Custom SSL certificates (Ruby)

New Relic requires HTTPS for all traffic to New Relic APM and the New Relic REST API. The Ruby agent connects to New Relic collector servers over SSL by default, and ships with a default set of SSL root certificates that it uses to validate the identity of New Relic collector servers when connecting. In most cases, this default set of certificates is sufficient.

In certain configurations, you may need to use a custom CA bundle. For example, you may use an HTTP proxy to intercept and decrypt SSL traffic from the agent, which then establishes a separate SSL connection to New Relic. Custom CA bundles are available in versions 3.9.4 or higher of the Ruby agent.

Use a custom CA bundle

To configure the agent to use a custom CA bundle when validating the SSL certificate presented by a proxy, set the ca_bundle_path configuration setting in your newrelic.yml file or via the NEW_RELIC_CA_BUNDLE_PATH environment variable:

common: &default_settings
  ca_bundle_path: certificates/mycert.pem
  # ... other settings ...

Specify a path to a .pem file containing each certificate you want the agent to use when validating the identity of the proxy or server. You can concatenate multiple certificates into a single .pem file. (For an example, see the default pem file.)

  • Relative path: If you specify a relative path, the agent will assign a path relative to the working directory of your app server process at runtime.
  • Absolute path: If your working directory is / rather than the root of your application, be sure to specify an absolute path.

For more help

Join the discussion about Ruby in the New Relic Online Technical Community! The Technical Community is a public platform to discuss and troubleshoot your New Relic toolset.

If you need additional help, get support at