Add an SSL certificate to Dynatrace Managed cluster TrustStore

There may be times when you need to manually add an SSL certificate to the Dynatrace Managed cluster TrustStores, for example if your cluster refuses to accept the SSL certificate when sending emails or WebHook notifications. This typically happens when a self-signed certificate is used.

How to know when your cluster isn't accepting certificates

If a cluster is having trouble sending notifications, look for any files in the log directory of your cluster node installation that have the name pattern Server.*.*.log.

If any files with this naming pattern exist in the log folder, search through those log files for the following entry:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException

Log entries such as the example above indicate that the certificate provided by the notification receiver wasn't accepted by the cluster node. The reason for this is usually that the certificate isn't trusted.
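
The log check described above can be scripted. The following is an added example, not part of the original Dynatrace documentation; the log directory is passed as an argument because the page does not state its path, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan a cluster node log directory for certificate trust failures.
# Marker text is the log entry quoted on this page.
PKIX_MARKER='sun.security.validator.ValidatorException: PKIX path building failed'

# Print "<file>: <count>" for every Server.*.*.log file containing the marker.
# Returns 0 if at least one file has a hit, 1 if none do, 2 on a bad directory.
find_pkix_failures() {
    log_dir=$1
    [ -d "$log_dir" ] || { echo "not a directory: $log_dir" >&2; return 2; }
    found=1
    for f in "$log_dir"/Server.*.*.log; do
        [ -f "$f" ] || continue   # the glob matched nothing
        # grep -c exits non-zero on zero matches, so tolerate that.
        count=$(grep -cF -- "$PKIX_MARKER" "$f" || true)
        if [ "$count" -gt 0 ]; then
            echo "$f: $count"
            found=0
        fi
    done
    return $found
}

# Build a constructed sample log directory so the function can be tried offline.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/Server.0.0.log" <<'EOF'
2024-01-01 10:00:00 UTC INFO [constructed sample] notification queued
2024-01-01 10:00:01 UTC WARNING [constructed sample] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
EOF
    cat > "$dir/Server.0.1.log" <<'EOF'
2024-01-01 11:00:00 UTC INFO [constructed sample] notification delivered
EOF
    # This name does not match Server.*.*.log, so it must be ignored.
    echo "$PKIX_MARKER" > "$dir/Other.log"
    echo "$dir"
}

# Usage: sh this_script.sh <log_directory>
if [ "$#" -gt 0 ]; then
    find_pkix_failures "$1"
fi
```

A file reported here only shows that a receiver's certificate was rejected; confirm which receiver it belongs to before adding its certificate to the TrustStore.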

Add a custom certificate to the cluster node TrustStore

You can use the Java KeyTool to create the KeyStore. Dynatrace redistributes Java KeyTool as part of the JRE installed with Dynatrace Server. By default, this tool is available in <dynatrace-managed-installation-directory>/server/jre/bin.

Open a command prompt and switch to the directory where the Java KeyTool is located.

Optional: Create the KeyStore for the custom certificate.
See Generating a KeyStore and TrustStore for information on creating a Java KeyStore.

Export the custom certificate in CER format.

Say, for example, that you want to export a certificate from the Java keystore on your machine, located at /usr/java/jre/lib/security/cacerts, and name the exported certificate customcertificate.cer, specifying a password and alias. To do this, enter a command similar to the following:
keytool -export -storepass passwd -alias dynatracealias -keystore /usr/java/jre/lib/security/cacerts -file /tmp/customcertificate.cer

Note: You must insert your organization's file paths, file names, and password into these commands in place of the included sample values.

Import the trusted certificate into the Dynatrace Managed keystore.

  1. Create the import_trusted_certificate.sh script file:
  2. Make the import_trusted_certificate.sh script executable:
chmod +x import_trusted_certificate.sh
  3. Run the import_trusted_certificate.sh script to import the certificate:
import_trusted_certificate.sh <full_path_to_cer_file> <alias_for_certificate>

Restart Dynatrace Server.

/opt/dynatrace-managed/launcher/dynatrace.sh restart