10 Jul 2019 02:57 PM - last edited on 18 May 2023 04:20 PM by Michal_Gebacki
Hi Folks,
We have a customer who wants to monitor SSL certification validation check via Dynatrace.
Is it possible to monitor SSL certificate validation? I'm seeking more information from the customer about this, but this is what I got as the requirement.
BR,
AK
Not out of the box with Dynatrace, but you can make a OneAgent plugin that will validate it and send the data as custom metrics to Dynatrace.
Hi Sebastian,
Thanks for response.
Any document available with respect to this? I mean, specific to OneAgent plugin creation for SSL certification validation check.
BR,
AK
There are no documents like this because these are custom things. What you need to do first is find a way to get information about certificates using Python (or bash). Once you have this, you are good to go for writing the plugin, because you will need that piece of code as the source of the extra metrics. That's all, basically.
Sebastian
I've written a OneAgent plugin for SSL/TLS certificate expiration checks (it also does notification in advance), in case you need to check certificates locally for any process running on a host monitored by OneAgent.
If you are interested, you can download it from https://github.com/juliusloman/dynatrace-oneagent-plugin-sslcertcheck.
Hi Julius,
I have uploaded your OneAgent plugin for SSL/TLS certificate expiration, however I don't know how to deploy the plugin to hosts running OneAgents.
Download the zip file. (available in the releases tab).
You have to do two steps:
OneAgent will pick up the new plugin after just a few minutes. No need to restart OneAgent.
I have given it the necessary permissions as well.
*ADMINSHELL* opt/dynatrace/remotepluginmodule/plugin_deployment/dynatrace-oneagent-plugin-sslcertcheck-master # ll
total 20
-rwxr-xr-x 1 root root 2277 Jan 12 21:22 plugin.json
-rwxr-xr-x 1 root root 2172 Jan 12 21:22 README.md
-rwxr-xr-x 1 root root 9410 Jan 12 21:22 sslcertcheck_plugin.py
*ADMINSHELL* opt/dynatrace/remotepluginmodule/plugin_deployment/dynatrace-oneagent-plugin-sslcertcheck-master #
First - you have downloaded the repo, not the built plugin. Head to the releases page and download the release zip file, that's actually here.
Second - you have put it into the directory of ActiveGate plugin module. This is a OneAgent plugin, not an ActiveGate plugin. Unless you have installed OneAgent in some nondefault directory, it is the /opt/dynatrace/oneagent/plugin_deployment/ directory.
Yes, I have downloaded the file called Source code (ZIP) and I have uploaded it like below.
Is that the right way to download and upload it?
No, it is the file custom.python.sslcertcheck_plugin.zip not the zip code.
Upload this file to the tenant as on your screenshot and also unzip the file on an agent.
"Unzip the file on an agent" means I have to unzip it and put this custom.python.sslcertcheck_plugin under /opt/dynatrace/oneagent/plugin_deployment/ on the host, right?
Exactly. It should look like this:
# ls -l /opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin/
total
drwxrwxr-x 1 root root 382 Jan 12 22:24 asn1cryp
drwxrwxr-x 1 root root 96 Jan 12 22:24 asn1crypto-1.3.0.dist-in
-rwxrwxr-x 1 root root 2277 Jan 12 22:21 plugin.js
-rwxrwxr-x 1 root root 2172 Jan 12 22:17 README.
drwxrwxr-x 1 root root 82 Jan 12 22:24 sslcertcheck_plugin-1.0.dist-in
-rwxrwxr-x 1 root root 9410 Jan 12 22:02 sslcertcheck_plugin.py
As per your guideline, I have uploaded it, but it's still not capturing.
How do I check that the certificates are listed and monitored in Dynatrace?
*ADMINSHELL* opt/dynatrace/remotepluginmodule/plugin_deployment/custom.python.sslcertcheck_plugin # ll
total 32
drwxr-xr-x 2 root root 4096 Jan 21 09:18 asn1crypto
drwxr-xr-x 2 root root 4096 Jan 21 09:18 asn1crypto-1.3.0.dist-info
-rwxr-xr-x 1 root root 2277 Jan 21 09:18 plugin.json
-rwxr-xr-x 1 root root 2172 Jan 21 09:18 README.md
drwxr-xr-x 2 root root 4096 Jan 21 09:18 sslcertcheck_plugin-1.0.dist-info
-rwxr-xr-x 1 root root 9410 Jan 21 09:18 sslcertcheck_plugin.py
Hello @Gokul S.,
you still have the plugin copied in an incorrect directory. This directory is for the remote plugins (executed by ActiveGate).
You need to have the plugin copied in this directory
/opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin/
and not in:
/opt/dynatrace/remotepluginmodule/plugin_deployment/custom.python.sslcertcheck_plugin
I've added a new release (1.01) of the plugin that will inform you about the certificates the plugin found and will monitor:
It's still not working.
Can you review my steps below:
1) I have placed the custom.python.sslcertcheck_plugin zip file under Settings->Monitoring->Monitored technologies->Add new technology monitoring->Build OneAgent plugin with Python->Upload your plugin here or via command line (choose Upload plugin)
2) Unzipped the custom.python.sslcertcheck_plugin file and placed the files under
opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin/custom.python.sslcertcheck_plugin# ll
total 32
drwxr-xr-x 2 root root 4096 Jan 23 13:11 asn1crypto
drwxr-xr-x 2 root root 4096 Jan 23 13:11 asn1crypto-1.3.0.dist-info
-rwxr-xr-x 1 root root 2278 Jan 23 13:11 plugin.json
-rwxr-xr-x 1 root root 3017 Jan 23 13:11 README.md
drwxr-xr-x 2 root root 4096 Jan 23 13:11 sslcertcheck_plugin-1.1.dist-info
-rwxr-xr-x 1 root root 10459 Jan 23 13:11 sslcertcheck_plugin.py
Is it right?
You have it unzipped in one more directory - you have two directories custom.python.sslcertcheck_plugin in the path.
It must look like this:
# ls -al /opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin/
total 20
drwxrwxr-x 1 root root 222 Jan 16 15:41 .
drwxr-xr-x 1 root root 140 Jan 13 11:25 ..
drwxrwxr-x 1 root root 382 Jan 12 22:24 asn1crypto
drwxrwxr-x 1 root root 96 Jan 12 22:24 asn1crypto-1.3.0.dist-info
-rwxrwxr-x 1 root root 2277 Jan 12 22:21 plugin.json
-rwxrwxr-x 1 root root 2172 Jan 12 22:17 README.md
drwxrwxr-x 1 root root 82 Jan 12 22:24 sslcertcheck_plugin-1.0.dist-info
-rwxrwxr-x 1 root root 9458 Jan 16 15:41 sslcertcheck_plugin.
It's still not capturing. How much time does it take to pick it up?
Hey Julius,
This is awesome. I have been asked about this type of feature before. Appreciate you for open sourcing this project!
Thanks
-Dallas
Thanks! Happy to share.
Pretty cool stuff! Do you know if there is a compilation of other types of plugins?
Hi Julius, thanks for writing this plugin. We're looking for something like this. I have done exactly as per the given steps for my Apache HTTP Server running on Windows 2012, but it's not capturing the data. Please help.
Regards, Sandeep
Hi Julius, thanks for this wonderful plugin, it is successfully detecting the certificates.
One quick query regarding the metrics consumption, will it consume any custom metrics in terms of licenses?
Thanks.
No custom metrics are consumed.
Hi Julius,
I followed the same procedure, but I am receiving an error. Is this known?
How do I clear this?
Can you share the plugin engine log file from that agent?
Error is being triggered because of line 148 in the python file.
sub=cert['subject'].native['common_name'],
Py code near the line 148 :
self.logger.info("SSLCheck result {hps} subject CN {sub} notvalidbefore {nvb} novalidafter {nva}".format(hps=hps,
sub=cert['subject'].native['common_name'],
nvb=cert['validity']['not_before'].native,
nva=cert['validity']['not_after'].native))
In the plugin engine log :
2020-07-24 13:36:14,326 DEBUG 140009279579904(MainThread) - [report_status] {('custom.python.sslcertcheck_plugin', 9331643405291913339): (PluginFullStatus(pluginName=custom.python.sslcertcheck_plugin, pluginVersion=1.01, state=ERROR_UNKNOWN, description=common_name, monitoredEntityId=xxxxxxxxxx, stacktrace=Traceback (most recent call last):
File "/var/lib/dynatrace/oneagent/agent/runtime/engine_unpacked/ruxit/plugin_state_machine.py", line 340, in _execute_next_task
self._query_plugin()
File "/var/lib/dynatrace/oneagent/agent/runtime/engine_unpacked/ruxit/plugin_state_machine.py", line 672, in _query_plugin
self._plugin_run_data.plugin_instance._query_internal(**self._plugin_run_data.plugin_args)
File "/var/lib/dynatrace/oneagent/agent/runtime/engine_unpacked/ruxit/api/base_plugin.py", line 455, in _query_internal
return self.query(**kwargs)
File "/opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin/sslcertcheck_plugin.py", line 148, in query
sub=cert['subject'].native['common_name'],
KeyError: 'common_name'
),
Hope this would be sufficient.
Hi Julius,
The plugin is working for other servers.
Seems like there is some issue for that particular server.
Could you point out what that can be ?
Appreciate your quick responses and superb plugin development !
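Added example, not code from the plugin or from any poster: the `KeyError: 'common_name'` in the traceback above means the subject of that server's certificate has no CN attribute, so any certificate check should fall back to the subjectAltName instead of indexing the CN directly. The sketch uses Python's standard `ssl` module rather than asn1crypto; the function names and the sample certificates are constructed for illustration.

```python
import math
import socket
import ssl
from datetime import datetime, timezone

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake with chain and hostname validation; return the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_label(cert):
    """Display name for a certificate; the CN is optional, so never index it blindly."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return dns_names[0] if dns_names else "<no subject name>"

def classify(cert, warn_days=30, now=None):
    """Return (label, whole days until notAfter, state) for one certificate."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days = math.floor((expires - now).total_seconds() / 86400)
    state = "EXPIRED" if days < 0 else "WARNING" if days < warn_days else "OK"
    return subject_label(cert), days, state

# Constructed samples in the shape ssl.getpeercert() returns (not real certificates).
WITH_CN = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "app.example.test"),)),
    "subjectAltName": (("DNS", "app.example.test"),),
    "notAfter": "Mar  1 00:00:00 2030 GMT",
}
SAN_ONLY = {  # empty subject: the case that breaks a direct CN lookup
    "subject": (),
    "subjectAltName": (("DNS", "api.example.test"), ("IP Address", "192.0.2.10")),
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}
EXPIRED = {
    "subject": ((("organizationName", "Example Corp"),),),
    "notAfter": "Dec 25 00:00:00 2029 GMT",
}
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output

if __name__ == "__main__":
    for sample in (WITH_CN, SAN_ONLY, EXPIRED):
        print(classify(sample, now=NOW))
```

For a live endpoint, `classify(fetch_peer_cert("host.example"))` applies the same logic; a certificate that fails validation raises `ssl.SSLCertVerificationError` during the handshake, which is itself a result worth reporting.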
Hi @Julius L.
When you get a chance, can you please respond to my post on the issue I am having?
Thanks,
Avi
Hello Julius, we have installed your plugin SSL certificate check (version 1.02) but can't see where it shows the results. In which menu should it be visible? I would assume Technologies and processes, but can't see it there.
We have created an AG Plugin that checks Certs: https://github.com/mediro-ict/activegate_python_ssl_plugin
It worked for me. Thanks!
@Leon Van Z. Thank you for the plugin. I have successfully uploaded the ActiveGate plugin in Dynatrace but am not able to capture the details. It is getting the error: Hosts not being polled. Also, I have a query about the host details format. The format is like www.example.com:443, but I have entered the hostname like example:443, which is the name assigned to the particular host. Could you please help me to resolve this issue?
Hello, seems like something needs to be updated in your plugin. When I tried now I got an error
Error(cannot import name '_openssl' from 'cryptography.hazmat.bindings._rust' (unknown location))
@Julius L. At long last I got around to trying this out and I must say.... OUTSTANDING!
This is a keeper! Thank you!
Thanks @Larry R.! I have made a few fixes, mainly regarding metadata: all information is in one entry for each certificate. I hope this will be in the repository very soon.
@Sandeep K. I also connected successfully, but in which tab in Dynatrace can I see my certificate details?
If you used my plugin it will show in the properties for the process group (you need to expand them).
Hi @Julius Loman
We installed the plugin on the server and uploaded the extension in Dynatrace, but we are getting an error:
Error ('SSLCertCheck_Plugin' object has no attribute 'config') for: |
lnbroams04.highmark.com |
Please help us with what we are missing here.
On the server:
/opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin
drwxrwxr-x. 2 root root 4096 Jan 21 13:19 asn1crypto
drwxrwxr-x. 2 root root 4096 Jan 21 13:19 asn1crypto-1.3.0.dist-info
-rwxrwxr-x. 1 root root 2278 Jan 21 09:46 plugin.json
-rwxrwxr-x. 1 root root 3017 Jan 21 10:54 README.md
drwxrwxr-x. 2 root root 4096 Jan 21 13:19 sslcertcheck_plugin-1.1.dist-info
-rwxrwxr-x. 1 root root 10459 Jan 21 13:19 sslcertcheck_plugin.py
in Dynatrace
Hi @Julius L. I have deployed this but am getting the same events continuously; it is giving details of the same certificate again and again. Can you tell me what needs to be changed so that we do not get the same certificate every minute or so?
It would be so nice to have it out of the box ! It is part of basic monitoring of the system and should be included if OneAgent is installed on the server and detect any https endpoint.
Hi Julius,
I have uploaded the plugin via the Dynatrace UI and unzipped the file in /opt/dynatrace/oneagent/plugin_deployment.
But I am not able to see any data.
Note: Since the plugin_deployment directory was not available by default, I created this directory and then proceeded with the further steps.
Also, I'm not able to see a log file for the plugin in /opt/dynatrace/oneagent/log.
I have tried using both the 1.0 and 1.01 versions but with no success.
Am I missing anything?
Pls see if this Synthetic monitoring option works for you.
https://www.dynatrace.com/support/help/shortlink/http-monitor#create-an-http-monitor
Hi,
Does anyone know whether that would work for browser/clickpath monitors? At least based on my quick testing, an invalid cert didn't show the clickpath as unavailable. It's strange in a way that browser monitors are the more advanced ones (and expensive regarding DEM consumption) but appear to be missing the certificate check feature?
I see different approaches for testing the validity of a certificate and great that there are now multiple plugins to do so, with different advantages:
OneAgent Plugin
ActiveGate Plugin
Standard synthetic monitors
Just to add for the OneAgent plugin - I considered checking the files or keystores (I did similar plugin for a different monitoring tool a while ago) it has severe limitations:
Nice summary!
I would add that some HTTPS sites are not globally accessible. That might mean that Activegate and/or synthetic monitors might not reach them.
I can imagine that OneAgent plugins can also check remote servers, like Július refers to, but there might be limitations there.
There's also always the API route...
Will also be interesting to know if some type of information regarding TLS security will be available in the incoming Dynatrace security functionality...
Plugin-less SSL Check for public sites with Dynatrace Synthetic!
I've been digging a bit more for a solution that does not require any custom agent or active gate plugins and would reuse what is already existing with the standard synthetic monitors.
I found a feasible workaround solution that at least works for public sites, which might be handy for people:
It works like this:
I'm attaching the Synthetic monitor definition so you can post that via the config-api to create such a monitor: synthettic-monitor-http-ssl-check.json.zip
(API first - better than screenshots!)
Hope that helps all the folks out there who want to verify their certificates in Dynatrace!
@Július L. Thank you for sharing the plugin. I've used 1.02 version of plugin.
I followed two steps
1. to add/upload extension -successful
2. to copy/extract the plugin to the following location
[SERVER custom.python.sslcertcheck_plugin]$ pwd
/opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin
[SERVER custom.python.sslcertcheck_plugin]$ ll
total 40
drwxrwxr-x 2 root root 4096 Dec 18 17:09 asn1crypto
drwxrwxr-x 2 root root 4096 Dec 18 17:09 asn1crypto-1.4.0.dist-info
-rwxrwxr-x 1 root root 2473 Nov 12 08:56 plugin.json
drwxrwxr-x 3 root root 4096 Dec 18 17:09 pytz
drwxrwxr-x 2 root root 4096 Dec 18 17:09 pytz-2020.4.dist-info
-rw-rw-r-- 1 root root 3336 Nov 12 09:54 README.md
drwxrwxr-x 2 root root 4096 Dec 18 17:09 sslcertcheck_plugin-1.2.dist-info
-rw-rw-r-- 1 root root 11272 Dec 18 17:09 sslcertcheck_plugin.py
Then I changed the Global Configuration and it initially showed me that the hosts are being correctly monitored, then showed the following error. I guess it's the error due to the certificate expiry date falling in the notification/error range, but I couldn't get any notification or details. I couldn't find the plugin log file to get any further details. Could you suggest something, please?
Can you please share the log file and open a github issue?
Hi All,
You can now check SSL certificate expiry directly from Dynatrace synthetic HTTP monitors.
As of cluster version 1.2.12
This native addition is great to see, but is there any way we could work with DT to enhance it a bit more? For example, instead of just saying XXX days until expiration, it would be great to see what the certificate's actual expiration date and time are. I have a few use cases explaining why this would avoid confusion and could share them in a conversation. Another issue is that this type of Synthetic has a 60 minute max limit, but we only want to do cert checks every 12 or 24 hours.
During configuration it says it requires ActiveGate 1.235 for private locations, but how do I set this to work from ActiveGate? It seems like it works only from some cities around the world, and it's not possible to check an internal site which is not publicly accessible.
We've recently installed the ActiveGate version but are having major stability issues. It runs for a while without issue for checks where I enter a list of URLs in the UI's host box, but we're having a problem getting the host.txt file picked up when creating an instance where the UI's host box is empty. Also, whenever we restart the service, all the checks break and can't be updated. Sometimes a server bounce fixes it, but at the moment not even that is fixing it. We had log statements as well up until the service restart; logs are no longer being written. Any thoughts?