Author: Christian Hopp
- Where to get OpenSSL
- How do I turn on SSL support in Monit?
- How do I get my client certificate into a browser?
- I have turned off client certification but Monit still complains
- But... but... OpenSSL had so many problems lately
- Generating a "pemfile"
- How do I learn more about OpenSSL
You can get the newest version of OpenSSL at: http://www.openssl.org In many cases your operating system already has a binary version of OpenSSL installed.
To start Monit's http server with SSL support, use the standard SET HTTPD statement and add the keywords SSL ENABLE and specify the location of the PEM encoded server certificate. This file should contain the server's private key and certificate (see also: Generating a "pemfile").
SET HTTPD PORT 2812 ADDRESS localhost SSL ENABLE PEMFILE /var/certs/monit.pem
Start Monit and connect to the Monit http server over SSL via this url: https://localhost:2812/
You may also utilize SSL to allow Monit to test a network connection to a SSL enabled server. To do so, simply replace the TCP token with the TCPSSL token. For instance, to check a web server running over SSL (https) you can use the following command:
check process https with pidfile /var/run/httpds.pid if failed port 443 type tcpSSL protocol http then alert
Port 443 is the standard HTTPS port.
You can also setup Monit to only allow clients with a certain certificate. In other words, if a browser wants to connect to Monit, the browser will need to present a certificate known by Monit. If it is not known, Monit will not accept the connection. The certificate obtained from the client (browser) is checked against certificates in a database file. This database file can be specified via the CLIENTPEMFILE statement. It might look like this:
SET HTTPD PORT 2812 SSL ENABLE PEMFILE /var/certs/monit.pem CLIENTPEMFILE /var/certs/monit-client.pem ALLOWSELFCERTIFICATION
The database file contains client certificates which are allowed to access the Monit httpd server.
A certificate may also be self-signed. Normally a self-signed certificate is not allowed, but you may explicit allow it by using the ALLOWSELFCERTIFICATION statement.
If you want to switch off SSL support for a while, you can replace the ENABLE keyword with DISABLE (without having to remove any other SSL statements in the Monit control file). Like so:
SET HTTPD PORT 2812 SSL DISABLE PEMFILE /var/certs/monit.pem
Finally, an overview of the HTTPD with SSL statement in Monit:
SET HTTPD [PORT portnumber] ADDRESS hostname [SSL [ENABLE | DISABLE] PEMFILE filename [CLIENTPEMFILE filename]] ALLOWSELFCERTIFICATION ALLOW [user:passwd|host] [ALLOW ...]
Here, the tricky part starts because we are dealing with a program other than Monit. (-:
First, it is not just the certificate, you also have to provide the private key of the certificate. This key SHOULD be different from the key used by the Monit's http server.
You will need a key with a "client" purpose (in OpenSSL it is "nsCertType=client") or a key with no explicit purpose. Otherwise your browser will not send the certificate.
Netscape and its relatives (like Galeon or Mozilla) likes certificates encoded in the PKCS12 format. If you have your client certificate file PEM encoded you will need to convert it to PKCS12.
So how do you convert a PEM encoded certificate to the PKCS12 format and import it into your browser? Simply use the OpenSSL tool to convert it:
openssl pkcs12 -export -in monit_client.pem \ -out monit_client.p12 \ -name "Monit"
Finally you must import the certificate into your browser. In Firefox you should use: Preferences->Advanced, select the Encryption tab and click on View Certificates. In the window that pops up, click on the Import button, then import the monit_client.p12 file.
If you turn of client certification in Monit and a client is sending a certificate then the Monit server may complain with an error like this:
[MET Nov 4 14:41:10] SSL VERIFY ERROR: depth=0, error= 'unable to get local issuer certificate': foo Subject [MET Nov 4 14:41:10] HTTPD connection denied! [MET Nov 4 14:41:10] Accept with SSL service has failed! [MET Nov 4 14:41:10] http server: Cannot establish SSL connection -- Error 0
This simply means that the client provided a cert but Monit wasn't able to verify it. You can solve this by:
- Configure your client not to send this certificate (e.g. delete it from the Browser).
- Turn on client certification and provide the certificate plus all necessary CA certificates to Monit in X.509 format (as pemfile).
First of all, you can of course disable all SSL support in Monit and run Monit without SSL if you are in doubt. If you want to build Monit without any SSL support, just run configure with
If Monit was already compiled with SSL support you don't need to use it if you don't want to. Simply use
SET HTTPD PORT 2812
SET HTTPD PORT 2812 SSL ENABLE PEMFILE <FILE>
And remember, for security related software it is always wise to keep it up to date. You should also keep an eye on advisories from cert (CA) and other sources.
First generate an OpenSSL configuration (or if you have one use it). It might look for example like this:
# create RSA certs - Server RANDFILE = ./openssl.rnd [ req ] default_bits = 1024 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type [ req_dn ] countryName = Country Name (2 letter code) countryName_default = NO stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Oslo localityName = Locality Name (eg, city) localityName_default = Oslo organizationName = Organization Name (eg, company) organizationName_default = Tildeslash Ltd. organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Services commonName = Common Name (FQDN of your server) commonName_default = server.tildeslash.com emailAddress = Email Address emailAddress_default = email@example.com [ cert_type ] nsCertType = server
In order to generate the actual pemfile just run these commands:
# Generates the private key and the certificate /usr/bin/openssl req -new -x509 -days 365 -nodes \ -config ./monit.cnf -out /var/certs/monit.pem \ -keyout /var/certs/monit.pem # Generates the Diffie-Hellman Parameters /usr/bin/openssl gendh 512 >> /var/certs/monit.pem # Prints out the certificate information /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem
See documentation at OpenSSL.org: