Hi,
I use Monit 4.8.1-2.1 on Debian Etch (i386) on two servers forming a
cluster: ldap-a.utc.fr and ldap-b.utc.fr.
I'd like to use SSL, so in /etc/monitrc I have:
----8<------------------------------------------------
(...)
set httpd port 2812 and
ssl enable
pemfile /etc/monit/key-cert-ca-ldap_cas.utc.fr.pem
(...)
------------------------------------------------>8----
The pem file contains (concatenated):
- the private key
- the certificate, which is a commercial certificate signed by CyberTrust
  Educational CA. It is multivalued: it works for several DNS names
  including ldap.utc.fr, ldap-a.utc.fr and ldap-b.utc.fr (the CN is
  ldap.utc.fr, since it can only have one 'CN', but the RFC states that it
  should be ignored when the certificate contains alternative DNS entries).
- the rest of the certification chain: certificates from CyberTrust
  Educational CA and GTE CyberTrust Global Root.
I use these certificates with Tomcat and Apache and have no problem with
them.
This works in Monit, except I get this warning message in Firefox
(translated from French):
"Web site certified by an unknown authority
Cannot verify the identity of ldap.utc.fr as a trusted site."
(etc.)
It seems Monit presents to the browser only the certificate for the
server, and ignores the CA and root certificates. Thus, the browser does
not see the whole certification chain and warns that it may not
be trusted. Indeed, by default, Firefox only knows about GTE CyberTrust
Global Root, but not CyberTrust Educational CA.
Since Apache presents the whole certification chain correctly, if I
first open an HTTPS page hosted by Apache on the server, Firefox will
put the certificate from GTE CyberTrust Global Root in its memory, then
I can open https://ldap-a.utc.fr:2812/ and Firefox does not complain
anymore.
So my question is: is this a bug (Monit ignores part of the
certification chain), or am I missing something here?
Thanks,
Eric
--
To unsubscribe:
http://lists.nongnu.org/mailman/listinfo/monit-general
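An added example, not Eric's files or configuration and not code from the Monit project: a shell script that uses the openssl command-line tool to build a throwaway root -> intermediate -> leaf chain with constructed names, then shows with `openssl verify` the situation described in the post, namely that a verifier trusting only the root (as Firefox trusts GTE CyberTrust Global Root) rejects the server certificate on its own and accepts it once the intermediate is supplied alongside it, and that the hostname check is made against the subjectAltName list rather than the CN. Every name and file in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's files: build a throwaway root -> intermediate -> leaf
# chain and show why a verifier that trusts only the root needs the intermediate delivered
# by the server. Requires the openssl command-line tool. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # Root CA: self-signed (constructed name, stands in for a root the browser already trusts)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    # Intermediate CA: CSR signed by the root, with CA extensions
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Educational CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
    # Leaf: the CN carries one name, subjectAltName lists every name it is valid for
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:ldap.example.test,DNS:ldap-a.example.test\n' > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
    # A bundle in the layout the post describes: key, server certificate, then the rest of the chain
    cat "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
}

# Number of certificates in a PEM bundle (the private key block does not count)
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Trust store holds only the root: the leaf by itself cannot be chained to it
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate is supplied as an untrusted extra certificate,
# which is what a server that sends its full chain gives the browser
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Hostname check: matched against the SAN list; the CN is ignored once a SAN is present
hostname_ok() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain
echo "certificates in bundle: $(count_certs "$WORK/bundle.pem")"
if verify_leaf_alone; then echo "leaf alone: OK"; else echo "leaf alone: rejected (intermediate missing)"; fi
if verify_with_chain; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: rejected"; fi
for h in ldap.example.test ldap-a.example.test ldap-b.example.test; do
    if hostname_ok "$h"; then echo "$h: name matches SAN"; else echo "$h: name not in SAN"; fi
done
```

The same question about a running server, which certificates it actually sends, is answered by `openssl s_client -connect ldap-a.utc.fr:2812 -showcerts`: it prints every certificate received in the handshake, so a server that delivers its full chain shows the intermediate there and not only the server certificate.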