Author: Christian Hopp

1. Where to get OpenSSL

You can get the newest version of OpenSSL at: http://www.openssl.org In many cases your operating system already has a binary version of OpenSSL installed.

2. How do I turn on SSL support in Monit

To start Monit's http server with SSL support, use the standard SET HTTPD statement and add the keywords SSL ENABLE and specify the location of the PEM encoded server certificate. This file should contain the server's private key and certificate (see also: Generating a "pemfile").

  SET HTTPD PORT 2812 ADDRESS localhost
      SSL ENABLE
      PEMFILE  /var/certs/monit.pem

Start Monit and connect to the Monit http server over SSL via this url: https://localhost:2812/

You may also utilize SSL to allow Monit to test a network connection to a SSL enabled server. To do so, simply replace the TCP token with the TCPSSL token. For instance, to check a web server running over SSL (https) you can use the following command:

  check process https with pidfile /var/run/httpds.pid
        if failed port 443 
           type tcpSSL protocol http 
        then alert

Port 443 is the standard HTTPS port.

You can also setup Monit to only allow clients with a certain certificate. In other words, if a browser wants to connect to Monit, the browser will need to present a certificate known by Monit. If it is not known, Monit will not accept the connection. The certificate obtained from the client (browser) is checked against certificates in a database file. This database file can be specified via the CLIENTPEMFILE statement. It might look like this:

  SET HTTPD PORT 2812
      SSL ENABLE 
      PEMFILE  /var/certs/monit.pem
      CLIENTPEMFILE  /var/certs/monit-client.pem
      ALLOWSELFCERTIFICATION

The database file contains client certificates which are allowed to access the Monit httpd server.

A certificate may also be self-signed. Normally a self-signed certificate is not allowed, but you may explicit allow it by using the ALLOWSELFCERTIFICATION statement.

If you want to switch off SSL support for a while, you can replace the ENABLE keyword with DISABLE (without having to remove any other SSL statements in the Monit control file). Like so:

  SET HTTPD PORT 2812
      SSL DISABLE
      PEMFILE  /var/certs/monit.pem

Finally, an overview of the HTTPD with SSL statement in Monit:

  SET HTTPD [PORT portnumber] ADDRESS hostname
      [SSL [ENABLE | DISABLE]
      PEMFILE filename
      [CLIENTPEMFILE  filename]]
      ALLOWSELFCERTIFICATION
      ALLOW [user:passwd|host]
      [ALLOW ...]

3. How do I get my client certificate into a browser

Here, the tricky part starts because we are dealing with a program other than Monit. (-:

First, it is not just the certificate, you also have to provide the private key of the certificate. This key SHOULD be different from the key used by the Monit's http server.

You will need a key with a "client" purpose (in OpenSSL it is "nsCertType=client") or a key with no explicit purpose. Otherwise your browser will not send the certificate.

Netscape and its relatives (like Galeon or Mozilla) likes certificates encoded in the PKCS12 format. If you have your client certificate file PEM encoded you will need to convert it to PKCS12.

So how do you convert a PEM encoded certificate to the PKCS12 format and import it into your browser? Simply use the OpenSSL tool to convert it:

openssl pkcs12 -export -in monit_client.pem \
        -out monit_client.p12 \
        -name "Monit" 

Finally you must import the certificate into your browser. In Firefox you should use: Preferences->Advanced, select the Encryption tab and click on View Certificates. In the window that pops up, click on the Import button, then import the monit_client.p12 file.

4. I have turned off client certification but Monit still complains

If you turn of client certification in Monit and a client is sending a certificate then the Monit server may complain with an error like this:

 [MET Nov  4 14:41:10] SSL VERIFY ERROR: depth=0, error=[20] 'unable to get local issuer certificate': foo Subject
 [MET Nov  4 14:41:10] HTTPD connection denied!
 [MET Nov  4 14:41:10] Accept with SSL service has failed!
 [MET Nov  4 14:41:10] http server: Cannot establish SSL connection -- Error 0

This simply means that the client provided a cert but Monit wasn't able to verify it. You can solve this by:

  1. Configure your client not to send this certificate (e.g. delete it from the Browser).
  2. Turn on client certification and provide the certificate plus all necessary CA certificates to Monit in X.509 format (as pemfile).

5. But... but... OpenSSL had so many problems lately

First of all, you can of course disable all SSL support in Monit and run Monit without SSL if you are in doubt. If you want to build Monit without any SSL support, just run configure with

  ./configure --without-SSL

If Monit was already compiled with SSL support you don't need to use it if you don't want to. Simply use

  SET HTTPD PORT 2812

instead of

  SET HTTPD PORT 2812
      SSL ENABLE
      PEMFILE <FILE>

And remember, for security related software it is always wise to keep it up to date. You should also keep an eye on advisories from cert (CA) and other sources.

6. Generating a "pemfile"

First generate an OpenSSL configuration (or if you have one use it). It might look for example like this:

  # create RSA certs - Server

  RANDFILE = ./openssl.rnd

  [ req ]
  default_bits = 1024
  encrypt_key = yes
  distinguished_name = req_dn
  x509_extensions = cert_type

  [ req_dn ]
  countryName = Country Name (2 letter code)
  countryName_default = NO

  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = Oslo

  localityName                    = Locality Name (eg, city)
  localityName_default            = Oslo

  organizationName                = Organization Name (eg, company)
  organizationName_default        = Tildeslash Ltd.

  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default  = Services

  commonName                      = Common Name (FQDN of your server)
  commonName_default              = server.tildeslash.com

  emailAddress                    = Email Address
  emailAddress_default            = mmonit@tildeslash.com

  [ cert_type ]
  nsCertType = server

In order to generate the actual pemfile just run these commands:

  # Generates the private key and the certificate
  /usr/bin/openssl req -new -x509 -days 365 -nodes \
    -config ./monit.cnf -out /var/certs/monit.pem \
    -keyout /var/certs/monit.pem

  # Generates the  Diffie-Hellman Parameters
  /usr/bin/openssl gendh 512 >> /var/certs/monit.pem

  # Prints out the certificate information
  /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem

7. How can I learn more about OpenSSL?

See documentation at OpenSSL.org:

Page last modified on July 10, 2013, at 08:19 AM CEST

Copyright © 2014 Tildeslash Ltd. All Rights Reserved.