Your data. Anywhere you go.

New Relic for iOS or Android


Download on the App Store    Android App on Google play


New Relic Insights App for iOS


Download on the App Store


Learn more

Close icon

SSL Certificate Update for newrelic.com - FAQs


#8

Hi @ashraf.jaddo, @vipul, @szymansm, @reto.lehmann -

To clarify, Infrastructure, Synthetics, Servers, and Mobile will not be affected by this update. They all use the built-in certificate store.

Java agents may be impacted if you have altered the configuration to the JVM trust store in a way that is not standard. You can read more about configuring your SSL certificates here.

Regarding the node agent: previous to v1.4.0, the Node agent did not have SSL support. Beginning with v1.4.0 the Node agent bundles it’s own certificate bundle, which we have confirmed has the correct root certificate. You can view the node release notes here.


#9

Hi,
What about .net agent? We still have few 5.12.13 that are hard to update rapidly.
From what .net agent version the certificate was bundle in the agent?
Thx


#10

Hi @cperellis

I believe the v1.4.0 is for the Node.js node agent.
Can you please share the version for the java node agent that has this bundled as well?

Thanks
Kirti


#11

Hi @guy_roy and @Kirti.Lalwani -

For the Java agent, the default JVM trust store has contained the Digicert cert by default for all versions of Java beginning with v1.6. You can view the Java release notes here.

.NET uses the systems built in trust store, and there is no certificate bundled with it. We highly recommend .NET customers that customize the system built in trust store to verify their system trust store contains the Digicert root certificate by running the connection test mentioned above.


#12

PST is not active right now. Is the change occurring at 10 AM PST or 10 AM PDT?


#13

There was a banner on the site last week that referenced this change (I opted to hide it), but others on my team never saw it. Was the banner removed already?


#14

Good catch, @cgerken! The update will begin at 10 AM PDT. The post has been updated to reflect that time. Additionally, we’ll be continuing to post banner notifications for a few days at a time leading up to the update, but the banner has been removed at this time.


#15

Hey there,

Will this affect the Python agent too?


#16

Hi @kirkiris - Customers using Python agent versions greater than v2.58.2 (released in November 2015) should not be impacted by this update.


#17

We are using Newrelic PHP agents, servers and infrastructure. Is there any impact on PHP newrelic agent ? All servers are ubuntu & Amazon linux
Newrelic rpm versions
New Relic Version 7.0.0.186 (“pipher” - “22bc2bd494bc”)
New Relic Version 7.7.0.203 (“yershova” - “5fedc700f64a”)
New Relic Version 5.4.0.150 (“driscoll” -


#18
  1. We have some custom plugin agent’s using the ruby plugin SDK , would that be affected .
  2. We are using defaults for Java agent so have not configured anything related to SSL , can you tell me what is the default value for property ‘use_private_ssl’.

#19

Hi there - Ruby’s default behavior is to default to the system certificate store. There is no impact to Ruby plugins as long as your system default certificate contains Digicert. You can test this using the connection test linked above.

The default behavior for use_private_ssl is false, and the default JVM certificate store included with Java contains the necessary certificate. As long as you’re not customizing the JVM certificate store, no action should be necessary.


#20

The cert bundle has been in our PHP agent since 2014, so you should be all set! No action required for those versions.


#21

Hi @cperellis We are using newrelic Java agent version - 3.31.0 for our APM, I ran the connection test using curl, Are we good?

curl -v https://connection-test.newrelic.com/
Connected to connection-test.newrelic.com () port 443 (#0)

  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • SSL connection using TLS_RSA_WITH_RC4_128_SHA
  • Server certificate:
  •   subject: CN=*.newrelic.com,O="New Relic, Inc.",L=San Francisco,ST=California,C=US
    
  •   start date: Jan 19 00:00:00 2018 GMT
    
  •   expire date: Apr 16 12:00:00 2021 GMT
    
  •   common name: *.newrelic.com
    
  •   issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
    

GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: connection-test.newrelic.com
Accept: /

< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Content-Length: 66
<
client_ip:
tls_version: TLSv1.2
cipher: RC4-SHA


#22

Hi there - yes, there is no SSL error. Please see comments above related to Java agent and JVM certificate store for more information.


#23

Thanks! @cperellis for the clarification.


#24

Hi @cperellis. We have a number of Ruby agents with version < 3.9.4.245 that cannot be readily updated due to outdated Ruby/Rails versions which are tangled in some legacy applications. That said, all of these machines already recognize Digicert via their system store. Is there some work around that you know of to get the agents to recognize the new certificate without having to update?

Thanks in advance.


#25

Hi there @aaron.b - We think we may need to do some investigating with you so we’ve opened a ticket for you to work on directly with Cara and our team. Please be on the lookout for an email.

If we come up with anything that is useful to other Ruby users, we will share back here!


#26

This update has been made.

If you are experiencing any issues check out the thread above for agent specific information.

We are encouraging conversation in this thread:

Please let us know what questions you have for us regarding this update in the thread linked above so we can keep this thread focused on FAQs.

Thanks,
Ty


#27