diff --git a/newrelic-agent/src/main/java/com/newrelic/agent/transport/apache/ApacheSSLManager.java b/newrelic-agent/src/main/java/com/newrelic/agent/transport/apache/ApacheSSLManager.java
index 16c1b8beaa..7df219a74b 100644
--- a/newrelic-agent/src/main/java/com/newrelic/agent/transport/apache/ApacheSSLManager.java
+++ b/newrelic-agent/src/main/java/com/newrelic/agent/transport/apache/ApacheSSLManager.java
@@ -7,6 +7,7 @@ package com.newrelic.agent.transport.apache;
+import com.google.common.collect.ImmutableList;
 import com.newrelic.agent.Agent;
 import org.apache.http.ssl.SSLContextBuilder;
@@ -31,8 +32,9 @@ import java.util.logging.Level;
 public class ApacheSSLManager {
- private static final String NEW_RELIC_CERT = "META-INF/newrelic-com.pem";
-
+ private static final String NEW_RELIC_CERTS_PATH = "META-INF/certs/";
+ private static final Collection NEW_RELIC_CERTS = ImmutableList.of("newrelic-com.pem",
+ "eu-newrelic-com.pem", "eu01-nr-data-net.pem");
 public static SSLContext createSSLContext(String caBundlePath) {
 SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
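Review bot: `NEW_RELIC_CERTS` carries no comment explaining what the listed files are or how they are maintained, even though each entry is later installed with `keystore.setCertificateEntry(alias, cert)` and handed to `loadTrustMaterial`, i.e. it becomes a trust anchor for the agent's TLS context. The PEM files added later in this commit look like server certificates with a fixed validity period rather than CA roots, so each one has to be refreshed in a release before it expires or the endpoint rotates its certificate. I would add a comment above the list such as `// Server certificates bundled as trust anchors; refresh each file before its notAfter date (see logIfExpiringSoon).` The declaration also reads as a raw `Collection` on this page; if the type argument is really missing in the file it should be `Collection<String>`. The class body continues outside this hunk.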
@@ -49,30 +51,36 @@ public static SSLContext createSSLContext(String caBundlePath) {
 }
 }
- private static void addNewRelicCertToTrustStore(SSLContextBuilder sslContextBuilder)
- throws KeyStoreException, CertificateException, NoSuchAlgorithmException {
- KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
- URL nrCertUrl = ApacheSSLManager.class.getClassLoader().getResource(NEW_RELIC_CERT);
- if (nrCertUrl != null) {
- try (InputStream is = nrCertUrl.openStream()) {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
- boolean sslCertIsValid = isSslCertValid(cert);
- if (sslCertIsValid) {
- logIfExpiringSoon(cert.getNotAfter());
- // Initialize keystore and add valid New Relic certificate
- keystore.load(null, null);
- keystore.setCertificateEntry("newrelic", cert);
- Agent.LOG.log(Level.FINEST, "Installed New Relic ssl certificate at alias: newrelic. ");
- Agent.LOG.log(Level.FINEST, "SSL Certificate expires on: {0}", cert.getNotAfter());
+ private static void addNewRelicCertToTrustStore(SSLContextBuilder sslContextBuilder) {
+ // Initialize keystore and add valid New Relic certificates
+ try {
+ KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+ keystore.load(null, null);
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ for (String file : NEW_RELIC_CERTS) {
+ URL nrCertUrl = ApacheSSLManager.class.getClassLoader().getResource(NEW_RELIC_CERTS_PATH + file);
+ if (nrCertUrl != null) {
+ try (InputStream is = nrCertUrl.openStream()) {
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
+ boolean sslCertIsValid = isSslCertValid(cert);
+ if (sslCertIsValid) {
+ logIfExpiringSoon(cert.getNotAfter());
+ String alias = file.split("\\.pem")[0];
+ keystore.setCertificateEntry(alias, cert);
+ Agent.LOG.log(Level.FINEST, "Installed New Relic ssl certificate at alias: " + alias);
+ Agent.LOG.log(Level.FINEST, "SSL Certificate expires on: {0}", cert.getNotAfter());
+ }
+ } catch (IOException e) {
+ Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", e);
+ }
+ } else {
+ Agent.LOG.log(Level.INFO, "Unable to find bundled New Relic ssl certificates.");
 }
- } catch (IOException e) {
- Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", e);
 }
- } else {
- Agent.LOG.log(Level.INFO, "Unable to find bundled New Relic ssl certificate.");
+ sslContextBuilder.loadTrustMaterial(keystore, null);
+ } catch (IOException | CertificateException | NoSuchAlgorithmException | KeyStoreException e) {
+ Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", e);
 }
- sslContextBuilder.loadTrustMaterial(keystore, null);
 }
 private static void logIfExpiringSoon(Date expiry) {
diff --git a/newrelic-agent/src/main/resources/META-INF/certs/eu-newrelic-com.pem b/newrelic-agent/src/main/resources/META-INF/certs/eu-newrelic-com.pem
new file mode 100644
index 0000000000..f35bf08082
--- /dev/null
+++ b/newrelic-agent/src/main/resources/META-INF/certs/eu-newrelic-com.pem
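Review bot: A `CertificateException` thrown by `cf.generateCertificate(is)` inside the loop of `addNewRelicCertToTrustStore` is not covered by the inner `catch (IOException e)`, so it reaches the outer catch, which abandons the remaining files and skips `sslContextBuilder.loadTrustMaterial(keystore, null)` entirely; one unparsable bundled PEM therefore discards the certificates that were already installed. Widening the inner handler to `catch (IOException | CertificateException e)` and including `file` in its log message would keep the failure local to that file. Separately, when no bundled certificate passes `isSslCertValid`, `loadTrustMaterial` is still called with an empty keystore; what the resulting context trusts is not visible in this hunk, so a guard such as `if (keystore.size() > 0)` with a WARNING-level log in the other branch would make the outcome explicit. Since the method no longer declares checked exceptions, these trust-store failures now surface only as INFO log lines, which seems low for a condition that changes which servers the agent will accept.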
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIHLTCCBhWgAwIBAgIQAbm2WL12atsmJFQ7SjYkfDANBgkqhkiG9w0BAQsFADBN +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E +aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwODE5MDAwMDAwWhcN +MjIxMTIyMDAwMDAwWjBwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p +YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEYMBYGA1UEChMPTmV3IFJlbGljLCBJ +bmMuMRowGAYDVQQDDBEqLmV1Lm5ld3JlbGljLmNvbTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMZXnx2CbaFxMmYV2T2IQJPDB6DkRsRsN05oQU0i4oQi +6FBc/UMSZ0CFjX8/5s3yb5a/b4W9ZrwjKMSfiF7LraIZ29RFvCrOetZkpyQT6FWq +DTPW3EYl/D+n73jutScsf2qsPcwnMQnq2XeX8/3kkfS5LdeKjYA4Tf1iQuP98dgP +dSKZpJe+taFNGJMFg2LjtO5z4hGY/6dFLjzjWIf87RWbzoaotZFRrOt+tdrG3G67 +bbaVGKAZnD9QMyy0l0mp1YIGFmoADmzyweVlkyL/lu1AV878Vw1p1txDbh3FbNql +mYmXhOMMrdPgvR8D8XpJfbTDnuEpdAfwuJGgHY4cVkUCAwEAAaOCA+QwggPgMB8G +A1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQxQ+aRxwSg +OQj3564dwJiw4WHXpjAtBgNVHREEJjAkghEqLmV1Lm5ld3JlbGljLmNvbYIPZXUu +bmV3cmVsaWMuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD +AQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNl +cnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2lj +ZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEB +MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYG +Z4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Au +ZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2Vy +dC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQC +MAAwggH3BgorBgEEAdZ5AgQCBIIB5wSCAeMB4QB3ACl5vvCeOTkh8FZzn2Old+W+ +V32cYAr4+U1dJlwlXceEAAABdAfCybMAAAQDAEgwRgIhALGcb8jP7a7R1mSpAZWX +QkiGLor/QxqwNdqFr3hIjRUVAiEA2kBrYq9eUFPTwS02WAkbWvlgSrbvzYLr2Wxh +P7wPHAkAdgBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAXQHwsla +AAAEAwBHMEUCIGhkFbGd5QtNUNvj1M150dDCeH1hxbbFJmCIPhfc2YgxAiEAqEXL +idwpIWMHg8jwIlh6wMBgD3uVVb7R3+6tOkTJb94AdQBGpVXrdfqRIDC1oolp9PN9 +ESxBdL79SbiFq/L8cP5tRwAAAXQHwsoOAAAEAwBGMEQCIFjseSIg1NKi2enOjxDI 
+mzi3gVQh8uv2KQa5LeErXNjDAiBp7CE17PwYc3zQA3qWMcbC/GgR0k9F3EFqVPNz +pccWzwB3AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABdAfCy3oA +AAQDAEgwRgIhAP7IC3qsW75WOMBPJ9Rg3Kuf/70DFq4sZkyVynW0pb4OAiEAmBoP +bRCpBIrWdqrChFaGow9hok/GR3ZhJ+YaTohragowDQYJKoZIhvcNAQELBQADggEB +ABYfSelCt9reHKchYmPro3NdrxCCQ5YFcnFYS3FiBTIm9bD4oTL7X7F2ZKQk1gjj +A2U1382FOGFvNb6B//iP2QPZ2dnqdI6QaWD3YUX/JuIxxqPdJZXfZJAHOxzLri8g +OhHDneyCmlH7fRtCErUc43Sqdx0wSQVgcT4rEPnDx66bg2kKb7Yz8SmnpNnDO8Yn +D21m/On0+WOvQeNWqZiEJZRwvYQofKGFuWDgneK5KWAcW2DYu7f3ORUK8YF9BjA0 +vSO4Fd184eeVquJeWRfvtoTzD1m4yqMW0QxuiTcnkDcA0J4kE4qTkYy3H9rXn0nI +EKGikOyOmtaLWus3AA3jKoo= +-----END CERTIFICATE----- diff --git a/newrelic-agent/src/main/resources/META-INF/certs/eu01-nr-data-net.pem b/newrelic-agent/src/main/resources/META-INF/certs/eu01-nr-data-net.pem new file mode 100644 index 0000000000..4c268c78ec --- /dev/null +++ b/newrelic-agent/src/main/resources/META-INF/certs/eu01-nr-data-net.pem 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGtzCCBZ+gAwIBAgIQCBflwGdmH3qAeNydtCm8ZDANBgkqhkiG9w0BAQsFADBN +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E +aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMjA0MDAwMDAwWhcN +MjIwMjA4MTIwMDAwWjBxMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p +YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEYMBYGA1UEChMPTmV3IFJlbGljLCBJ +bmMuMRswGQYDVQQDDBIqLmV1MDEubnItZGF0YS5uZXQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDWQq63H7zKI5sQ0LJIMOjHzCQ5R96PFe75mtF/uN/Q +El5ao5IZcispqxLRRNZNivyW9n6w+oGWcuhQWOnLHkNuU1O4bK1HPHXNZMjgX4ss +ZJpalCVx74U+uC3ta4ywNHgiPlwwGBXn9ow+wfi8OAlN/jG0RW+s/6wRRHhBNpWt +d9y8uKH8LPUKmct0JNMKHb3pigUY9piJf1xExR8FpmdbCtOgP/319lmcfHje8TMB +cJ9Kl/BnWu6QGustndZ4gkx0Kl4T1VzAl2Pzzzs/OR69rgax4FIWeYXpiAHNSSxB +AEsO152NZvEU/4bVG7rCfXLokkP+m4C+mH7sfWPVNVlXAgMBAAGjggNtMIIDaTAf +BgNVHSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQULbvrib1J +0IoiGqhwMimtNiEzjC4wLwYDVR0RBCgwJoISKi5ldTAxLm5yLWRhdGEubmV0ghBl +dTAxLm5yLWRhdGEubmV0MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGln +aWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRp +Z2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9 +bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw +CAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29j +c3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdp +Y2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB +/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB3AO5Lvbd1zmC64UJpH6vh +nmajD35fsHLYgwDEe4l6qP3LAAABcBHGnuIAAAQDAEgwRgIhAKCkr4VpbYxrrdyn +vq5cX9oGpr0q3xqBk2mFhOwUffcVAiEAv/yHaJj+YSGij3mv5KDk5ojyC13okxIl +rvtEo63YYL0AdQBRo7D1/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAAAXAR +xp8QAAAEAwBGMEQCIG0nWPBfAoXDmCy64liAYaDS0dvWPeCyhUr3KB77pa9VAiBW +6G8Jpqjl8/PAkPXkM6ebHkSsaR/qDiy+8cf7BRRtbQB2AEHIyrHfIkZKEMahOglC +h15OMYsbA+vrS8do8JBilgb2AAABcBHGnlcAAAQDAEcwRQIhANuXCyiTRLmT1gJi 
+vs2Ycy49Dg8LK5/yjJDEdvLh1MEVAiAbxb0p/oo4lXvQPnRG9MlbCm71qvLQbgwl +Tzyx6G/GBzANBgkqhkiG9w0BAQsFAAOCAQEAEy0GufbczPZukMkcRrYV/SYEwnMg +KT5YgTWZFNwF05xRzL/ulC26ptU6xvqv6nCMsl887mn2CaHG3biA6zTMc2kwIV/G +rbNTWYAcrZRJG8t5EY57PCAsOPGDlUT1nwW4SrGaj4zwuktMhprniYAkwOdiRhdT +4mRAUoInma5BCzYyqjkk+yHTGETVk6mMcI0UzUDfZkFNSv48H6AbIKtKjMa31Wzp +x1Rn7uRrErIgkvZNQ+FjIPHy/IWhWvslC4yXYDM90pKmw+E7OwOQIpYIYzSqf4mS +K71Fy4eq+qre35KveASXlie75iJDsdmUyhljy4VohwqzrFg6o1Z8miCj1A== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/newrelic-agent/src/main/resources/META-INF/newrelic-com.pem b/newrelic-agent/src/main/resources/META-INF/certs/newrelic-com.pem similarity index 100% rename from newrelic-agent/src/main/resources/META-INF/newrelic-com.pem rename to newrelic-agent/src/main/resources/META-INF/certs/newrelic-com.pem