
Help configuring SSL Certificate Monitor Extension

Raidan
Visitor

Hi All, 

I installed the SSL Certificate Monitor extension so I can monitor certificates in Dynatrace. I activated it at the ActiveGate scope and added the domain for direct monitoring, but I still can’t see any data in Dynatrace.

I also checked the Defender Portal and confirmed the certificate details are correct.

Do you have any suggestions on what I should check next?

 

Thanks 

 


AntonPineiro
DynaMight Guru

Hi,

I would suggest checking ActiveGate extension logs.

Best regards

❤️ Emacs ❤️ Vim ❤️ Bash ❤️ Perl

Raidan
Visitor

I checked the ActiveGate and extension logs on the ActiveGate host. The ActiveGate is running fine and the SSL Certificate Monitor extension is executing regularly.

I don’t see any errors in the logs, but no certificates are discovered and no data appears in Dynatrace.

The certificates do exist and are in use (confirmed in Microsoft Defender), and (I'm not sure) they are used by Kubernetes ingress endpoints.

Hi,

I would open a support case with ActiveGate diagnostics attached.

Best regards

❤️ Emacs ❤️ Vim ❤️ Bash ❤️ Perl

t_pawlak
Champion

Hi,
I know this might be trivial, but it often happens that the ActiveGate can't establish a TLS connection to the target domain/URL. You know, DNS, routing, firewall, proxy. Or, if you try to reach a Kubernetes Ingress, you can hit the wrong certificate because SNI isn't applied correctly.
SSL Certificate Monitor extension: in this documentation Dynatrace explicitly notes that for remote monitoring the ActiveGate must have access to the provided URLs/domains and firewall/network changes may be required.

Test from the ActiveGate host; do something like this:

    nslookup your.domain

or

    openssl s_client -connect your.domain:443 -servername your.domain </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

or just

    curl -vkI https://your.domain

 

It could also be SNI for Kubernetes Ingress. In the documentation:

Additional SNI domains
An optional setting to configure additional Server Name Indication domains:

Add domain. An advanced setting to provide a list of domains to use in with Server Name Indication. SNI is an extension to the TLS protocol which is used in HTTPS. Use this setting to specify the domain name of a website during the initial TLS Handshake instead of when the HTTPS connection opens after the handshake.

when multiple hostnames/certs share the same IP/LB; otherwise you may get the default cert or fail to extract the expected one. Also check that you monitor the correct FQDN used by the Ingress.

 

Another option - Enable the certificate status metric



You can also enable debug + domain discovery error alerts.
From the documentation:

Activate debug—check this box to activate debug level logging. Logs are available (by default) on Linux at: /var/lib/dynatrace/remotepluginmodule/log/extensions/datasources and on Windows at: C:\ProgramData\dynatrace\remotepluginmodule\log\extensions\datasources.

If all these checks look fine, open a support ticket.
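
The SNI point raised in the reply above can be checked from the ActiveGate host with a script like the following. It is an added example, not part of the thread and not Dynatrace tooling. It fetches the certificate with and without SNI and reports whether the monitored FQDN is covered by its SAN entries. The function names and the sample SAN text are constructed for illustration, and it assumes OpenSSL 1.1.1 or later (for `-noservername` and `x509 -ext`).

```shell
#!/bin/sh
# Added example: does the endpoint serve a certificate covering the monitored
# FQDN, and does that depend on SNI being sent?

# Print the DNS names found in `openssl x509 -noout -ext subjectAltName` text on stdin.
san_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# name_matches PATTERN HOST: exact match, or a wildcard covering exactly one label.
name_matches() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$pat" = "$host" ] && return 0
  case $pat in '*.'*) ;; *) return 1 ;; esac
  suffix=${pat#\*}                    # "*.example.test" -> ".example.test"
  left=${host%"$suffix"}              # what the "*" would have to match
  case $left in "$host"|''|*.*) return 1 ;; esac
  return 0
}

# cert_covers FQDN: SAN text on stdin; succeeds if any SAN entry matches FQDN.
cert_covers() {
  names=$(san_names)
  while IFS= read -r n; do
    name_matches "$n" "$1" && return 0
  done <<EOF
$names
EOF
  return 1
}

# verdict FQDN SAN_WITH_SNI SAN_WITHOUT_SNI -> ok | needs-sni | wrong-cert
verdict() {
  printf '%s\n' "$2" | cert_covers "$1" || { echo wrong-cert; return 0; }
  printf '%s\n' "$3" | cert_covers "$1" || { echo needs-sni; return 0; }
  echo ok
}

# served_san HOST:PORT [SNI]: SAN extension of the certificate actually served.
served_san() {
  if [ -n "$2" ]; then set -- "$1" -servername "$2"; else set -- "$1" -noservername; fi
  openssl s_client -connect "$@" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName 2>/dev/null
}

# Constructed sample output for a shared load balancer (not real data).
SAN_DEFAULT='X509v3 Subject Alternative Name:
    DNS:default.example.test'
SAN_APP='X509v3 Subject Alternative Name:
    DNS:shop.example.test, DNS:*.api.example.test'

# Live use: sh check_sni.sh your.domain:443 your.domain
if [ "$#" -ge 2 ]; then
  verdict "$2" "$(served_san "$1" "$2")" "$(served_san "$1")"
fi
```

A result of `needs-sni` means the endpoint only presents the expected certificate when the FQDN is sent in the handshake; `wrong-cert` means that even with SNI the served certificate does not list the monitored name.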
