Relic Solution: Using Synthetics to Monitor SSL Expiration

rfb

#41

@stefan_garnham Thanks for your help here, and for pinging me on this.

@yograj.patel -

The 403 Forbidden error is happening as we post the events to Insights. The Insights Insert API will return 403s when it cannot authenticate the API key. I replicated this by ensuring my account had no access to Insights (Insights None subscription); I still used the correct API key & account ID…

When I enabled the appropriate subscription for my account the monitor ran fine…

In testing this, I also substituted a false API key, and got the same 403 error; fixing the API key fixed the error.

So this points to two possibilities:

  • Wrong API Key.
      • Most likely - I opened your account and I can’t see any insert API key listed in the SSL cert test script I can find. Could you PM me with the API key you are using and can I have your permission to test the script in your account myself?
  • Invalid subscription.
      • This makes a little less sense to me, I can see from your account that you have Insights Pro, additionally I asked our engineers to look at your account in the DB and we see the appropriate subscriptions there.

Like I mentioned, my thoughts currently are that this is an API key issue. If possible, please do PM me the API key (or link to it) so I can run a test here to validate the behaviour you are seeing.

If we can replicate this with that information we’ll get this escalated further for investigation.


#42

@RyanVeitch I have provided the api key details and the account ID info. Please verify and assist me.


#43

@yograj.patel - Thanks for sending that over. That looks like your Admin account API key.

For the Insights Insert API you’ll need a different key.

There are 2 Insights specific API keys, 1 for inserting data and 1 for querying. In this case you’ll need an Insert key which you can find here: https://insights.newrelic.com/accounts/1175115/manage/api_keys

Let me know if updating that key helps :smiley:


#44

Thanks Ryan, it worked.


#45

Thanks! That worked. I’ve tweaked it a bit to generate different error messages but in a nutshell it works!


#46

@RyanVeitch Hello there, I’m new to the community and having the same “Forbidden 403 status code” for the SSL Cert check. Could you walk me thru where to get the API keys for use? Thanks in advance


#47

Hey @markangelo.lineses - you got it! Those failures were due to the Insights API key being incorrect. There are 2 types of insights API Keys though - Insert Data, or Query Data.

You’ll need an Insert Key, which you can create here: https://insights.newrelic.com/accounts/{your_account_id}/manage/api_keys

Just fill in your account ID to that URL. Note that if you can’t create a key there, you’ll need to reach out to an admin on your account with the appropriate permissions. :slight_smile:


#48

It now worked. Thank you.


#49

You got it! Glad you were able to get this working :smiley:


#50

The SSL expiry check was working fine till some days back, but I am getting the below error.

https://synthetics.newrelic.com/accounts/1175115/monitors/48170519-9dcb-4316-8880-d4c8fc7c65a0?tw[start]=1553526791.823&tw[end]=1553528591.823

Error: Parse Error
at Error (native)
at TLSSocket.socketOnData (_http_client.js:317:20)
at TLSSocket.emit (events.js:129:20)
at readableAddChunk (_stream_readable.js:163:16)
at TLSSocket.Readable.push (_stream_readable.js:126:10)
at TCP.onread (net.js:540:20)


#52

Hey @yograj.patel - That’s strange. The SSL Expiration script is still working for me. The only difference I can think of is that I’m running mine on different URLs than you are.
It’s possible that a response from one or more of your websites is causing this parse error.

I would recommend removing an array of URLs and trying to validate the script with one URL at a time. This will hopefully reveal if one of the URLs is problematic.


#53

Ryan,
I am getting the issue when monitoring the https://myaccount.coxbusiness.com url which is a major application url


#54

Hi @yograj.patel - Sorry for the delay here, I had a colleague look at this as well and below is what we came up with:

Currently there is no handling for the possibility of an error in the callback, so we’d recommend that you add a few lines to do that, and you may get a more relevant error, but it seems like the response data returned from that request was in an unexpected format / couldn’t be parsed correctly.
It’s hard to say if it’s on the Insights POST, as we see you are asynchronously firing off requests to multiple endpoints, though, in any case it’s recommended that you add error handling to the processSite function.

Let us know if you can try that out. :smiley:
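
An added example (not part of the original thread, and not the script under discussion) of the per-site error handling recommended above: a hypothetical `processSite` that reads the certificate with Node's `tls` module and turns socket errors, timeouts and certificate failures into a per-site result. The function names, options and the `tls`-based approach are assumptions, and it targets a current Node.js runtime.

```javascript
// Added example, not the thread's script. All names here are hypothetical.
const tls = require('tls');

const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days from nowMs until the certificate expires (negative once expired).
function daysRemaining(validTo, nowMs) {
  const expiry = Date.parse(validTo);
  if (Number.isNaN(expiry)) throw new Error('unparseable valid_to: ' + validTo);
  return Math.floor((expiry - nowMs) / DAY_MS);
}

// Check one host. The promise always resolves, so a socket error, timeout or
// bad certificate becomes a per-site result instead of aborting the whole run.
// `connect` defaults to tls.connect and is injectable for offline testing.
function processSite(host, { connect = tls.connect, nowMs = Date.now(), timeoutMs = 10000 } = {}) {
  return new Promise((resolve) => {
    let settled = false;
    const done = (result) => {
      if (settled) return; // error and timeout can both fire
      settled = true;
      socket.destroy();
      resolve({ host, ...result });
    };
    // rejectUnauthorized stays at its default (true): an expired or untrusted
    // certificate arrives via the 'error' event and is reported as a failure.
    const socket = connect({ host, port: 443, servername: host }, () => {
      try {
        const cert = socket.getPeerCertificate();
        if (!cert || !cert.valid_to) throw new Error('no peer certificate');
        done({ ok: true, daysRemaining: daysRemaining(cert.valid_to, nowMs) });
      } catch (err) {
        done({ ok: false, error: err.message });
      }
    });
    socket.setTimeout(timeoutMs, () => done({ ok: false, error: 'timeout' }));
    socket.on('error', (err) => done({ ok: false, error: err.message }));
  });
}

// Check every host and list those that errored or expire within minDays.
async function checkSites(hosts, minDays, opts) {
  const results = await Promise.all(hosts.map((h) => processSite(h, opts)));
  const failing = results.filter((r) => !r.ok || r.daysRemaining < minDays);
  return { results, failing };
}
```

Because each site resolves to its own result, the `failing` list names the endpoint that broke and why, which is what removing URLs one at a time was meant to reveal.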


#55

I’m sorry to revive an old thread. I had a hard time finding a complete working script out of all the iterations in the thread, so I cobbled together a couple of the sections above, and cleaned them up into a single working script that can be configured with the Secure Credentials variables.

Here is the result, I hope it saves someone else a little time:

https://gist.github.com/adamcrews/fa009bb8f5d9c22ff7bc543a3d0d0353


#56

Thanks for putting that together @adam.crews :smiley:


#57

Thanks @adam.crews for posting the complete working script.

It works for me, just had one question - each time the script is run, and the intent would be to run every day, it appears to create a new event. So after running twice, I get 2 events per site. I’m wondering if anyone had found a way to “clean up” events automatically.

We’ll be wanting to run this also for around 3000 end points, and believe this could be tricky due to the 3 minute limit for running scripts. I’d think we’d need to create a script per endpoint and that could get cluttered, especially if each run creates a new event.


#58

During testing/development, I definitely created lots of events that made the stats awful. Personally I just ignored them until the next day when it naturally shows the correct info. Unfortunately once you send data into insights, you can’t delete it.

However for 3000 events, a synthetic might not be the best way to invoke this. There is nothing special about this script that requires that it is kicked off from inside new relic. You could pretty easily have a jenkins job, cron job, lambda, really anything, that runs the script and does the post into insights.

If you still want synthetics to kick it off, perhaps simply having multiple versions of the script with a smaller list of urls would suffice. Then you could just use different env vars for each list.


#59

What if, from the below snippet, the URL is a MASSL’ed endpoint?
var urlToMonitor = 'https://newrelic.com';