynatrace in OpenShift clusters with Company trustedCA in Dynakube</P> <P>- Private docker registry holding OneAgent and codemodules images exposing the Company certificate (green box on the left)</P> <P>- ActiveGate VM with Dynatrace self signed Certificate (purple box)</P> <P>- Company Internet Proxy (no certificate)</P> <P>- Notice that we have many oneagent deployed in virtual machine. These oneagents trust the ActiveGate VM Certificate.</P> <P>- We don't want to change the exposed certificate of ActiveGate.</P> <P>&nbsp;</P> <P>When we add the trustedCAs field in the dynakube configuration, the communication between oneagent pod and activegate vm are broken (invalid certificate).</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="broken-cert.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/30089iE470B8DA2E614070/image-size/large?v=v2&amp;px=999" role="button" title="broken-cert.png" alt="broken-cert.png" /></span></P> <P>&nbsp;</P> Fri, 09 Jan 2026 10:30:28 GMT https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286119#M3281 prgss 2026-01-09T10:30:28Z https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286134#M3282 <P>In my opinion, the problem is that when you configure a&nbsp;<SPAN>trustedCA&nbsp;in Kubernetes, it will use it for <U>all outgoing communication</U>. Now: when the OneAgents want to sent out that information, it'll mismatch with the self-signed one.<BR /></SPAN>You could potentially test this to add it to 1 of the Environment ActiveGate and put that one in a network zone.<BR /><BR />if this doesn't help, I'd recommend getting Dynatrace support onboard to figure out what the best solution for you is.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="michiel_otten_0-1758021178503.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/30096i5D3EA678F0B2A1F7/image-size/medium?v=v2&amp;px=400" role="button" title="michiel_otten_0-1758021178503.png" alt="michiel_otten_0-1758021178503.png" /></span></P><P>&nbsp;</P> Tue, 16 Sep 2025 11:13:09 GMT https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286134#M3282 michiel_otten 2025-09-16T11:13:09Z https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286442#M3286 <P>Thank your for your reply&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/4669">@michiel_otten</a>&nbsp;</P><P>It's indeed the error we are getting.</P><P>Here is the solution we chose to avoid to change the shared ActiveGate's certificates.</P><UL><LI>We choose to <STRONG>not</STRONG> ignore the certificate.</LI><LI>We inject the trustedCAs to authorize the communication between CSI and Docker Registry to download code module.</LI><LI>We add 2 env var to oneagent to ignore the self signed certificate<BR /><BR /></LI></UL><LI-CODE lang="markup">apiVersion: dynatrace.com/v1beta5 kind: DynaKube spec: skipCertCheck: false trustedCAs: companyCA oneAgent: cloudNativeFullStack: env: - name: DT_SSLVERIFYHOST value: "false" - name: DT_SSLVERIFYPEER value: "false"</LI-CODE><P>Could be usefull for people in the same shared ActiveGate configuration.<BR />&nbsp;<BR />I found this workaround here :&nbsp;<SPAN><A href="https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Resolved-OneAgent-pods-unable-to-validate-SSL-cert-of/ta-p/255723" target="_blank">https://community.dynatrace.com/t5/Heads-up-from-Dynatrace/Resolved-OneAgent-pods-unable-to-validate-SSL-cert-of/ta-p/255723</A></SPAN></P> Fri, 19 Sep 2025 12:23:43 GMT https://community.dynatrace.com/t5/Container-platforms/Is-shared-ActiveGates-between-OneAgent-in-vm-and-OneAgent-in/m-p/286442#M3286 prgss 2025-09-19T12:23:43Z