Relic Solution: Custom certificates for ping monitors


Do you use your own internal Certificate Authority (CA)? Does that CA sign the certificates? Does that break your ability to use Synthetics monitors against your internal sites? Well, we may be able to help…

Prerequisites

  • You’ll need to be using Private Locations.
  • This won’t work for scripted monitors, only pings.
  • Scripted monitors run in a docker instance with no access to the OS’s certificate store.
  • These steps assume you already have your custom .crt file.

Solution

You’ll need to add your certificates to the Ubuntu certificate store, so below is exactly how to do that.

  1. Open a terminal and navigate locally to the directory where you saved the .crt
  2. Launch sftp with: sftp synthetics@{minion_ip} (password: synthetics)
  3. Upload the certificate using: put cert-name-here.crt

This uploads the certificate to the home directory on the minion, /home/synthetics. Next, we’ll need to get the cert to the Ubuntu certificate store: /etc/ssl/certs.

  1. Add the .crt file to the directory: /usr/local/share/ca-certificates
  2. Run the command: sudo update-ca-certificates

The above command should concatenate the certificate to the file /etc/ssl/certs/ca-certificates.crt.


Verification

When you tick the ‘Verify SSL’ checkbox, the minion running those checks simply runs the command:

openssl s_client -servername {YOUR_HOSTNAME} -connect {YOUR_HOSTNAME}:443 -CApath /etc/ssl/certs -verify_hostname {YOUR_HOSTNAME} > /dev/null

So, to test that the custom cert is working, you can run that command against your endpoint from within the private minion.

Note that if you upgrade your minions you’ll need to redo this process, since updating minions currently involves a full new machine image.

The good news, though, is that greater support for custom certificates is something our product development teams are hoping to include in the containerised minion that is on their roadmap.


Thanks to @Michel_L for providing this solution.
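
An added example, not part of the original post: openssl s_client does not abort on a verification failure by default, so the "Verify return code" line in its output is the thing to check after installing the CA. The function names and sample output below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Preflight for the .crt before it goes into /usr/local/share/ca-certificates:
# update-ca-certificates only picks up PEM files whose name ends in .crt.
check_ca_file() {
    case "$1" in
        *.crt) ;;
        *) echo "$1: rename to .crt or it will be ignored" >&2; return 1 ;;
    esac
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "$1: not PEM (convert with: openssl x509 -inform der -in FILE -out FILE.crt)" >&2
        return 2
    }
}

# Read s_client output on stdin and print the first numeric verify return code.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Run the post's verification command and pass only on "Verify return code: 0".
# stdin is /dev/null so s_client exits after the handshake instead of waiting.
check_endpoint() {
    code=$(openssl s_client -servername "$1" -connect "$1:443" \
        -CApath /etc/ssl/certs -verify_hostname "$1" </dev/null 2>/dev/null | verify_code)
    [ "$code" = "0" ]
}

# Constructed sample output (not captured from a real host).
SAMPLE_OK='SSL handshake has read 3210 bytes and written 410 bytes
Verification: OK
    Verify return code: 0 (ok)'
SAMPLE_FAIL='verify error:num=20:unable to get local issuer certificate
Verification error: unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'
```

On the minion, check_ca_file cert-name-here.crt runs before the copy and check_endpoint {YOUR_HOSTNAME} after sudo update-ca-certificates; a code of 20 typically means the CA did not make it into the store.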