 |
VOOZH | about |
|
VOOZH | about |
SSL tests allow you to proactively monitor the validity and expiration of your SSL/TLS certificates to ensure secure connections between your key services and users. If your certificate is about to expire or becomes compromised, Datadog sends you an alert with details on the failure, allowing you to pinpoint the root cause of the issue and fix it.
SSL tests can run from both managed and private locations depending on your preference for running the test from outside or inside your network. SSL tests can run on a schedule, on-demand, or directly within your CI/CD pipelines.
You may create a test using one of the following options:
Create a test from a template:
Build a test from scratch:
To build a test from scratch, click the + Start from scratch template, then select the SSL request type.
Specify the Host and the Port to run your test on. The default SSL port is 443.
Add Advanced Options (optional) to your test:
.crt) and the associated private key (.key) in PEM format.You can use the openssl library to convert your certificates. For example, convert a PKCS12 certificate to PEM formatted private keys and certificates.
openssl pkcs12 -in <CERT>.p12 -out <CERT_KEY>.key -nodes -nocerts
openssl pkcs12 -in <CERT>.p12 -out <CERT>.cert -nokeys
Name your SSL test.
Add Environment Tags as well as any other tag to your SSL test. You can then use these tags to filter through your Synthetic tests on the Synthetic Monitoring & Continuous Testing page.
Click Test Certificate to try out the request configuration. A response preview is displayed on the right side of your screen.
Click Create Test to submit your API test.
When setting up a new Synthetic Monitoring API test, use snippets to automatically fill in basic auth, performance, and regions, rather than selecting these options manually. The following snippets are available:
Basic Auth: Automatically test your APIs using pre-populated basic auth headers, JavaScript, bearer token, and API/app key auth variables.
Performance: Automatically configure a test with the shortest frequency (one minute), perform a gRPC health check, and test for overall response time latency with a breakdown of network timing.
Regions: Automatically test your API endpoint against a location in each of the three primary geographic regions (AMER, APAC and EMEA).
Assertions define what an expected test result is. After you click Test URL, basic assertions on certificate validity, expiration data, TLS version, and response time are added based on the response that was obtained. You must define at least one assertion for your test to monitor.
| Type | Operator | Value type |
|---|---|---|
| certificate | expires in more than, expires in less than | Integer (number of days) |
| property | contains, does not contain, is, is not,matches, does not match | String Regex |
| response time | is less than | Integer (ms) |
| maximum TLS version | is less than, is less than or equal, is, is more than, is more than or equal | Decimal |
| minimum TLS version | is more than, is more than or equal | Decimal |
You can create up to 20 assertions per API test by clicking New Assertion or by clicking directly on the response preview:
To perform OR logic in an assertion, use the matches regex or does not match regex comparators to define a regex with multiple expected values for the same assertion type like (0|100). The test result is successful if the property assertion’s value is 0 or 100.
If a test does not contain an assertion on the response body, the body payload drops and returns an associated response time for the request within the timeout limit set by the Synthetics Worker.
If a test contains an assertion on the response body and the timeout limit is reached, an Assertions on the body/response cannot be run beyond this limit error appears.
Select the Locations to run your SSL test from. SSL tests can run from both managed and private locations depending on your preference for monitoring certificates from outside or inside your network.
Datadog’s out-of-the-box managed locations allow you to test public-facing websites and endpoints from regions where your customers are located.
AWS:
| Americas | Asia Pacific | EMEA |
|---|---|---|
| Canada Central | Hong Kong | Bahrain |
| Northern California | Jakarta | Cape Town |
| Northern Virginia | Mumbai | Frankfurt |
| Ohio | Osaka | Ireland |
| Oregon | Seoul | London |
| São Paulo | Singapore | Milan |
| Sydney | Paris | |
| Tokyo | Stockholm |
GCP:
| Americas | Asia Pacific | EMEA |
|---|---|---|
| Dallas | Tokyo | Frankfurt |
| Los Angeles | ||
| Oregon | ||
| Virginia |
Azure:
| Region | Location |
|---|---|
| Americas | Virginia |
The Datadog for Government site (US1-FED) uses the following managed location:
| Region | Location |
|---|---|
| Americas | US-West |
SSL tests can run:
Set alert conditions to determine the circumstances under which you want a test to fail and trigger an alert.
When you set the alert conditions to: An alert is triggered if any assertion fails for X minutes from any n of N locations, an alert is triggered only if these two conditions are true:
Your test can trigger retries X times after Y ms in case of a failed test result. Customize the retry interval to suit your alerting sensibility.
Location uptime is computed on a per-evaluation basis (whether the last test result before evaluation was up or down). The total uptime is computed based on the configured alert conditions. Notifications sent are based on the total uptime.
A notification is sent by your test based on the alerting conditions previously defined. Use this section to define how and what to message your team.
Similar to how you configure monitors, select users and/or services that should receive notifications either by adding an @notification to the message or by searching for team members and connected integrations with the dropdown menu.
Enter the notification message for your test or use pre-filled monitor messages. This field allows standard Markdown formatting and supports the following conditional variables:
| Conditional Variable | Description |
|---|---|
{{#is_alert}} | Show when the test alerts. |
{{^is_alert}} | Show unless the test alerts. |
{{#is_recovery}} | Show when the test recovers from alert. |
{{^is_recovery}} | Show unless the test recovers from alert. |
{{#is_renotify}} | Show when the monitor renotifies. |
{{^is_renotify}} | Show unless the monitor renotifies. |
{{#is_priority}} | Show when the monitor matches priority (P1 to P5). |
{{^is_priority}} | Show unless the monitor matches priority (P1 to P5). |
Notification messages include the message defined in this section and information about the failing locations. Pre-filled monitor messages are included in the message body section:
Specify how often you want your test to re-send the notification message in case of test failure. To prevent renotification on failing tests, check the option Stop re-notifying on X occurrences.
Click Save & Start Recording to save your test configuration and monitor.
For more information, see Synthetic Monitoring notifications.
To pause test execution during planned maintenance windows, select an existing Scheduled downtime in the Downtimes section. The test automatically pauses during the downtime’s scheduled time slots.
Note: You cannot create a new downtime from the test creation form. To create one, navigate to Settings > Downtimes.
To create a local variable, click + All steps > Variables. You can select one of the following available builtins to add to your variable string:
n digits.n letters.n characters.n units.n units.To obfuscate local variable values in test results, select Hide and obfuscate variable value. Once you have defined the variable string, click Add Variable.
You can use the global variables defined on the Settings page in the URL, advanced options, and assertions of your SSL tests.
To display your list of variables, type {{ in your desired field.
A test is considered FAILED if it does not satisfy one or more assertions or if the request prematurely failed. In some cases, the test can fail without testing the assertions against the endpoint.
For a complete list of SSL error codes, see API Testing Errors.
By default, only users with the Datadog Admin and Datadog Standard roles can create, edit, and delete Synthetic SSL tests. To get create, edit, and delete access to Synthetic SSL tests, upgrade your user to one of those two default roles.
If you are using the custom role feature, add your user to any custom role that includes synthetics_read and synthetics_write permissions.
Use granular access control to limit who has access to your test based on roles, teams, or individual users:
| Access level | View test configuration | Edit test configuration | View test results | Run test |
|---|---|---|---|---|
| No access | ||||
| Viewer | Yes | Yes | ||
| Editor | Yes | Yes | Yes | Yes |
Additional helpful documentation, links, and articles:
| |
