Is it possibile to keep Dynatrace Managed default ssl certificate with the automatically generated domain and still set up an internal DNS address that will keep the SSL valid (without turning off the SSL management within Dynatrace cmc)?
Solved! Go to Solution.
Hi @Julius_Loman I'd like to keep dynatrace ssl certificate and domain untouched while masking the standard domain url for user with an internal domain (or vip) but still retaining the SSL validation offered from Dynatrace.
The following would be a schema of it:
Is this something technologically achievable?
Thanks for you time,
Since you can't add any additional hostname into the existing certificate issued for the .dynatrace-managed.com domain, it's not that easy. You will need additional certificate for dynatrace.company.internal. TBH I don't understand why do you need to keep the *.dynatrace-managed.com and also dynatrace.company.internal. - For transition phase?
So for the cluster, you will keep the SSL management and the nodes will have a certificate issued by Dynatrace. Now it depends
IIRC, the automatically-generated domain/cert points to your (internal) IP of the host where you installed Dynatrace-Managed, only usable inside your network. If you then create a new internal domain name that resolves to the same IP, your SSL connection would complain that the domains don't match...
@richard_guerraSo basically you want a custom name (e.g. dynatrace.company.internal) and still have the certificate renewal automation Dynatrace Managed uses for *.dynatrace-managed.com domain?
Or do you want your users to seamlessly migrate to a new domain? (keep the xxx123.dynatrace-managed.com working including SSL while having the dynatrace.company.internal working too including SSL on the same managed nodes?
The latter is, I believe, achievable by customizing the NGINX config using custom.settings file. It's non-trivial to setup, basically you will need to keep the SSL certificate management as it is and you will need to have two server entries in the nginx config - one left with the Dynatrace certificate, the other with your custom one. For the *.dynatrace-managed.com I would add a rewrite rule, so users are automatically redirected to the dynatrace.company.internal domain when accessing it.