
Re: [monit] SSL - Monit ignores part of the certification chain ?


From: Eric Marin
Subject: Re: [monit] SSL - Monit ignores part of the certification chain ?
Date: Wed, 21 May 2008 14:17:55 +0200
User-agent: Thunderbird 2.0.0.14 (X11/20080502)

Hello,

No idea about this problem? I haven't found anything about it on this list or on the web.
Maybe I wasn't clear in the description?
The servers aren't in production yet, so I could do some tests more easily.

Thanks in advance!

Eric Marin wrote:
Hi,

I use Monit 4.8.1-2.1 on Debian Etch (i386) on two servers forming a cluster: ldap-a.utc.fr and ldap-b.utc.fr.

I'd like to use SSL, so in /etc/monitrc I have:
----8<------------------------------------------------
(...)
set httpd port 2812 and
    ssl enable
    pemfile /etc/monit/key-cert-ca-ldap_cas.utc.fr.pem
(...)
------------------------------------------------>8----

The pem file contains (concatenated):
- the private key
- the certificate, which is a commercial certificate signed by CyberTrust Educational CA. It is multivalued: it works for several DNS names including ldap.utc.fr, ldap-a.utc.fr and ldap-b.utc.fr (the CN is ldap.utc.fr, since it can only have one 'CN', but the RFC states that it should be ignored when the certificate contains alternative DNS entries).
- the rest of the certification chain: certificates from CyberTrust Educational CA and GTE CyberTrust Global Root.

I use these certificates with Tomcat and Apache and have no problem with them.

This works in Monit, except I get this warning message in Firefox (translated from French):
"Web site certified by an unknown authority
Cannot verify the identity of ldap.utc.fr as a trusted site."
(etc.)

It seems Monit presents to the browser only the certificate for the server, and ignores the CA and root certificates. Thus, the browser does not see the whole certification chain and warns that it may not be trustworthy. Indeed, by default, Firefox only knows about GTE CyberTrust Global Root, but not CyberTrust Educational CA.

Since Apache presents the whole certification chain correctly, if I first open an HTTPS page hosted by Apache on the server, Firefox will put the certificate from GTE CyberTrust Global Root in its memory, then I can open https://ldap-a.utc.fr:2812/ and Firefox does not complain anymore.

So my question is: is this a bug (Monit ignores part of the certification chain), or am I missing something here?

Thanks,
Eric
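As an added diagnostic (not part of this thread or of Monit itself), the following POSIX shell script counts the certificates concatenated into a pemfile and compares that number with the chain that `openssl s_client -showcerts` shows the server actually sending, so a missing intermediate shows up as a mismatch; the host names, port and file path are placeholders taken from the message.

```shell
#!/bin/sh
# Added example: compare the certificates in a Monit-style pemfile with the
# chain a TLS server really presents. Assumes the openssl CLI and POSIX awk/grep.

# Parse `openssl s_client -showcerts` output on stdin and print one line per
# certificate the server sent: "<index> <subject> | <issuer>".
# openssl prints " N s:<subject>" and "   i:<issuer>" before each PEM block;
# parsing stops at the "Server certificate" section that follows the chain.
chain_summary() {
    awk '
        /^Server certificate/ { exit }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        issuer = $0 }
        /-----BEGIN CERTIFICATE-----/ { n++; printf "%d %s | %s\n", n, subj, issuer }
    '
}

# Number of certificates in an s_client transcript read from stdin.
chain_depth() {
    chain_summary | wc -l | tr -d ' '
}

# Number of certificates concatenated into a local PEM bundle (the pemfile).
# The private key in Monit's pemfile is deliberately not counted.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verdict: does the server send every certificate the bundle contains?
# Arguments: pemfile, number of certificates the server sent (from chain_depth).
chain_verdict() {
    expected=$(pem_cert_count "$1")
    if [ "$2" -ge "$expected" ]; then
        echo "complete: server sent $2 certificate(s), bundle has $expected"
    else
        echo "incomplete: server sent $2 of $expected certificate(s)"
    fi
}

# Live check against a host, e.g. `show_server_chain ldap-a.utc.fr 2812` for
# Monit and port 443 for Apache: line 1 is the server's own certificate and
# the following lines are the chain it supplies (placeholders, not real hosts).
show_server_chain() {
    host=$1; port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
        | chain_summary
}
```

Running `show_server_chain` against both the Monit port and the Apache port on the same host makes the difference in the presented chain visible directly, and `chain_verdict /etc/monit/key-cert-ca-ldap_cas.utc.fr.pem "$(printf '' | openssl s_client -connect ldap-a.utc.fr:2812 -showcerts 2>/dev/null | chain_depth)"` turns it into a single pass/fail line.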

