Thanks Julius! Appreciate the work on a plugin around this as well. I am 99% sure I heard something at Perform on stage specific to certificates expiring. Maybe I was hearing things which is very possible! lol.

Could be. Maybe @Jakub M. may bring some answers.

Julius - I love your approach of OneAgent plugin monitoring. I have webservers with 20+ IPs all apache instances listening to 443. GitHub readme lists the limitation: "Opened TCP port bindings are retrieved from OneAgent and only local TCP ports are checked. Listening IP address is provided by OneAgent. Currently OneAgent supplies 127.0.0.1 as the listening IP address regardless of the actual TCP port binding."

Does this mean that the plugin knows what process owns a port, and will show the right cert on the process group, but may show 127.0.0.1 as the IP? Or do you mean that for boxes with multiple IPs and processes binding to 1 IP, the plugin can not tell process has the port?

Actually.. it only shows 127.0.0.1 if the listening address is 0.0.0.0 (all interfaces). But if your service is listening on a particular IP, it will show the IP and the port.

So basically it looks like this:

This listening port information is provided by OneAgent.

Thanks for quick response, that looks great! We will give this a try, thanks for sharing!

Hi Julius,

Is there a way to check for the keystores expiry dates? Can we filter which certs we want to monitor? 

Thanks,

Ketan

Hi @kedesai ,
I've been thinking about adding the possibility to monitor keystores, but I gave up. Unfortunately, it's not that easy to do it using Dynatrace OneAgent extension, because

• extensions run as unprivileged users, so there will be issues with accessing the keystore file which is typically owned by some application user
• many keystore types (JKS/CMS), require a JVM or a specific JVM (IBM JVM) to open them.
• you would need to configure the paths to the keystores anyway

I've decided not to implement this functionality.

Hi Julius,

Thanks for your quick reply. How are you able to monitor the cert on google.com. Per the process, we have to put the zip in two locations. one is in the:
2.) Upload the zip file to your Dynatrace tenant in Settings > Monitoring > Monitored technologies > Custom plugins and choose Upload plugin.

The other one goes to the location in the plugin_deployment directory on the host.

3.) Unzip the zip file on OneAgents into /opt/dynatrace/oneagent/plugin_deployment directory on hosts with OneAgents or to appropriate plug_deployment directory if you have installed the agent into the non-default directory.

I have a specific case where I need to get an SSL cert expiry from a website but I am not able to get it. For example adt.com. I don't have access to VM :).

Thanks again,

Ketan

Going to be giving this one a try along with the one provided by @Leon Van Z. as well today and through tomorrow. Excited to see what both can do. Both of your contributions are VERY MUCH APPRECIATED!

It would be nice to have it out of the box !

Others competitor have it.

I completely agree.

Good stuff @Leon Van Z. ! I will check that out. It might be exactly what we are looking for and save me some work at the same time 😉

Thank you!

shot Larry!, let me know how We can improve it

Going to be at long last trying this out today. I will let you know the results.

cool, let me know

Nice plugin! I tested it on my dev tenant in Dynatrace Saas, which worked great. But at our customer's site we use an on-prem Dynatrace. Installation worked out fine, but when we try to open the SSL/TLS Certificates tile on the Dynatrace Technologies page, I get a 404 page (not found). The sub-call that actually returns the 404 is like https://<clustername>/e/<environment-id>/rest/processes/summary/new/processType/SSL%2FTLS%20Certificates?<variables>. Do you have any idea of what could be wrong? The 404 page showed environment version 1.236.119.20220321-160129, the activegate is version 1.235.186.

Any thoughts of what could cause this problem?

Thanks, Marcel