DNS and SSL on Dynatrace Managed

y_buccellato
Mentor

Is it possible to keep the Dynatrace Managed default SSL certificate with the automatically generated domain and still set up an internal DNS address that will keep the SSL valid (without turning off the SSL management within Dynatrace CMC)?

5 REPLIES

Julius_Loman
DynaMight Guru

@y_buccellato what do you need to achieve? 

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

Hi @Julius_Loman, I'd like to keep the Dynatrace SSL certificate and domain untouched while masking the standard domain URL for users with an internal domain (or VIP), but still retaining the SSL validation offered from Dynatrace.

The following would be a schema of it:

[Image: y_buccellato_0-1668779478328.png]


Is this something technologically achievable?

Thanks for your time,

Yann

Since you can't add any additional hostname into the existing certificate issued for the .dynatrace-managed.com domain, it's not that easy. You will need an additional certificate for dynatrace.company.internal. TBH I don't understand why you need to keep both *.dynatrace-managed.com and dynatrace.company.internal. For a transition phase?

So for the cluster, you will keep the SSL management and the nodes will have a certificate issued by Dynatrace. Now it depends:

  • if you have a solution in place for reverse proxy (F5 for example or any other solution), you can easily set it up against your nodes. So the request flow is
    User -> reverse proxy (dynatrace.company.internal) -> dynatrace node (xxx123.dynatrace-managed.com)
  • if you don't have such an option, you can do some customization on the NGINX level on the Dynatrace Managed node

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

richard_guerra
Advisor

IIRC, the automatically-generated domain/cert points to your (internal) IP of the host where you installed Dynatrace-Managed, only usable inside your network. If you then create a new internal domain name that resolves to the same IP, your SSL connection would complain that the domains don't match...

@richard_guerra So basically you want a custom name (e.g. dynatrace.company.internal) and still have the certificate renewal automation Dynatrace Managed uses for the *.dynatrace-managed.com domain?

Or do you want your users to seamlessly migrate to a new domain (keep xxx123.dynatrace-managed.com working including SSL while having dynatrace.company.internal working too, including SSL, on the same managed nodes)?

The latter is, I believe, achievable by customizing the NGINX config using the custom.settings file. It's non-trivial to set up: basically you will need to keep the SSL certificate management as it is, and you will need to have two server entries in the nginx config, one left with the Dynatrace certificate, the other with your custom one. For *.dynatrace-managed.com I would add a rewrite rule, so users are automatically redirected to the dynatrace.company.internal domain when accessing it.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
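
The two-server layout described in the last reply, sketched as generic nginx configuration. This is an added example, not part of the original thread and not Dynatrace's shipped configuration or its custom.settings format; every certificate path and the backend address are placeholders.

```nginx
# Assumption: plain nginx syntax. How these blocks map into Dynatrace
# Managed's custom.settings file is not shown in the thread.

# 1) Auto-generated name: keeps the certificate that Dynatrace issues and
#    renews, so the built-in SSL management stays enabled and untouched.
server {
    listen 443 ssl;
    server_name xxx123.dynatrace-managed.com;

    ssl_certificate     /PLACEHOLDER/dynatrace-issued/fullchain.pem;
    ssl_certificate_key /PLACEHOLDER/dynatrace-issued/privkey.pem;

    # The TLS handshake for the old name completes before the redirect is
    # sent, so this certificate must remain valid or browsers will warn
    # before they ever see the 301.
    return 301 https://dynatrace.company.internal$request_uri;
}

# 2) Internal name: served with a separate certificate whose subject
#    alternative name covers dynatrace.company.internal. This certificate
#    is outside the Dynatrace-managed one, so its issuance and renewal
#    have to be handled separately (assumption: an internal CA).
server {
    listen 443 ssl;
    server_name dynatrace.company.internal;

    ssl_certificate     /PLACEHOLDER/internal-ca/dynatrace.company.internal.crt;
    ssl_certificate_key /PLACEHOLDER/internal-ca/dynatrace.company.internal.key;

    location / {
        # Placeholder for wherever the node's web UI is actually served.
        proxy_pass https://BACKEND_PLACEHOLDER;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

nginx picks the server block, and therefore the certificate, from the name the client sends via SNI. Running `openssl s_client -connect <node>:443 -servername <name>` once per name shows which certificate each one receives.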