SSL Certificate Update for newrelic.com - FAQs
On Monday, April 9, 2018 between 10 AM - 11 AM PDT, New Relic will be updating the certificate for *.newrelic.com.
Ruby APM agents will be impacted.
- Ruby agent - versions older than 220.127.116.11 (Link to update your Ruby agent)
If you are using this version of the Ruby APM language agents action is required
What is this change?
Following industry best practice, New Relic secures communications between customers and our infrastructure using TLS. Previously Symantec’s GeoTrust was used as New Relic’s certificate provider and it will be transitioning to Digicert. This is in response to Chrome’s decision to distrust Symantec issued certificates (https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html).
Why are we updating the *.newrelic.com SSL certificate?
SSL Certificates have a certain period of validity and must be replaced every couple years if not sooner. We are replacing the certificates for the domains above ahead of the Chrome 77 beta release because they are nearing their certificate expiration date. New Relic is completing this routine update to ensure connections continue to be secure and trusted by clients.
What is the timing for this change?
On Monday, April 9, 2018 New Relic will begin using a new certificate for *newrelic.com. Customers should prepare for this update, as it may require action on your end.
How will this impact me?
Customers should ensure their agents are up to date and properly configured to guarantee uninterrupted service. In most cases, New Relic agents will rely on the system’s certificate store for what certificates they should trust. However, in some cases, New Relic packages a certificate bundle in the agent and this is used in place of a system’s certificate store.
If you or your organization have security policies/procedures in place to modify what certificates your agents, browsers, etc. can trust, then you should make sure that the new chain will be trusted.
After the update is made, if your system/agent does not have the new root in it’s trust store, then data will be lost until the new root is trusted.
In order to help customers identify if they will be impacted, New Relic has set up an endpoint with this new certificate for you to test against, see below:
curl -v https://connection-test.newrelic.com/
Invoke-WebRequest -Verbose -Uri https://connection-test.newrelic.com
Thank you and feel free to ask questions below.