
Does Dynatrace monitor SSL certificate validation

AK
Advisor

Hi Folks,

We have a customer who wants to monitor an SSL certificate validation check via Dynatrace.

Is it possible to monitor SSL certificate validation? I'm seeking more information from the customer about this, but this is what I got as the requirement.

BR,

AK

53 replies

alexandre_marl2
Organizer

It would be so nice to have it out of the box! It is part of basic monitoring of the system and should be included if OneAgent is installed on the server and detects any HTTPS endpoint.

darshana2703
Newcomer

Hi Julius,

I have uploaded the plugin via the Dynatrace UI and unzipped the file into /opt/dynatrace/oneagent/plugin_deployment.

But I am not able to see any data.

Note: since the plugin_deployment directory was not available by default, I created this directory and then proceeded with the further steps.

Also, I am not able to see a log file for the plugin in /opt/dynatrace/oneagent/log.

I have tried using both versions 1.0 and 1.01, but with no success.

Am I missing anything?

skanchalwar2
Guide

Please see if this Synthetic monitoring option works for you.

https://www.dynatrace.com/support/help/shortlink/http-monitor#create-an-http-monitor

Hi,

Does anyone know whether that would work for browser/clickpath monitors? At least based on my quick testing, an invalid cert didn't show the clickpath as unavailable. It's strange in a way that browser monitors are the more advanced ones (and expensive regarding DEM consumption) but appear to be missing the certificate check feature?

r_weber
Pro

I see different approaches for testing the validity of a certificate, and it's great that there are now multiple plugins to do so, with different advantages:

OneAgent Plugin
  • only possible to check local plugins by default.
  • Certificate (SSL connect) must be on the local server where the oneagent runs
  • would not work if the certificate/ssl is e.g. hosted/terminated externally (e.g. a F5 without an agent installed)
  • could potentially check the certificate file directly instead of doing an SSL connect
ActiveGate Plugin
  • can connect to any ssl endpoint (just like a synthetic monitor)
  • obviously needs an Active Gate for plugin execution
Standard synthetic monitors
  • doesn't exist yet
  • would be integrated where it's naturally expected - with synthetic tests
  • only "valid" checks exist so far
  • an additional expiry in x days would be useful and shouldn't be too hard to build, but would add additional verification steps on every execution
  • an extra synthetic monitor that runs every 24hrs only once could be an option also - low frequency would be enough and not too costly

Just to add for the OneAgent plugin: I considered checking the files or keystores (I did a similar plugin for a different monitoring tool a while ago); it has severe limitations:

  • Extensions run as a non-privileged user. It's very likely the extension won't have access to certificate or keystore files from the extension itself.
  • I tried to implement certfile checks in the SSL OneAgent extension anyway, but all useful Python modules required native libraries conflicting with the extension engine libraries. I simply could not get this working. Maybe I did not try hard enough.
  • A remote check can be done from OneAgent, but you cannot send events to entities outside the OneAgent-monitored host or process.

Nice summary!

I would add that some HTTPS sites are not globally accessible. That might mean that Activegate and/or synthetic monitors might not reach them.

I can imagine that OneAgent plugins can also check remote servers, like Július refers to, but there might be limitations there.

There's also always the API route...

Will also be interesting to know if some type of information regarding TLS security will be available in the incoming Dynatrace security functionality...

r_weber
Pro

Plugin-less SSL Check for public sites with Dynatrace Synthetic!

I've been digging a bit more for a solution that does not require any custom agent or active gate plugins and would reuse what is already existing with the standard synthetic monitors.

I found a feasible workaround solution that at least works for public sites, which might be handy for people:

It works like this:

  • Use a basic HTTP synthetic monitor
  • in combination with a public SSL-Check site that provides an API: https://ssltools.godaddy.com/views/certChecker
  • Create a HTTP Post request in the monitor that POSTs to that API with the URL that you want to check.
  • Use a Post-Execution script to validate the response/evaluate the expiry information and eventually fail the synthetic monitor via its API calls (see here)


I'm attaching the Synthetic monitor definition so you can post that via the config-api to create such a monitor: synthettic-monitor-http-ssl-check.json.zip
(API first - better than screenshots!)

Hope that helps all the folks out there who want to verify their certificates in Dynatrace!
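The check that every approach in this thread boils down to, whether it runs inside a OneAgent/ActiveGate extension (the plugin comparison a few replies up) or in the post-execution script of the synthetic workaround above: a verifying TLS connect, then a hostname, validity-window and days-to-expiry evaluation with a warning threshold. The block below is an added example in Python, the language of the extensions discussed here; it is not the sslcertcheck plugin shared in the thread and not Dynatrace code. It uses only the standard library, and the sample certificate dict, the 30-day threshold and the function names are assumptions for illustration. For the synthetic route the same threshold logic would be ported to the JavaScript post-execution script and applied to the checker API's expiry field.

```python
"""Added example: the certificate check underlying the OneAgent/ActiveGate
plugin approaches (not the sslcertcheck plugin from this thread, not Dynatrace
code). Standard library only, so it runs on an ActiveGate-style host."""
import calendar
import socket
import ssl
import time


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Real TLS handshake with chain and hostname verification against the
    system trust store. Returns the dict produced by ssl.getpeercert().
    An untrusted chain or hostname mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def utc(year, month, day):
    """Seconds since epoch for midnight UTC of the given date (helper for
    evaluating a certificate 'as of' a fixed instant)."""
    return calendar.timegm((year, month, day, 0, 0, 0, 0, 0, 0))


def hostname_matches(cert, host):
    """Match host against the certificate's DNS SANs only (the CN is ignored,
    as modern clients do). A wildcard covers exactly one leftmost label and
    never the bare parent domain."""
    host = host.lower().rstrip(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern.startswith("*."):
            same_depth = host.count(".") == pattern.count(".")
            if same_depth and host.endswith(pattern[1:]):
                return True
        elif pattern == host:
            return True
    return False


def evaluate_cert(cert, host, now=None, warn_days=30):
    """Return (status, days_left, reason); status is 'ok', 'warn' or 'fail'.
    getpeercert() gives notBefore/notAfter as 'Mon DD HH:MM:SS YYYY GMT'
    strings, which ssl.cert_time_to_seconds turns into epoch seconds (UTC)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400.0
    if now < not_before:
        return "fail", days_left, "certificate not yet valid"
    if now >= not_after:
        return "fail", days_left, "certificate expired"
    if not hostname_matches(cert, host):
        return "fail", days_left, "hostname not covered by SAN"
    if days_left < warn_days:
        return "warn", days_left, "expires in %.1f days" % days_left
    return "ok", days_left, "valid"


def check_endpoint(host, port=443, warn_days=30):
    """What an extension would run per configured endpoint (assumed interface):
    handshake-level verification failures become a 'fail' result instead of
    an exception, so the plugin keeps running for the remaining endpoints."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        return "fail", None, "TLS verification failed: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "fail", None, "connection failed: %s" % exc
    return evaluate_cert(cert, host, warn_days=warn_days)


# Constructed sample in the exact shape ssl.getpeercert() returns; not a real
# certificate, just the fields the evaluation above reads.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Apr 10 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.internal.example.com")),
}

if __name__ == "__main__":
    # Offline demo against the constructed sample, evaluated 21 days before expiry.
    print(evaluate_cert(SAMPLE_CERT, "www.example.com", now=utc(2024, 3, 20)))
    # For a live endpoint (network required): print(check_endpoint("www.example.com"))
```

An extension would call check_endpoint for each configured host on a low frequency (once a day is enough for expiry) and report days_left as a metric, raising an event on 'warn' or 'fail'; days_left is kept as a number precisely so the reader sees the actual remaining time rather than only a threshold verdict.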

yeshokiran_nrus
Newcomer

@Július L. Thank you for sharing the plugin. I've used version 1.02 of the plugin.

I followed two steps:

1. to add/upload extension -successful

2. to copy/extract the plugin to the following location

[SERVER custom.python.sslcertcheck_plugin]$ pwd
/opt/dynatrace/oneagent/plugin_deployment/custom.python.sslcertcheck_plugin
[SERVER custom.python.sslcertcheck_plugin]$ ll
total 40
drwxrwxr-x 2 root root  4096 Dec 18 17:09 asn1crypto
drwxrwxr-x 2 root root  4096 Dec 18 17:09 asn1crypto-1.4.0.dist-info
-rwxrwxr-x 1 root root  2473 Nov 12 08:56 plugin.json
drwxrwxr-x 3 root root  4096 Dec 18 17:09 pytz
drwxrwxr-x 2 root root  4096 Dec 18 17:09 pytz-2020.4.dist-info
-rw-rw-r-- 1 root root  3336 Nov 12 09:54 README.md
drwxrwxr-x 2 root root  4096 Dec 18 17:09 sslcertcheck_plugin-1.2.dist-info
-rw-rw-r-- 1 root root 11272 Dec 18 17:09 sslcertcheck_plugin.py


Then I changed the Global Configuration, and it showed me that the hosts were being correctly monitored initially, then it showed the following error. I guess it's the error due to the certificate expiry date falling in the notification/error range, but I couldn't get any notification or details. I couldn't find the plugin log file to get any further details. Could you suggest, please?


Can you please share the log file and open a github issue?

brayden_neale
Dynatrace Helper

Hi All,

As of cluster version 1.2.12, you can check SSL certificate expiry directly from Dynatrace synthetic HTTP monitors.

This native addition is great to see, but is there any way we could work with DT to enhance it a bit more? For example, instead of just saying XXX days until expiration, it would be great to see what the certificate's actual expiration date and time are. I have a few use cases explaining why this would avoid confusion and could share them in a conversation. Another issue is that this type of Synthetic has a 60-minute max limit, but we only want to do cert checks every 12 or 24 hours.

ct_27
Organizer

We've recently installed the ActiveGate version but are having major stability issues. It runs for a while without issue for checks where I enter a list of URLs in the UI's host box, but we're having a problem getting the host.txt file picked up when creating an instance where the UI's host box is empty. Also, whenever we restart the service, all the checks break and can't be updated. Sometimes a server bounce fixes it, but at the moment not even that is fixing it. We had log statements as well up until the service restart; the logs are no longer being written to. Any thoughts?