Hey Community!
I've recently been in touch with our users who have had trouble downloading OneAgent and ActiveGate from their Dynatrace Managed cluster. The `wget` command fails as follows (the URL is quoted so that the shell does not treat `&` as a command separator):

```
wget -O Dynatrace-OneAgent-Linux-1.217.187.sh "https://xxx123.dynatrace-managed.com/e/xxx/api/v1/deployment/installer/agent/unix/default/latest?arch=x86&flavor=default" --header="Authorization: Api-Token <token>"
--2021-10-07 19:56:58-- https://xxx123.dynatrace-managed.com/e/xxx/api/v1/deployment/installer/agent/unix/default/latest?arch=x86&flavor=default
Resolving xxx123.dynatrace-managed.com (xxx123.dynatrace-managed.com)... 135.xxx.xxx.xxx, 135.xxx.xxx.xxx, 135.xxx.xxx.xxx
Connecting to xxx123.dynatrace-managed.com (xxx123.dynatrace-managed.com)|135.xxx.xxx.xxx|:443... connected.
ERROR: cannot verify xxx123.dynatrace-managed.com's certificate, issued by '/C=US/O=Let's Encrypt/CN=R3':
  Issued certificate has expired.
```
"Issues arose not so much because of clients running obsolete versions of operating systems, but because the servers of several organizations failed to serve updated certificate chains to clients due to configuration problems." says portswigger.net.
The cause is the expired Let's Encrypt root certificate (DST Root CA X3) still present in the trust store of the host you want to monitor with OneAgent. Here's the official Let's Encrypt statement:
As planned, the DST Root CA X3 has expired and we’re now using our own ISRG Root X1 for trust. We used a cross-sign with DST Root CA X3 to gain broad trust for our certificates when we were just starting out. Now our own root is widely trusted.
(source: https://letsencrypt.org/2021/10/01/cert-chaining-help.html)
Am I affected?
Instances and containers running the following operating systems might not be able to connect to Dynatrace Managed clusters using Dynatrace-provided certificates:
- CentOS and RHEL 7 or lower
- Amazon Linux and Amazon Linux 2
- Ubuntu 16.04 or lower
- Debian 8 or lower
With OpenSSL 1.0.2, the chain sent by the server (the untrusted chain) is always preferred over any alternative path built from the local trust store. The expired DST Root CA X3 at the end of that chain is therefore seen, and the entire chain is distrusted as expired. Hosts running the affected OpenSSL version with the DST Root CA X3 certificate in their root store can't connect to Dynatrace Managed clusters.
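As an added example (not Dynatrace's own tooling), a POSIX shell diagnostic for the checks above: whether the local OpenSSL is a 1.0.x build, whether the host's trust store still contains the now-expired DST Root CA X3, and whether a wget transcript like the one at the top of this post carries the expired-chain signature. It assumes `openssl` is on PATH and a `/etc/ssl/certs`-style CA directory (override with `CA_DIR`).

```shell
#!/bin/sh
# Added diagnostic (not Dynatrace tooling) for the "Am I affected?" check above.
# Assumes openssl is on PATH and a Debian/RHEL-style CA directory; set CA_DIR
# for your distribution.
CA_DIR="${CA_DIR:-/etc/ssl/certs}"

# True (exit 0) for the OpenSSL 1.0.x line, which always validates the server-sent
# chain and therefore fails on the expired DST Root CA X3 at its end.
openssl_version_affected() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}')
    case "$ver" in
        1.0.*|0.9.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# True when a wget transcript carries the expired-chain signature from the post.
wget_log_shows_expired_chain() {
    printf '%s\n' "$1" | grep -q "cannot verify .* certificate" &&
        printf '%s\n' "$1" | grep -q "Issued certificate has expired"
}

# True when a PEM file in $1 is DST Root CA X3 and is already past its notAfter;
# `openssl x509 -checkend 0` exits non-zero once a certificate has expired.
trust_store_has_expired_dst_root() {
    for pem in "$1"/*.pem "$1"/*.crt; do
        [ -f "$pem" ] || continue
        subj=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) || continue
        case "$subj" in *"DST Root CA X3"*) ;; *) continue ;; esac
        openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 0
    done
    return 1
}

# Constructed sample: the failing transcript from the post, hostnames and IPs masked.
SAMPLE_WGET_LOG=$(cat <<'EOF'
Connecting to xxx123.dynatrace-managed.com (xxx123.dynatrace-managed.com)|135.xxx.xxx.xxx|:443... connected.
ERROR: cannot verify xxx123.dynatrace-managed.com's certificate, issued by '/C=US/O=Let's Encrypt/CN=R3':
  Issued certificate has expired.
EOF
)

if command -v openssl >/dev/null 2>&1; then
    openssl_version_affected "$(openssl version)" &&
        echo "OpenSSL 1.0.x found: the server-sent chain is always preferred (affected)"
    trust_store_has_expired_dst_root "$CA_DIR" &&
        echo "Expired DST Root CA X3 still present in $CA_DIR (affected)"
fi
```

Run it on the host that fails the download; a hit on either line means the fix is to update the CA bundle (or remove DST Root CA X3 from it) or move to OpenSSL 1.1.0 or newer, exactly the two conditions the paragraph above names.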
Senior Product Manager,
Dynatrace Managed expert