
SSL Certification expiration checks out of the box - Details?

larry_roberts
Champion

During Perform 2020, I believe it was stated that certificate expiration checks were in the works in terms of out of the box for Dynatrace if I heard it correctly. I believe it was just briefly mentioned without much detail.

We are actively moving more and more to GCP and would like to have such checks.

I know there is currently a plugin out there on GitHub by Julius Loman (thank you Julius!) to do such checks, however I have not yet tried it. Curious whether, because this is a plugin, it consumes custom metrics? I am also not sure if this plugin will work in a GCP environment.

Before I do try the plugin approach, I was wondering if I am recalling that above information correctly?

If so, is there a timeline or more in depth details that will be coming soon around this functionality?

Thanks!

16 REPLIES

Julius_Loman
Leader
Just my "two cents" about my plugin - it does not consume any metrics, so it's free also from Dynatrace license consumption. It only pushes events and metadata to processes.


At the moment it only verifies certificates on TCP ports on the host where OneAgent is running. I'll extend it to cover also client-side keystores for certificates (jks at this time, probably also pfx/p12 in the future).

I'm not aware of any plans of Dynatrace having the check functionality built-in.

TEMPEST a.s., Slovakia, Dynatrace Master Partner

Thanks Julius! Appreciate the work on a plugin around this as well. I am 99% sure I heard something at Perform on stage specific to certificates expiring. Maybe I was hearing things which is very possible! lol.

Could be. Maybe @Jakub M. may bring some answers.

TEMPEST a.s., Slovakia, Dynatrace Master Partner

Julius - I love your approach of OneAgent plugin monitoring. I have webservers with 20+ IPs all apache instances listening to 443. GitHub readme lists the limitation: "Opened TCP port bindings are retrieved from OneAgent and only local TCP ports are checked. Listening IP address is provided by OneAgent. Currently OneAgent supplies 127.0.0.1 as the listening IP address regardless of the actual TCP port binding."

Does this mean that the plugin knows what process owns a port, and will show the right cert on the process group, but may show 127.0.0.1 as the IP? Or do you mean that for boxes with multiple IPs and processes binding to 1 IP, the plugin cannot tell which process has the port?

Actually, it only shows 127.0.0.1 if the listening address is 0.0.0.0 (all interfaces). But if your service is listening on a particular IP, it will show the IP and the port.

So basically it looks like this:


This listening port information is provided by OneAgent.

TEMPEST a.s., Slovakia, Dynatrace Master Partner
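
A sketch of the kind of local-port expiry check discussed above, added here as an illustration; it is not code from either plugin mentioned in this thread. The function names, the 30-day threshold and the status labels are assumptions, and the wildcard-to-loopback mapping follows the behaviour described for 0.0.0.0 bindings.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not taken from the thread


def probe_address(bind_ip):
    """A wildcard bind (all interfaces) is probed via loopback; a specific IP is kept."""
    return {"0.0.0.0": "127.0.0.1", "::": "::1"}.get(bind_ip, bind_ip)


def days_left(not_after, now=None):
    """Whole days until notAfter, given in the text form getpeercert() returns."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # negative once the certificate has expired


def classify(days):
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days <= WARN_DAYS else "OK"


def check_listener(bind_ip, port, timeout=5.0):
    """Return (probed_ip, status, days) for a TLS listener on this host."""
    ip = probe_address(bind_ip)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # probing by IP; only the validity dates matter here
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                days = days_left(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # 10 = X509_V_ERR_CERT_HAS_EXPIRED; other codes mean the chain is not
        # trusted by this host's CA store, so the dates cannot be read this way.
        return ip, "EXPIRED" if exc.verify_code == 10 else "UNVERIFIED", None
    return ip, classify(days), days


if __name__ == "__main__":
    # Constructed bindings; replace with the listeners found on the host.
    for bind_ip, port in [("0.0.0.0", 443)]:
        try:
            print(check_listener(bind_ip, port))
        except OSError as exc:
            print(bind_ip, port, "unreachable:", exc)
```

Certificates issued by a private CA come back as UNVERIFIED unless that CA is in the host's trust store, because the standard library only exposes parsed certificate fields after a successful chain validation.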

Thanks for the quick response, that looks great! We will give this a try, thanks for sharing!

Going to be giving this one a try along with the one provided by @Leon Van Z. as well today and through tomorrow. Excited to see what both can do. Both of your contributions are VERY MUCH APPRECIATED!

It would be nice to have it out of the box!

Other competitors have it.

I completely agree.

leon_vanzyl
Helper

We have created an AG Plugin that checks Certs: https://github.com/mediro-ict/activegate_python_ssl_plugin

NO CUSTOM METRICS


Good stuff @Leon Van Z. ! I will check that out. It might be exactly what we are looking for and save me some work at the same time 😉

Thank you!

Shot Larry! Let me know how we can improve it.

Going to be at long last trying this out today. I will let you know the results.

Cool, let me know.

Hello everyone,

Do I understand correctly that plugins developed by @Julius L. @Leon Van Z. require deployment on both AGs and the host where OneAgent is installed and they can't be deployed on ActiveGates only?

Thanks

--

MaciejNeumann
Community Team

SSL certification expiration date verification is now available with HTTP monitors:

ssl certification.png

If you have any questions about the Forum, you can contact me at maciej.neumann@dynatrace.com