27 Feb 2020 09:11 AM - last edited on 24 Jun 2021 05:34 AM by MaciejNeumann
During Perform 2020, I believe it was stated that certificate expiration checks were in the works in terms of out of the box for Dynatrace if I heard it correctly. I believe it was just briefly mentioned without much detail.
We are actively moving more and more to GCP and would like to have such checks.
I know there is currently a plugin out there on GitHub by Julius Loman (thank you Julius!) to do such checks, however I have not yet tried it. Curious if because this is a plugin, if it consumes custom metrics? I am also not sure if this plugin will work in a GCP environment.
Before I do try the plugin approach, I was wondering if I am recalling that above information correctly?
If so, is there a timeline or more in depth details that will be coming soon around this functionality?
Solved! Go to Solution.
At the moment it only verifies certificates on TCP ports on the host where OneAgent is running. I'll extend it to cover also client-side keystores for certificates (jks at this time, probably also pfx/p12 in the future).
I'm not aware of any plans of Dynatrace having the check functionality built-in.
Thanks Julius! Appreciate the work on a plugin around this as well. I am 99% sure I heard something at Perform on stage specific to certificates expiring. Maybe I was hearing things which is very possible! lol.
Could be. Maybe @Jakub M. may bring some answers.
Julius - I love your approach of OneAgent plugin monitoring. I have webservers with 20+ IPs all apache instances listening to 443. GitHub readme lists the limitation: "Opened TCP port bindings are retrieved from OneAgent and only local TCP ports are checked. Listening IP address is provided by OneAgent. Currently OneAgent supplies 127.0.0.1 as the listening IP address regardless of the actual TCP port binding."
Does this mean that the plugin knows what process owns a port, and will show the right cert on the process group, but may show 127.0.0.1 as the IP? Or do you mean that for boxes with multiple IPs and processes binding to 1 IP, the plugin can not tell process has the port?
Actually.. it only shows 127.0.0.1 if the listening address is 0.0.0.0 (all interfaces). But if your service is listening on a particular IP, it will show the IP and the port.
So basically it looks like this:
This listening port information is provided by OneAgent.
Thanks for quick response, that looks great! We will give this a try, thanks for sharing!
Is there a way to check for the keystores expiry dates? Can we filter which certs we want to monitor?
Hi @kedesai ,
I've been thinking about adding the possibility to monitor keystores, but I gave up. Unfortunately, it's not that easy to do it using Dynatrace OneAgent extension, because
I've decided not to implement this functionality.
Thanks for your quick reply. How are you able to monitor the cert on google.com. Per the process, we have to put the zip in two locations. one is in the:
2.) Upload the zip file to your Dynatrace tenant in Settings > Monitoring > Monitored technologies > Custom plugins and choose Upload plugin.
The other one goes to the location in the plugin_deployment directory on the host.
3.) Unzip the zip file on OneAgents into /opt/dynatrace/oneagent/plugin_deployment directory on hosts with OneAgents or to appropriate plug_deployment directory if you have installed the agent into the non-default directory.
I have a specific case where I need to get an SSL cert expiry from a website but I am not able to get it. For example adt.com. I don't have access to VM :).
Going to be giving this one a try along with the one provided by @Leon Van Z. as well today and through tomorrow. Excited to see what both can do. Both of your contributions are VERY MUCH APPRECIATED!
It would be nice to have it out of the box !
Others competitor have it.
I completely agree.
12 Mar 2020 08:07 AM - last edited on 23 Mar 2023 03:33 AM by andre_vdveen
We have created an AG Plugin that checks Certs: https://github.com/mediro-ict/activegate_python_ssl_plugin
NOTE: the latest version uses metrics and therefore consumes DDUs.
Good stuff @Leon Van Z. ! I will check that out. It might be exactly what we are looking for and save me some work at the same time 😉
shot Larry!, let me know how We can improve it
Going to be at long last trying this out today. I will let you know the results.
cool, let me know
Nice plugin! I tested it on my dev tenant in Dynatrace Saas, which worked great. But at our customer's site we use an on-prem Dynatrace. Installation worked out fine, but when we try to open the SSL/TLS Certificates tile on the Dynatrace Technologies page, I get a 404 page (not found). The sub-call that actually returns the 404 is like https://<clustername>/e/<environment-id>/rest/processes/summary/new/processType/SSL%2FTLS%20Certificates?<variables>. Do you have any idea of what could be wrong? The 404 page showed environment version 22.214.171.12420321-160129, the activegate is version 1.235.186.
Any thoughts of what could cause this problem?
Do I understand correctly that plugins developed by @Julius L. @Leon Van Z. require deployment on both AGs and the host where OneAgent is installed and they can't be deployed on ActiveGates only?
SSL certification expiration date verification is now available with HTTP monitors: