If a customer wants to replace the certificate of an on-prem installation with their own, this can be configured.
This is described in our documentation: https://www.instana.com/docs/self_hosted_instana/configuration/#replacing-existing-certificates
To replace existing certificates with other certificates, update the paths to your certificate files in the cert block of the settings.hcl file (shown below). Then update the system with:
instana update -f /path/to/settings.hcl
cert {
  crt = "/mnt/cert/tls.crt"
  key = "/mnt/cert/tls.key"
}
Make sure that the file names and paths are correct.
If the customer runs into an issue, check that the certificate and key are in the correct format.
You can check this with:
file certificate_name.crt
file key_name.crt
The output should be like this:

You can also check this by opening the certificate and the key file with cat or vi.
The certificate should always begin with:
-----BEGIN CERTIFICATE-----
and end with:
-----END CERTIFICATE-----
The key should be the private key. It should begin with:
-----BEGIN RSA PRIVATE KEY-----
and end with:
-----END RSA PRIVATE KEY-----
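The marker checks above can be scripted and run before instana update. This is an added example, not part of the original article or of Instana's tooling: the function names pem_label and check_pair are hypothetical, and the check through openssl that the key belongs to the certificate goes beyond what the article describes.

```shell
#!/bin/sh
# Added example, not Instana tooling. pem_label and check_pair are
# hypothetical helper names. Usage: sh check_tls_pair.sh tls.crt tls.key

# pem_label FILE: print the label of the PEM block that starts the file
# ("CERTIFICATE", "RSA PRIVATE KEY", ...) or "not-pem" when the first and
# last non-blank lines are not a matching BEGIN/END pair (for example DER).
pem_label() {
    # Drop CRs and blank lines so Windows line endings do not hide the markers.
    first=$(tr -d '\r' < "$1" | grep -av '^[[:space:]]*$' | head -n 1)
    last=$(tr -d '\r' < "$1" | grep -av '^[[:space:]]*$' | tail -n 1)
    label=$(printf '%s\n' "$first" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p')
    if [ -n "$label" ] && [ "$last" = "-----END $label-----" ]; then
        printf '%s\n' "$label"
    else
        printf 'not-pem\n'
    fi
}

# check_pair CERT KEY: return 0 when both files carry the markers the article
# expects and (if openssl is installed) the key belongs to the certificate.
# Return codes: 1 = bad certificate file, 2 = bad key file, 3 = mismatch.
check_pair() {
    if [ "$(pem_label "$1")" != "CERTIFICATE" ]; then
        echo "$1: expected PEM CERTIFICATE, found $(pem_label "$1")" >&2
        return 1
    fi
    if [ "$(pem_label "$2")" != "RSA PRIVATE KEY" ]; then
        echo "$2: expected PEM RSA PRIVATE KEY, found $(pem_label "$2")" >&2
        return 2
    fi
    command -v openssl >/dev/null 2>&1 || return 0
    # Both commands print the public key in the same PEM form, so a plain
    # string comparison shows whether the key matches the certificate.
    # "-passin pass:" keeps openssl from prompting on an encrypted key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not parse or do not belong together" >&2
        return 3
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```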
If something is wrong with the certificate, the error should be visible in the logs:
2020-12-15 08:24:54,703 [main] ERROR c.i.b.c.d.InstanaDropwizardApplication - Unexpected error during application startup
java.lang.IllegalStateException: /etc/instana_tls/acceptor.keystore is not a valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)