Author: Christian Hopp and the Monit team
- Basic configuration
- Generating a self-signed server certificate for testing
- Client-certificate based authentication
Basic configuration
To enable SSL in Monit's HTTP GUI, add the SSL option to the SET HTTPD statement and specify the location of the PEM encoded server certificate using the PEMFILE option:
SET HTTPD PORT 2812 WITH SSL { PEMFILE: /etc/ssl/certs/monit.pem } ALLOW myuser:mypassword
The PEMFILE should contain the server's private key and certificate. See Generating a self-signed certificate for testing if you don't have a CA signed certificate yet.
Start Monit and connect to the Monit HTTP GUI with SSL via this url:
https://localhost:2812/
Generating a self-signed server certificate for testing
You can use a self-signed server certificate for testing.
Warning: Using a self-signed certificate in production is not recommended, as in that case the client cannot verify that it is talking to the correct server (vulnerable to man-in-the-middle attacks and DNS hijacking).
Prepare an OpenSSL configuration file.
Example:
# create RSA certs - Server
RANDFILE = ./openssl.rnd

[ req ]
default_bits = 2048
default_md = sha256
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = NO
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Oslo
localityName = Locality Name (eg, city)
localityName_default = Oslo
organizationName = Organization Name (eg, company)
organizationName_default = Tildeslash Ltd.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Services
commonName = Common Name (FQDN of your server)
commonName_default = server.tildeslash.com
emailAddress = Email Address
emailAddress_default = mmonit@tildeslash.com

[ cert_type ]
nsCertType = server
Run these commands to generate the PEM file:
# Generates the private key and the certificate
openssl req -new -x509 -days 365 -nodes \
    -config ./monit.cnf -out /etc/ssl/certs/monit.pem \
    -keyout /etc/ssl/certs/monit.pem

# Generates the Diffie-Hellman Parameters
openssl dhparam -2 2048 >> /etc/ssl/certs/monit.pem

# Set mode
chmod 600 /etc/ssl/certs/monit.pem

# Prints out the certificate information
openssl x509 -text -noout -in /etc/ssl/certs/monit.pem
Important: The Monit CLI works on a client-server basis and uses the Monit HTTP GUI to collect status from the Monit daemon and pass commands like start/stop to it. As self-signed certificates are rejected by default for security reasons, the CLI won't work unless you explicitly allow it by using the SELFSIGNED: ALLOW option:
SET HTTPD PORT 2812 WITH SSL { PEMFILE: /etc/ssl/certs/monit.pem SELFSIGNED: ALLOW }
Client-certificate based authentication
Monit configuration (server)
Monit access control supports a client-certificate based authentication option in addition to traditional credentials and IP based ACL.
With client-certificate authentication enabled, if a browser wants to connect to Monit, the browser has to present a certificate known to Monit. If it is not known, Monit will refuse the connection.
The certificate sent by the client (browser) is checked against a PEM encoded database file, which contains a list of allowed client certificates plus all necessary CA certificates.
To enable the client-certificate based authentication, specify a path to the certificates database using the CLIENTPEMFILE option:
SET HTTPD PORT 2812 WITH SSL { PEMFILE: /etc/ssl/certs/monit.pem CLIENTPEMFILE: /etc/ssl/certs/monit-client.pem }
Self-signed client certificates note: By default, a self-signed client certificate is rejected for security reasons, but you may explicitly allow it by using the SELFSIGNED: ALLOW option.
Importing a client certificate into a browser (client)
In addition to the certificate, you also have to provide the private key. This key SHOULD be different from the key used by Monit's HTTP server.
You will need a certificate with a "client" purpose (in OpenSSL this is the "nsCertType=client" extension) or a certificate with no explicit purpose. Otherwise your browser will not send the certificate.
Firefox requires certificates encoded in the PKCS12 format. If you have your client certificate file PEM encoded you will need to convert it to PKCS12.
You can use OpenSSL to convert a PEM encoded certificate to the PKCS12 format:
openssl pkcs12 -export -in monit_client.pem \
    -out monit_client.p12 \
    -name "Monit"
Finally you must import the certificate into your browser. In Firefox you should use: Preferences->Advanced, select the Certificates tab and click on View Certificates. In the window that pops up, click on the Import button, then import the monit_client.p12 file.
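The client-certificate steps above only show the PKCS12 conversion; the following script, added here as an example and not part of the Monit documentation, also generates the self-signed client key and certificate with the "client" purpose the browser requires, checks the resulting PEM file before it is used as CLIENTPEMFILE, and then converts it for Firefox. File names and the empty export password are constructed for the example; a self-signed client certificate still needs SELFSIGNED: ALLOW on the Monit side.

```shell
#!/bin/sh
# Added example: build a Monit client certificate and its PKCS12 bundle.
set -eu

# Minimal OpenSSL request config marking the certificate as a TLS client
# certificate (nsCertType=client), so browsers will offer it to the server.
write_client_cnf() {
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
CN = monit-client
[ cert_type ]
nsCertType = client
EOF
}

# Generate a self-signed client key and certificate using config $1 and
# concatenate them into the single PEM file $2 (key first, then certificate).
make_client_pem() {
  openssl req -new -x509 -days 365 -nodes -config "$1" \
    -keyout "$2.key" -out "$2.crt"
  cat "$2.key" "$2.crt" > "$2"
  rm -f "$2.key" "$2.crt"
  chmod 600 "$2"              # the file holds a private key
}

# Sanity check before handing a PEM file to Monit: a private key and a
# certificate must both be present, and nobody but the owner may read it.
check_pemfile() {
  grep -q 'PRIVATE KEY-----' "$1" || return 1
  grep -q 'BEGIN CERTIFICATE-----' "$1" || return 1
  [ -n "$(find "$1" -perm 600)" ] || return 1
}

# Convert the PEM bundle to PKCS12 for Firefox (empty export password is a
# constructed choice for the example; use a real one for a real import).
make_p12() {
  openssl pkcs12 -export -in "$1" -out "$2" -name "Monit" -passout pass:
}
```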