Configuration-less Advanced SSL Certificate Check Plugin

r_weber
DynaMight Champion

There are multiple variants of how to validate SSL certificates and alert on expiry. I've taken a look at all of them and missed a lack of automation. I therefore created another one that hopefully overcomes some of the limitations and is easier to use in large environments.

As we have not had this feature out of the box for a long time, this might be useful.

Summarizing the various attempts and threads from:

SSL Certification expiration checks out of the box - Details? (@Larry R.)
Does Dynatrace monitor SSL certificate validation (@Akshay S.)
Monitor SSL certificate expiry and generate alert (@Dario C.)
(also the contributors @Július L.'s OneAgent extension and @Leon Van Z.'s ActiveGate extension)

What is different about this plugin?

  1. It doesn't need any configuration for hosts/sites that are checked. The endpoints are determined dynamically from already configured (and tagged) synthetic monitors. Add/remove monitors and they will be checked automatically without any additional configuration needs.
  2. Error events (about expiring certificates) are posted/attached to the synthetic monitor, where one would expect it, not to custom devices.
  3. Check intervals can be adjusted in long timeframes - no one needs to check certificate validity every minute or even hour.
  4. It is an ActiveGate remote plugin so it can communicate with the Dynatrace API via the ActiveGate.
  5. It doesn't consume any licenses for custom metrics!

Where to find it?

You can find the plugin in my personal github repository.

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

After updating to v1.30 the plugin has stopped working. I get the below error. 

(I am running AG v1.247.210 on RHEL 7.)


Error(/usr/lib64/libc.so.6: version `GLIBC_2.28' not found (required by /opt/dynatrace/remotepluginmodule/plugin_deployment/custom.remote.python.certcheck/cryptography/hazmat/bindings/_rust.abi3.so))


Is v1.30 supported on RHEL 7? This library (GLIBC_2.28) seems to be only available in RHEL 8. The latest version for RHEL 7 is GLIBC_2.17.
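One way to confirm the glibc mismatch behind the loader error above before deploying a build, added here as an example and not part of the thread or the plugin: take the highest GLIBC_x.y symbol version a bundled shared object references (from `objdump -T`) and compare it with the host's glibc (from `ldd --version`). The function names and the sample objdump lines are constructed for this example.

```python
import re
import subprocess

GLIBC_SYMBOL = re.compile(r"\bGLIBC_(\d+)\.(\d+)")

# Constructed sample of `objdump -T` output for a shared object that needs glibc 2.28
SAMPLE_OBJDUMP = """DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.28  fcntl64
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
"""


def max_required_glibc(objdump_text):
    """Highest GLIBC_x.y symbol version a shared object references, from `objdump -T` output."""
    found = {(int(major), int(minor)) for major, minor in GLIBC_SYMBOL.findall(objdump_text)}
    return max(found) if found else None


def parse_ldd_version(ldd_text):
    """Host glibc version from the first line of `ldd --version`, e.g. 'ldd (GNU libc) 2.17'."""
    lines = ldd_text.splitlines()
    match = re.search(r"(\d+)\.(\d+)\s*$", lines[0]) if lines else None
    return (int(match.group(1)), int(match.group(2))) if match else None


def explain(required, host):
    """Verdict in the spirit of the loader error quoted in the thread."""
    if required is None:
        return "no versioned glibc symbols found"
    if host is None:
        return "could not determine host glibc version"
    verdict = "will not load" if required > host else "OK"
    return f"needs GLIBC_{required[0]}.{required[1]}, host has {host[0]}.{host[1]}: {verdict}"


def check_library(path):
    """Compare a real shared object against the running host (needs binutils' objdump)."""
    objdump = subprocess.run(["objdump", "-T", path], capture_output=True, text=True, check=True).stdout
    ldd = subprocess.run(["ldd", "--version"], capture_output=True, text=True).stdout
    return explain(max_required_glibc(objdump), parse_ldd_version(ldd))


if __name__ == "__main__":
    # Offline demo: the constructed sample against a RHEL 7 style glibc 2.17 host
    print(explain(max_required_glibc(SAMPLE_OBJDUMP), parse_ldd_version("ldd (GNU libc) 2.17")))
```

On a real ActiveGate, `check_library()` can be pointed at the `_rust.abi3.so` path quoted in the error message to get the same verdict for the installed build.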

Hi @pieter_luttig ,


isn't RHEL7 EOL already?

I'm building the plugin on Debian Buster and Stretch images with Python 3.8 support. Since openssl has native dependencies (glibc) you might need to rebuild the plugin on a RHEL7 machine.
Unfortunately I cannot pre-build it for all possible platforms.

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

Hi @r_weber ,

No, RHEL7 is only EOL in June 2024.

Sure, understood, will rebuild on RHEL7, thanks.


@pieter_luttig you can now find a specific build for older glibc versions on the 1.4 release page, please try whether this works for you.

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

@r_weber just tried it out now, and I am getting the below. 


Error(/usr/lib64/libc.so.6: version `GLIBC_2.25' not found (required by /opt/dynatrace/remotepluginmodule/plugin_deployment/custom.remote.python.certcheck/cryptography/hazmat/bindings/_openssl.abi3.so))

Just did the same, with the same result. Error(/lib64/libc.so.6: version `GLIBC_2.25' not found (required by /apps/tapm/remotepluginmodule/plugin_deployment/custom.remote.python.certcheck/cryptography/hazmat/bindings/_openssl.abi3.so))

r_weber
DynaMight Champion

@dave_vos @pieter_luttig 
Can you please take a look at this issue on github and post the output from your environments.
I checked on my test environment (CentOS 7.9) with GLIBC 2.17 - all fine and no dependency to 2.25.
Did you make sure you certainly downloaded the right plugin version, completely removed the old one and replaced it?

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

What minor version of RHEL are you on? 7.4? This has been built with CentOS 7.9 (should match RHEL 7.9), the latest update in the 7.x release.

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

We are on RHEL 7.9.

NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"


@pieter_luttig @dave_vos 

I specifically built on an old RHEL 7.9 now and added the binary to the 1.40 release on github. Dave already confirmed it working.
Hope that also works for you, pieter.

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

r_weber
DynaMight Champion

New Version 1.40 Released

I have pushed a new version of the plugin which is mainly addressing performance for large installations with hundreds of checked endpoints. I introduced concurrent execution which should speed up the total execution of individual check runs by a factor of 7-10.
(Thanks @ct_27 for the feedback!)


You can find the release here.

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

WAWHOO!! Can't wait to try it. The version we're running now does 450 SSL checks in 21 seconds and 899 in 42 seconds. Quite linear. Can't wait to see how many 1.4 can do.

Running Red Hat 8.6 on a 4-core 64-bit machine with 4GB of memory.

HigherEd

ct_27
DynaMight Pro

Just wanted to follow up. Everything is running well. We have a total of 1,030 SSL checks running across 4 configurations (SSL5, SSL15, SSL29, SSL29_2), which are spread out over 1 ActiveGate (threading at 20 got us down from 3 to 1). Everything is completing within the 1 minute timeframe. Problems are now remaining open (not closing after 10 minutes), thus the cross-configuration bug is fixed.


Next we're switching over to using the SSLCheckExpire tag to give teams more flexibility. 

HigherEd

r_weber
DynaMight Champion

New Version 1.50 Released

I have pushed a new version of the plugin which adds some functionality around TLS version support and reporting. It will now also work with older TLS versions (instead of not accepting TLS < 1.2) and include information about the TLS protocol and used ciphers in problem notifications. Additionally it will create custom info events on a synthetic monitor if it detects outdated TLS versions (no weak cipher checks though).

This should give responsible people the chance to identify weak protocols and ciphers in addition to expiring certs.


Certified Dynatrace Master, Dynatrace Partner - 360Performance.net
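Added here as an illustration of the behaviour this thread describes (classifying certificate expiry, reporting the negotiated TLS version and cipher as in 1.50, flagging outdated protocol versions instead of failing the check, and running endpoints concurrently as in 1.40); it is not the plugin's own code from the GitHub repository. The warning threshold, the OUTDATED_TLS set and all function names are assumptions of this example.

```python
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone

WARN_DAYS = 30                                 # assumed warning threshold, not the plugin's setting
OUTDATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # assumed set of versions that raise an info event


def not_after_to_datetime(not_after):
    """Convert the 'notAfter' string from ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2025 GMT', to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify_expiry(not_after, now, warn_days=WARN_DAYS):
    """Return (days_left, status) where status is OK, EXPIRING or EXPIRED."""
    days_left = (not_after - now).days
    if days_left < 0:
        return days_left, "EXPIRED"
    if days_left <= warn_days:
        return days_left, "EXPIRING"
    return days_left, "OK"


def classify_tls(version):
    """Outdated protocol versions are reported (info event), not treated as a failed check."""
    return "OUTDATED" if version in OUTDATED_TLS else "OK"


def check_endpoint(host, port=443, timeout=5.0, now=None):
    """Handshake with one endpoint and report certificate expiry, negotiated protocol and cipher."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # accept old TLS so it can be reported
    except ValueError:
        pass                                         # OpenSSL built without TLS 1.0/1.1 support
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            now = now or datetime.now(timezone.utc)
            days, status = classify_expiry(not_after_to_datetime(cert["notAfter"]), now)
            return {"host": host, "days_left": days, "expiry": status, "tls": tls.version(),
                    "tls_status": classify_tls(tls.version()), "cipher": tls.cipher()[0]}


def check_all(hosts, checker=check_endpoint, workers=20):
    """Check many endpoints concurrently; a failed handshake becomes an error entry, not a crash."""
    def guarded(host):
        try:
            return checker(host)
        except OSError as exc:                       # ssl.SSLError is an OSError subclass
            return {"host": host, "error": f"{type(exc).__name__}: {exc}"}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(guarded, hosts))
```

`check_all()` keeps the input order, so results can be matched back to the synthetic monitor each host came from.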

Hello r_weber, I much appreciate your efforts.

As you mentioned on GitHub, "(no plugin builds for older glibc linux platforms yet)". Any idea when it would be out? Keen to test for RHEL 7.9 with older glibc for the client.
