[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [monit] SSL - Monit ignores part of the certification chain ?

From: Jan-Henrik Haukeland
Subject: Re: [monit] SSL - Monit ignores part of the certification chain ?
Date: Wed, 21 May 2008 14:50:38 +0200


I haven't had time to dig into the code, but your are probably right. Most, are likely using a self signed certificate and this is the reason we haven't come across/heard about this problem before.

I'll look into this when I get my head above the water, I'm well under at the moment so it will not be at the top of my list, especially since this is a "minor" thing and does not prevent using SSL with Monit. However, the nice thing about open source is that one can fix it oneself[1] Patches are always welcome :)


[1] Though unfortunately it seldom happens

On 21. mai. 2008, at 14.17, Eric Marin wrote:


no idea about this problem ? I haven't found anything about it on this list or on the web.
Maybe I wasn't clear in the description ?
The servers aren't in production yet, so I could do some tests more easily.

Thanks in advance !

Eric Marin a écrit :
I use Monit 4.8.1-2.1 on Debian Etch (i386) on two servers forming a cluster : and
I'd like to use SSL, so in /etc/monitrc I have :
set httpd port 2812 and
   ssl enable
   pemfile /etc/monit/
The pem file contains (concatenated) :
-the private key
-the certificate, which is a commercial certificate signed by CyberTrust Educational CA. It is multivalued : it works for several DNS names including, and (the CN is, since it can only have one 'CN', but the RFC states that it should be ignored when the certificate contains alternative DNS entries). -the rest of the certification chain : certificates from CyberTrust Educational CA and GTE CyberTrust Global Root. I use these certificates with Tomcat and Apache and have no problem with them. This works in Monit, except I get this warning message in Firefox (translated from french) :
"Web site certified by an unknown authority
Cannot verify the identity of as a trusted site."
It seems Monit presents to the browser only the certificate for the server, and ignores the CA and root certificates. Thus, the browser does not see the whole certification chain and warns that it may should not be trusted. Indeed, by default, Firefox only knows about GTE CyberTrust Global Root, but not CyberTrust Educational CA. Since Apache presents the whole certification chain correctly, if I first open an HTTPS page hosted by Apache on the server, Firefox will put the certificate from GTE CyberTrust Global Root in its memory, then I can open and Firefox does not complain anymore. So my question is : is this a bug (Monit ignores part of the certification chain), or am I missing something here ?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]