Re: https ssl test


From: Jan-Henrik Haukeland
Subject: Re: https ssl test
Date: Thu, 30 May 2024 16:05:57 +0200

Ps. If your ‘nginx_conn’ certificate is a self-signed certificate, I believe 
you need to create your own CA and use it to sign the certificate. Check the 
internet for guides or get a free certificate from Let’s Encrypt, 
https://letsencrypt.org/

> On 30 May 2024, at 15:19, Jan-Henrik Haukeland <hauk@tildeslash.com> wrote:
> 
> The error message "SSL server certificate verification error: unable to get 
> local issuer certificate" indicates that Monit is unable to verify the 
> server's certificate because it does not have access to the necessary 
> intermediate or root certificates. Monit will try to read CA certificates etc. 
> from '/etc/ssl' (depending on the system and compile-time settings). 
> 
> If you need to load certificates to form a chain from another path, see 
> https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and 
> CACERTIFICATEFILE or CACERTIFICATEPATH.
> 
> Best regards 
> 
>> On 30 May 2024, at 09:17, Gerrit Kühn <gerrit.kuehn@aei.mpg.de> wrote:
>> 
>> Am Wed, 29 May 2024 18:54:56 +0200
>> schrieb Jan-Henrik Haukeland <hauk@tildeslash.com>:
>> 
>> 
>>> You must also tell Monit to connect using the Fully Qualified Domain
>>> Name (FQDN) as the address. Using ‘localhost’ or an IP address here
>>> won’t do. When you enable ssl.verify it simply means that Monit will
>>> check that the name of the host (given in address) is the same as the
>>> SSL certificate's common name.
>> 
>> Good point. I had intended to start with something "very simple" before
>> moving over to create templated checks via orchestration tools, but this
>> was obviously "too simple".
>> 
>>> Ps. To see more debug output, start monit with the -Iv options.
>> 
>> I have added the correct DNS names now:
>> 
>> ---
>> check host nginx_conn with address removed-but-valid
>> if failed port 443 protocol https and certificate valid > 30 days
>>   with ssl options { verify: enable }
>> ---
>> 
>> 
>> However, looking into the debug output, I still get
>> 
>> ---
>> Socket test failed for [10.xyz.abc.dec:443 -- SSL server certificate
>> verification error: unable to get local issuer certificate 'nginx_conn'
>> failed protocol test [HTTP] at [removed-but-valid]:443
>> [TCP/IP TLS] -- SSL server certificate verification error: unable to get
>> local issuer certificate
>> ---
>> 
>> Any ideas what I am still missing?
>> 
>> 
>> cu
>> Gerrit

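The two requirements discussed in the thread (a CA that Monit can load, and an address equal to the certificate's name) can be reproduced locally with openssl. This is an added, constructed example, not code from the thread or from Monit: it builds a throwaway private CA, signs a server certificate for an assumed FQDN, shows the "unable to get local issuer certificate" failure when no CA file is given, and then prints the corrected check stanza (option spelling taken from the Monit SSL-OPTIONS documentation linked above; the `then alert` action and the FQDN are assumptions).

```shell
#!/bin/sh
# Constructed demo, not from the thread: build a private CA, sign a server
# certificate for the FQDN Monit should connect to, reproduce the thread's
# verification error with openssl, then verify the way Monit should.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
FQDN="nginx.example.org"   # assumed name; must equal 'address' in the check

make_chain() {
  # Private CA: self-signed and explicitly marked CA:TRUE so verifiers trust it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  # Server certificate issued by that CA, with the FQDN as CN and SAN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Monit with no CA configured: only the system trust store is consulted, so a
# private CA is an unknown issuer. This is the error quoted in the thread.
verify_without_ca() { openssl verify "$WORK/server.pem" 2>&1 || true; }

# Monit with cacertificatefile set and verify: enable; $1 plays the 'address'.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" 2>&1 || true
}

# Corrected stanza: CA file added to the ssl options and the FQDN as address
# (option names per the Monit SSL-OPTIONS docs; 'then alert' is assumed).
monit_stanza() {
  cat <<EOF
check host nginx_conn with address $FQDN
  if failed port 443 protocol https and certificate valid > 30 days
     with ssl options { verify: enable, cacertificatefile: $WORK/ca.pem }
  then alert
EOF
}

make_chain
verify_without_ca          # unable to get local issuer certificate
verify_with_ca localhost   # fails: the name does not match the certificate
verify_with_ca "$FQDN"     # .../server.pem: OK
monit_stanza
```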