During Perform 2020, I believe it was stated that certificate expiration checks were in the works in terms of out of the box for Dynatrace if I heard it correctly. I believe it was just briefly mentioned without much detail.
We are actively moving more and more to GCP and would like to have such checks.
I know there is currently a plugin out there on GitHub by Julius Loman (thank you Julius!) to do such checks, however I have not yet tried it. Curious if because this is a plugin, if it consumes custom metrics? I am also not sure if this plugin will work in a GCP environment.
Before I do try the plugin approach, I was wondering if I am recalling that above information correctly?
If so, is there a timeline or more in depth details that will be coming soon around this functionality?
Solved! Go to Solution.
At the moment it only verifies certificates on TCP ports on the host where OneAgent is running. I'll extend it to cover also client-side keystores for certificates (jks at this time, probably also pfx/p12 in the future).
I'm not aware of any plans of Dynatrace having the check functionality built-in.
Julius - I love your approach of OneAgent plugin monitoring. I have webservers with 20+ IPs all apache instances listening to 443. GitHub readme lists the limitation: "Opened TCP port bindings are retrieved from OneAgent and only local TCP ports are checked. Listening IP address is provided by OneAgent. Currently OneAgent supplies 127.0.0.1 as the listening IP address regardless of the actual TCP port binding."
Does this mean that the plugin knows what process owns a port, and will show the right cert on the process group, but may show 127.0.0.1 as the IP? Or do you mean that for boxes with multiple IPs and processes binding to 1 IP, the plugin can not tell process has the port?
Actually.. it only shows 127.0.0.1 if the listening address is 0.0.0.0 (all interfaces). But if your service is listening on a particular IP, it will show the IP and the port.
So basically it looks like this:
This listening port information is provided by OneAgent.
Hi @kedesai ,
I've been thinking about adding the possibility to monitor keystores, but I gave up. Unfortunately, it's not that easy to do it using Dynatrace OneAgent extension, because
I've decided not to implement this functionality.
Thanks for your quick reply. How are you able to monitor the cert on google.com. Per the process, we have to put the zip in two locations. one is in the:
2.) Upload the zip file to your Dynatrace tenant in Settings > Monitoring > Monitored technologies > Custom plugins and choose Upload plugin.
The other one goes to the location in the plugin_deployment directory on the host.
3.) Unzip the zip file on OneAgents into /opt/dynatrace/oneagent/plugin_deployment directory on hosts with OneAgents or to appropriate plug_deployment directory if you have installed the agent into the non-default directory.
I have a specific case where I need to get an SSL cert expiry from a website but I am not able to get it. For example adt.com. I don't have access to VM :).
Going to be giving this one a try along with the one provided by @Leon Van Z. as well today and through tomorrow. Excited to see what both can do. Both of your contributions are VERY MUCH APPRECIATED!
Nice plugin! I tested it on my dev tenant in Dynatrace Saas, which worked great. But at our customer's site we use an on-prem Dynatrace. Installation worked out fine, but when we try to open the SSL/TLS Certificates tile on the Dynatrace Technologies page, I get a 404 page (not found). The sub-call that actually returns the 404 is like https://<clustername>/e/<environment-id>/rest/processes/summary/new/processType/SSL%2FTLS%20Certificates?<variables>. Do you have any idea of what could be wrong? The 404 page showed environment version 22.214.171.12420321-160129, the activegate is version 1.235.186.
Any thoughts of what could cause this problem?