FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Extensions Framework v2.0: root CA cert distribution on ActiveGate KO

Go to solution
gilles_tabary
Advisor

‎25 Jun 2024 07:47 PM

Hello.

I followed

Yet when trying to configure my signed custom extensions on my AGs I get :

 

 

ERROR Failed to assign monitoring configuration to ActiveGate. Reason: Cannot extract extension from /mypath/var/conf/dynatrace/remotepluginmodule/agent/runtime/extensions/download/my_custom_extention: checking signature failed dsfm

warning [native] SignatureVerifier: openssl error: error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error : Verify error:unable to get local issuer certificate

 

 

Any idea ?

Labels:
0 Kudos
Reply
4 REPLIES 4

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend

‎25 Jun 2024 07:53 PM

Check the extension module log if it loads the certificate, check permissions for the certificate file (ActiveGate user must be able to read it) and also its format. 

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply

Go to solution
gilles_tabary
Advisor

‎25 Jun 2024 08:20 PM - edited ‎25 Jun 2024 08:29 PM

AFAIS it does load the cert i.e. no error / warning in logs. Any other way to hard check it does load it ? Like : 

   1350 2024-06-25 12:42:02.241 UTC [001f78d3] info    [native] SignatureVerifier: avaiable certificate files: cacert.pem, my-cert-root-ca.pem

File perm r--r----- dtuserag:dtuserag (no access denied error in logs)

Format is given by generating command 'dt extension genca --no-ca-passphrase'. Any thing else to check ? How-to ?

0 Kudos
Reply

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend

‎26 Jun 2024 06:38 AM

Please double-check your extension is signed using a certificate issued by the CA you imported. 

You can also verify the signature manually (does not help to import the extension, but shows you details) https://docs.dynatrace.com/docs/shortlink/sign-extension#verify-signature

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply

Go to solution
gilles_tabary
Advisor
In response to Julius_Loman

‎26 Jun 2024 03:11 PM

Thanks. Did so. 

unzip bundle.zip # Signed extension bundle

     extracting: extension.zip
     extracting: extension.zip.sig

openssl cms -verify \
-CAfile root-ca-cert.pem \           # *not* the extension leaf cert
-in extension.zip.sig \              # *not* the signed extension
-binary -content extension.zip \     # *not* the bundle, *only* the non signed extension
--inform PEM -out /dev/null

     Verification successful

My verification was not successfull showing locally (ouside of a Dynatrace Environment) the message :

20004:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../openssl-1.1.1g/crypto/cms/cms_smime.c:252:Verify error:unable to get local issuer certificate

Ran again the procedure and now verification says it's fine. I deleted / re-uploaded extension in my Dynatrace Environment. Hope it will be better. We will see.

0 Kudos
Reply
Ask a question

Featured Posts