SSL Tests

Overview

SSL tests allow you to proactively monitor the validity and expiration of your SSL/TLS certificates to ensure secure connections between your key services and users. If your certificate is about to expire or becomes compromised, Datadog sends you an alert with details on the failure, allowing you to quickly pinpoint the root cause of the issue and fix it.

SSL tests can run from both managed and private locations depending on your preference for running the test from outside or inside your network. SSL tests can run on a schedule, on-demand, or directly within your CI/CD pipelines.

Configuration

After choosing to create a SSL test, define your test’s request.

Define request

  1. Specify the Host and the Port to run your test on. By default, the port is set to 443.
  2. Add Advanced Options (optional) to your test:
    • Accept self-signed certificates: Bypasses any server error related to a self-signed certificate.
    • Fail on revoked certificate in stapled OCSP: Fail the test if the certificate is labeled as revoked by the OCSP stapling.
    • Timeout: Specify the amount of time in seconds before the test times out.
    • Server Name: Specifies on which server you want to initiate the TLS handshake, allowing the server to present one of multiple possible certificates on the same IP address and TCP port number. By default, the parameter is filled by the Host value.
    • Client certificate: Authenticates through mTLS by uploading your client certificate (.crt) and the associated private key (.key) in PEM format. Note: You can use the openssl library to convert your certificates. For example, convert a PKCS12 certificate to PEM formatted private keys and certificates.
openssl pkcs12 -in <CERT>.p12 -out <CERT_KEY>.key -nodes -nocerts
openssl pkcs12 -in <CERT>.p12 -out <CERT>.cert -nokeys
  1. Name your SSL test.

  2. Add env Tags as well as any other tag to your SSL test. You can then use these tags to quickly filter through your Synthetic tests on the Synthetic Monitoring homepage.

Define SSL request

Click Test URL to try out the request configuration. A response preview is displayed on the right side of your screen.

Define assertions

Assertions define what an expected test result is. After you click Test URL, basic assertions on certificate validity, expiration data, TLS version, and response time are added based on the response that was obtained. You must define at least one assertion for your test to monitor.

TypeOperatorValue type
certificateexpires in more than, expires in less thanInteger (number of days)
propertycontains, does not contain, is, is not,
matches, does not match
String
Regex
response timeis less thanInteger (ms)
maximum TLS versionis less than, is less than or equal, is, is more than, is more than or equalDecimal
minimum TLS versionis more than, is more than or equalDecimal

You can create up to 20 assertions per API test by clicking New Assertion or by clicking directly on the response preview:

Define assertions for your SSL test to succeed or fail on

To perform OR logic in an assertion, use the matches regex or does not match regex comparators to define a regex with multiple expected values for the same assertion type like (0|100). The test result is successful if the property assertion’s value is 0 or 100.

If a test does not contain an assertion on the response body, the body payload drops and returns an associated response time for the request within the timeout limit set by the Synthetics Worker.

If a test contains an assertion on the response body and the timeout limit is reached, an Assertions on the body/response cannot be run beyond this limit error appears.

Select locations

Select the Locations to run your SSL test from. SSL tests can run from both managed and private locations depending on whether you want to monitor certificates from outside or inside your network.

Specify test frequency

SSL tests can run:

  • On a schedule to ensure your SSL/TLS certificates are always valid and that a secure connection is ensured to the users of your key services. Select the frequency at which you want Datadog to run your SSL test.
  • Within your CI/CD pipelines.
  • On-demand to run your tests whenever makes the most sense for your team.

Define alert conditions

Set alert conditions to determine the circumstances under which you want a test to fail and trigger an alert.

Alerting rule

When you set the alert conditions to: An alert is triggered if your test fails for X minutes from any n of N locations, an alert is triggered only if these two conditions are true:

  • At least one location was in failure (at least one assertion failed) during the last X minutes.
  • At one moment during the last X minutes, at least n locations were in failure.

Fast retry

Your test can trigger retries X times after Y ms in case of a failed test result. Customize the retry interval to suit your alerting sensibility.

Location uptime is computed on a per-evaluation basis (whether the last test result before evaluation was up or down). The total uptime is computed based on the configured alert conditions. Notifications sent are based on the total uptime.

Notify your team

A notification is sent by your test based on the alerting conditions previously defined. Use this section to define how and what message to send to your teams.

  1. Similar to how you configure monitors, select users and/or services that should receive notifications either by adding a @notificationto the message or by searching for team members and connected integrations with the drop-down box.

  2. Enter the notification message for your test. This field allows standard Markdown formatting and supports the following conditional variables:

    Conditional VariableDescription
    {{#is_alert}}Show when the test alerts.
    {{^is_alert}}Show unless the test alerts.
    {{#is_recovery}}Show when the test recovers from an alert.
    {{^is_recovery}}Show unless the test recovers from an alert.
    {{#is_renotify}}Show when the monitor renotifies.
    {{^is_renotify}}Show unless the monitor renotifies.
    {{#is_priority}}Show when the monitor matches priority (P1 to P5).
    {{^is_priority}}Show unless the monitor matches priority (P1 to P5).
  3. Specify how often you want your test to re-send the notification message in case of test failure. To prevent renotification on failing tests, leave the option as Never renotify if the monitor has not been resolved.

Click Save to save your test and have Datadog start executing it.

Variables

Create local variables

You can create local variables by clicking Create Local Variable at the top right hand corner of your test configuration form. You can define their values from one of the below available builtins:

{{ numeric(n) }}
Generates a numeric string with n digits.
{{ alphabetic(n) }}
Generates an alphabetic string with n letters.
{{ alphanumeric(n) }}
Generates an alphanumeric string with n characters.
{{ date(n, format) }}
Generates a date in one of our accepted formats with a value of the date the test is initiated + n days.
{{ timestamp(n, unit) }}
Generates a timestamp in one of our accepted units with a value of the timestamp the test is initiated at +/- n chosen unit.

Use variables

You can use the global variables defined in the Settings in the URL, Advanced Options, and assertions of your SSL tests.

To display your list of variables, type {{ in your desired field:

Test failure

A test is considered FAILED if it does not satisfy one or more assertions or if the request prematurely failed. In some cases, the test can fail without testing the assertions against the endpoint.

These reasons include the following:

CONNRESET
The connection was abruptly closed by the remote server. Possible causes include the web server encountering an error or crashing while responding, or loss of connectivity of the web server.
DNS
DNS entry not found for the test URL. Possible causes include misconfigured test URL or the wrong configuration of your DNS entries.
INVALID_REQUEST
The configuration of the test is invalid (for example, a typo in the URL).
SSL
The SSL connection couldn’t be performed. See the dedicated error page for more information.
TIMEOUT
The request couldn’t be completed in a reasonable time. Two types of TIMEOUT can happen:
  • TIMEOUT: The request couldn’t be completed in a reasonable time. indicates that the request duration hit the test defined timeout (default is set to 60s). For each request only the completed stages for the request are displayed in the network waterfall. For example, in the case of Total response time only being displayed, the timeout occurred during the DNS resolution.
  • TIMEOUT: Overall test execution couldn't be completed in a reasonable time. indicates that the test duration (request + assertions) hits the maximum duration (60.5s).

Permissions

By default, only users with the Datadog Admin and Datadog Standard roles can create, edit, and delete Synthetic SSL tests. To get create, edit, and delete access to Synthetic SSL tests, upgrade your user to one of those two default roles.

If you are using the custom role feature, add your user to any custom role that includes synthetics_read and synthetics_write permissions.

Restrict access

Access restriction is available for customers using custom roles on their accounts.

You can restrict access to an SSL test based on the roles in your organization. When creating an SSL test, choose which roles (in addition to your user) can read and write your test.

Set permissions for your test

Further Reading