FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

DNS and SSL on Dynatrace Managed

Go to solution
y_buccellato
Pro

‎17 Nov 2022 02:43 PM - last edited on ‎19 Jun 2023 12:04 PM by Community Team

Is it possibile to keep Dynatrace Managed default ssl certificate with the automatically generated domain and still set up an internal DNS address that will keep the SSL valid (without turning off the SSL management within Dynatrace cmc)?

0 Kudos
Reply
5 REPLIES 5

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend

‎17 Nov 2022 08:47 PM

@y_buccellato what do you need to achieve? 

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
0 Kudos
Reply

Go to solution
y_buccellato
Pro
In response to Julius_Loman

‎18 Nov 2022 01:52 PM

Hi @Julius_Loman I'd like to keep dynatrace ssl certificate and domain untouched while masking the standard domain url for user with an internal domain (or vip) but still retaining the SSL validation offered from Dynatrace.

The following would be a schema of it:

y_buccellato_0-1668779478328.png


Is this something technologically achievable?

Thanks for you time,

Yann

0 Kudos
Reply

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend
In response to y_buccellato

‎18 Nov 2022 02:10 PM

Since you can't add any additional hostname into the existing certificate issued for the .dynatrace-managed.com domain, it's not that easy. You will need additional certificate for dynatrace.company.internal. TBH I don't understand why do you need to keep the *.dynatrace-managed.com and also dynatrace.company.internal. - For transition phase?

So for the cluster, you will keep the SSL management and the nodes will have a certificate issued by Dynatrace. Now it depends

  • if you have a solution in place for reverse proxy (F5 for example or any other solution), you can easily set it up against your nodes. So the request flow is
    User -> reverse proxy (dynatrace.company.internal) -> dynatrace node (xxx123.dynatrace-managed.com)
  • if you don't have such option, you can do some customization on the NGINX level on Dynatrace Managed node
Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply

Go to solution
richard_guerra
Advisor

‎18 Nov 2022 02:40 AM

IIRC, the automatically-generated domain/cert points to your (internal) IP of the host where you installed Dynatrace-Managed, only usable inside your network. If you then create a new internal domain name that resolves to the same IP, your SSL connection would complain that the domains don't match...

0 Kudos
Reply

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend
In response to richard_guerra

‎18 Nov 2022 08:52 AM

@richard_guerraSo basically you want a custom name (e.g. dynatrace.company.internal) and still have the certificate renewal automation Dynatrace Managed uses for *.dynatrace-managed.com domain?

Or do you want your users to seamlessly migrate to a new domain? (keep the xxx123.dynatrace-managed.com working including SSL while having the dynatrace.company.internal working too including SSL on the same managed nodes?

The latter is, I believe, achievable by customizing the NGINX config using custom.settings file. It's non-trivial to setup, basically you will need to keep the SSL certificate management as it is and you will need to have two server entries in the nginx config - one left with the Dynatrace certificate, the other with your custom one. For the *.dynatrace-managed.com I would add a rewrite rule, so users are automatically redirected to the dynatrace.company.internal domain when accessing it.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
0 Kudos
Reply
Ask a question

Featured Posts