Boris_Karnaukh
Contributor

opentelemetry datadog export fail on server certificate validation

CheckPoint VSX R81.20, JHF Take 120

Skyline with export to Datadog as follows:

{
"enabled": true,
"export-targets": {
"add": [
{
"enabled": true,
"type": "datadog",
"name": "datadog-fu-tls-01",
"url": "datadoghq.eu",
"client-auth": {
"token": {
"custom-header": {
"key": "apikey",
"value": "########################"
}
}
},
"server-auth": {
"ca-public-key": {
"type": "PEM-X509",
"value": "-----BEGIN CERTIFICATE-----[base64 body omitted]-----END CERTIFICATE-----"
}
}
}
]
}
}

Datadog connection fails on server certificate verification:

2026-01-14T10:21:07.086+0200 error internal/queue_sender.go:103 Exporting failed. Dropping data. Try enabling retry_on_failure config option to retry on retryable errors. {"kind": "exporter", "data_type": "metrics", "name": "datadog/datadog-fu-tls-01", "error": "max elapsed time expired Post \"https://api.datadoghq.eu/api/v2/series\": tls: failed to verify certificate: x509: certificate signed by unknown authority", "dropped_items": 199}

As far as I can understand, the Datadog cloud sends a partial certificate chain: it contains the server certificate and the certificate authority's intermediate certificate. The root certificate is omitted.

I have tried setting the root CA certificate for Datadog in the JSON file; it didn't work either.

Leaving server-auth on defaults does not help either.

Has anyone succeeded in making Datadog export work with Skyline?

12 Replies
the_rock
MVP Diamond

Maybe @Duane_Toler can comment on this?

Best,
Andy
Vincent_Bacher
MVP Silver

We don't use Datadog, but Prometheus, but I think it should look the same as ours in this case.
We also had this problem, and it was only when we integrated the server CERT of the root CA, i.e. built a cert with the complete chain, that remote write worked.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Duane_Toler
MVP Silver

The error in your output above explicitly says that your certificate chain is untrusted.  I haven't used Datadog personally, yet, but I can say that your certificate issuer is:

issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1

This is the newer root CA from your certificate provider, so be sure you have this updated root CA installed on the host receiving this connection.  Sectigo and DigiCert (in particular) rolled out new CAs recently, and many folks are getting surprised by it.

As @Vincent_Bacher   said, you may also need to build the whole CA chain in one bundle and make that your "certificate".  If you do, then this has to be done in the correct order:

  • First the base root CA
  • All of the intermediate CAs (in order)
  • Finally, your certificate for the host/service

This is a concatenated list of the PEM certificates; for example:

(cat root.pem; cat ca-bundle.crt; cat server.crt) > cert_chain.pem

Then use "cert_chain.pem" as your "certificate" in the configuration.

I hope this helps!

 

[edit: correct the credit ...  oops!  coffee hasn't fully circulated yet!]

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
Vincent_Bacher
MVP Silver

Hey, that was me who said you have to put all the certificates in the chain into one certificate 😄

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Duane_Toler
MVP Silver

Argh!! Apologies!  I corrected it.  Thank you!  (now back to my morning coffee...)

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Diamond

Kudos to both of you!

Best,
Andy
Boris_Karnaukh
Contributor

Hi Duane,

I have found the root cert you are referring to under /opt/CPshrd-R81.20/conf/ca-bundle.crt; a simple test with 'curl_cli -I --cacert $CPDIR/conf/ca-bundle.crt ...' confirms that the CheckPoint certificate repository indeed contains the proper DigiCert certificate.

It just seems to me that by default the log exporter looks for the trusted CA bundle somewhere else.

I have tried the approach with cat root.pem subca.pem server.pem > chain.pem, but it didn't work properly in my case.

Vincent_Bacher
MVP Silver

I'm not 100% sure, but looking at your openssl output, I think I see what might be going wrong:

Just tried to download the cert chain. It looks like Datadog is only sending 2 certificates in the chain:

  1. Server Cert: *.datadoghq.eu
  2. Intermediate CA: DigiCert Global G2 TLS RSA SHA256 2020 CA1
  3. Missing: DigiCert Global Root G2 (Root CA)

That's probably why you're getting "unable to get local issuer certificate".

Maybe you could try extracting the missing Root CA and adding it to your chain? Something like:

Option 1 - Extract Root CA from Check Point's bundle:

grep -A 30 "DigiCert Global Root G2" $CPDIR/conf/ca-bundle.crt | \
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > digicert-root-g2.pem

Option 2 - Download it from DigiCert:

curl_cli -o digicert-root-g2.pem https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem

Then try creating a complete chain:

cpopenssl s_client -connect api.datadoghq.eu:443 -showcerts 2>/dev/null < /dev/null | \
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > datadog-chain.pem
cat digicert-root-g2.pem >> datadog-chain.pem


Now datadog-chain.pem should have all 3 certificates. Put that into your Skyline server-auth config and see if it works?

Not entirely sure if this will solve it, but it might be worth a try.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Boris_Karnaukh
Contributor

Hi Vincent,

Unfortunately, importing full certificate chain like this still doesn't solve the problem:

"server-auth": {
"ca-public-key": {
"type": "PEM-X509",
"value": "-----BEGIN CERTIFICATE-----[base64 body omitted]-----END CERTIFICATE----------BEGIN CERTIFICATE-----[base64 body omitted]-----END CERTIFICATE----------BEGIN CERTIFICATE-----[base64 body omitted]-----END CERTIFICATE-----"
}
}

That's exactly what I have started with.

Vincent_Bacher
MVP Silver

Oh, I am sorry, I mixed up the use cases. In this case I checked my Skyline config and viewed the certificate, and I saw that I just used the intermediate CA cert of our organization.
Sorry for the confusion.

I had a look at your chain.
First cert:

 

Certificate Information:

Common Name: *.datadoghq.eu
Subject Alternative Names: *.datadoghq.eu, datadoghq.eu
Organization: Datadog, Inc.
Organization Unit:
Locality: New York
State: New York
Country: US
Valid From: June 8, 2025
Valid To: July 10, 2026
Issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1, DigiCert Inc
Serial Number: 0bc713ea0f2f3468b26896b3a174f47e


Second Cert


Certificate Information:

Common Name: DigiCert Global G2 TLS RSA SHA256 2020 CA1
Subject Alternative Names:
Organization: DigiCert Inc
Organization Unit:
Locality:
State:
Country: US
Valid From: March 29, 2021
Valid To: March 29, 2031
Issuer: DigiCert Global Root G2, DigiCert Inc
Serial Number: 0cf5bd062b5602f47ab8502c23ccf066




I would try using just the second one, as you can see that this is the issuer of the Datadog server cert.

 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Boris_Karnaukh
Contributor

Thank you for replying. I have found that datadog configuration translates into something like this:

sklnctl otelcol config | jq .exporters
{
"datadog/datadog-tls-01": {
"api": {
"key": "#####################",
"site": "datadoghq.eu"
},
"tls": {
"ca_file": "/var/log/otlp_certs/ca-bundle.crt"
}
},
"s1cdtexporter": {
"access_keys_file": "$FWDIR/conf/s1c-metrics-keys.conf",
"debug": false,
"dry_run": false
},
"unix": {
"format": "json",
"path": "/home/admin/mytest.sock",
"transport": "unixgram"
}
}

I have tried populating the file /var/log/otlp_certs/ca-bundle.crt with all certificates in the chain, but it seems to me that it doesn't get fully used by the Open Telemetry collector.

Vincent_Bacher
MVP Silver

Interesting JSON output.

On our side, using Prometheus remote write, it was easy going, so I would now prefer creating an SR for TAC support.

Better than waiting to see if anyone here has an idea for a solution.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite