New Relic requires HTTPS for all traffic to APM and the New Relic REST API. The Ruby agent connects to New Relic collector servers over SSL by default. Usually, this default is enough.
Installing SSL Certificates
If you deploy a Ruby application and agent to a container or server without CA certificates installed, you must install them yourself to make HTTPS connections to New Relic servers. Version 7.0 of the agent introduced this change. You can install these CA certificates in various ways, depending on your host. The following external links offer guidance on testing the readiness of your host and installing CA certificates:
- Troubleshooting SSL Certificate Errors
- Automated SSL Check
- Installing CA Certificates
- How to handle Certificates in Docker
Use a custom CA bundle
In certain configurations, you may need to use a custom CA bundle. For example, you may use an HTTP proxy to intercept and decrypt SSL traffic from the agent, which then establishes a separate SSL connection to New Relic.
To configure the agent to use a custom CA bundle when validating the SSL certificate presented by a proxy, set the ca_bundle_path configuration setting in your newrelic.yml file or via the NEW_RELIC_CA_BUNDLE_PATH environment variable:
common: &default_settings
  ca_bundle_path: certificates/mycert.pem
  # ... other settings ...
Specify a path to a .pem file containing each certificate you want the agent to use when validating the identity of the proxy or server. You can concatenate multiple certificates into a single .pem file.
- Relative path: If you specify a relative path, the agent resolves it relative to the working directory of your app server process at runtime.
- Absolute path: If your working directory is / rather than the root of your application, be sure to specify an absolute path.
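The following Ruby script is an added example, not part of the agent or of New Relic's own code. It models how a relative ca_bundle_path depends on the working directory and checks that a concatenated .pem bundle parses, reporting each certificate's subject, CA flag and expiry. The function names and the self-signed certificates it generates are assumptions made for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# Model of the rule above: a relative path is resolved against the process
# working directory (base_dir). Returns one summary per certificate in the bundle.
def inspect_ca_bundle(path, base_dir = Dir.pwd, now = Time.now)
  resolved = File.expand_path(path, base_dir)
  raise ArgumentError, "CA bundle not found: #{resolved}" unless File.file?(resolved)
  pems = File.read(resolved).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  raise ArgumentError, "no certificates in #{resolved}" if pems.empty?
  certs = pems.map do |pem|
    cert = OpenSSL::X509::Certificate.new(pem)
    bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
    { subject: cert.subject.to_s, not_after: cert.not_after,
      ca: !bc.nil? && bc.value.include?('CA:TRUE'),
      expired: cert.not_after < now }
  end
  { path: resolved, certs: certs }
end

# Constructed sample input: a throwaway self-signed CA generated locally.
def constructed_ca_pem(common_name, lifetime_seconds)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 7200
  cert.not_after = Time.now + lifetime_seconds
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Writes a two-certificate bundle under a temporary app root and inspects it.
def demo
  Dir.mktmpdir do |app_root|
    Dir.mkdir(File.join(app_root, 'certificates'))
    bundle = constructed_ca_pem('Constructed Proxy CA', 86_400) +
             constructed_ca_pem('Constructed Expired CA', -3600)
    File.write(File.join(app_root, 'certificates', 'mycert.pem'), bundle)
    inspect_ca_bundle('certificates/mycert.pem', app_root)
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Calling inspect_ca_bundle with the same relative path but a different base_dir raises ArgumentError, which is the failure you hit when the app server's working directory is not the application root.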