New Relic requires HTTPS for all traffic to APM and the New Relic REST API. The Ruby agent connects to New Relic collector servers over SSL by default, and uses a system/host installed set of SSL certificate to validate the identity of the collector servers when connecting. In most cases, this default set of certificates is sufficient.
In certain configurations, you may need to use a custom CA bundle. For example, you may use an HTTP proxy to intercept and decrypt SSL traffic from the agent, which then establishes a separate SSL connection to New Relic. Custom CA bundles are available in versions 3.9.4 or higher of the Ruby agent.
Use a custom CA bundle
To configure the agent to use a custom CA bundle when validating the SSL certificate presented by a proxy, set the ca_bundle_path configuration setting in your newrelic.yml file or via the NEW_RELIC_CA_BUNDLE_PATH environment variable:
common: &default_settings ca_bundle_path: certificates/mycert.pem # ... other settings ...Specify a path to a .pem file containing each certificate you want the agent to use when validating the identity of the proxy or server. You can concatenate multiple certificates into a single .pem file.
- Relative path: If you specify a relative path, the agent will assign a path relative to the working directory of your app server process at runtime.
- Absolute path: If your working directory is
/rather than the root of your application, be sure to specify an absolute path.
Installing SSL Certificates
If you're deploying a Ruby application and agent to a container or server that does not have CA certificates installed, you need to ensure they're now installed for 7.0 or highter releases of the agent to make successful HTTPS connections to New Relic servers. These CA certificates may be installed in various ways, depending on your host. The following external links are helpful guidiance for testing the readiness of your host and installing CA certificates: