SSL Tests
Incident Management is now generally available! Incident Management is now generally available!

SSL Tests

Overview

SSL tests allow you to proactively monitor the validity and expiration of your SSL/TLS certificates to ensure secure connections between your key services and your users. If your certificate is about to expire or becomes compromised, Datadog sends you an alert with details on the failure, allowing you to quickly pinpoint the root cause of the issue and fix it. SSL tests can run from managed and private locations depending on whether you are willing to monitor certificates of public or internal hosts.

Configuration

After choosing the type of test you are willing to create (HTTP, SSL, TCP, or DNS test), you can define your test’s request.

Define request

  1. Specify the Host and the Port to run your test on. By default, the port is set to 443.

  2. Add Advanced Options (optional) to your test:

    • Accept self-signed certificates: Bypass any server error related to a self-signed certificate.
    • Client certificate: Authenticate through mTLS by uploading your client certificate and associated private key.
  3. Name your SSL test.

  4. Add env Tags as well as any other tag to your SSL test. You can then use these tags to quickly filter through your Synthetic tests on the Synthetic Monitoring homepage.

  5. Select the Locations to run your SSL test from: SSL tests can run from managed and private locations depending on whether you are willing to monitor certificates from outside or inside your network.

Click on Test URL to try out the request configuration. You should see a response preview show up on the right side of your screen.

Specify test frequency

SSL tests can run:

  • On a schedule to ensure your SSL/TLS certificates are always valid and that a secure connections is ensured to the users of your key services. Select the frequency you want Datadog to run your SSL test.

Define assertions

Assertions define what an expected test result is. When hitting Test URL basic assertions on certificate validity, expiration data, TLS version, and response time are added based on the response that was obtained. You must define at least one assertion for your test to monitor.

TypeOperatorValue type
certificateexpires in more than, expires in less thanInteger (number of days)
propertycontains, does not contain, is, is not,
matches, does not match
String
Regex
response timeis less thanInteger (ms)
TLS versionis less than, is less than or equal, is, is more than, is more than or equalDecimal

You can create up to 10 assertions per API test by clicking on New Assertion or by clicking directly on the response preview:

Define alert conditions

Set alert conditions to determine the circumstances under which you want a test to fail and trigger an alert.

Alerting rule

When you set the alert conditions to: An alert is triggered if any assertion fails for X minutes from any n of N locations, an alert is triggered only if these two conditions are true:

  • At least one location was in failure (at least one assertion failed) during the last X minutes;
  • At one moment during the last X minutes, at least n locations were in failure.

Fast retry

Your test can trigger retries in case of failed test result. By default, the retries are performed 300 ms after the first failed test result-this interval can be configured via the API.

Location uptime is computed on a per-evaluation basis (whether the last test result before evaluation was up or down). The total uptime is computed based on the configured alert conditions. Notifications sent are based on the total uptime.

Notify your team

A notification is sent by your test based on the alerting conditions previously defined. Use this section to define how and what message to send to your teams.

  1. Similar to monitors, select users and/or services that should receive notifications either by adding an @notificationto the message or by searching for team members and connected integrations with the drop-down box.

  2. Enter the notification message for your test. This field allows standard Markdown formatting and supports the following conditional variables:

    Conditional VariableDescription
    {{#is_alert}}Show when the test alerts.
    {{^is_alert}}Show unless the test alerts.
    {{#is_recovery}}Show when the test recovers from alert.
    {{^is_recovery}}Show unless the test recovers from alert.
  3. Specify how often you want your test to re-send the notification message in case of test failure. To prevent renotification on failing tests, leave the option as Never renotify if the monitor has not been resolved.

Email notifications include the message defined in this section as well as a summary of failed assertions. Notifications example:

Click on Save to save your test and have Datadog start executing it.

Variables

Create local variables

You can create local variables by defining their values from one of the below available builtins:

PatternDescription
{{ numeric(n) }}Generates a numeric string with n digits.
{{ alphabetic(n) }}Generates an alphabetic string with n letters.
{{ alphanumeric(n) }}Generates an alphanumeric string with n characters.
{{ date(n, format) }}Generates a date in one of our accepted formats with a value of the date the test is initiated + n days.
{{ timestamp(n, unit) }}Generates a timestamp in one of our accepted units with a value of the timestamp the test is initiated at +/- n chosen unit.

Use variables

You can use the global variables defined in the Settings and the locally defined variables in the URL, Advanced Options, and assertions of your HTTP tests. To display your list of variables, type {{ in your desired field:

Test failure

A test is considered FAILED if it does not satisfy one or several assertions or if the request prematurely failed. In some cases, the test can indeed fail without being able to test the assertions against the endpoint, these reasons include:

ErrorDescription
CONNRESETThe connection was abruptly closed by the remote server. Possible causes include the webserver encountering an error or crashing while responding, or loss of connectivity of the webserver.
DNSDNS entry not found for the test URL. Possible causes include misconfigured test URL, wrong configuration of your DNS entries, etc.
INVALID_REQUESTThe configuration of the test is invalid (for example, a typo in the URL).
SSLThe SSL connection couldn’t be performed. See the dedicated error page for more information.
TIMEOUTThe request couldn’t be completed in a reasonable time. Two types of TIMEOUT can happen.
- TIMEOUT: The request couldn’t be completed in a reasonable time. indicates that the timeout happened at the TCP socket connection level.
- TIMEOUT: Retrieving the response couldn’t be completed in a reasonable time. indicates that the timeout happened on the overall run (which includes TCP socket connection, data transfer, and assertions).

Further Reading