Hi
I haven't had time to dig into the code, but you are probably right.
Most are likely using a self-signed certificate and this is the reason
we haven't come across/heard about this problem before.
I'll look into this when I get my head above water; I'm well under
at the moment, so it will not be at the top of my list, especially since
this is a "minor" thing and does not prevent using SSL with Monit.
However, the nice thing about open source is that one can fix it
oneself [1]. Patches are always welcome :)
Jan-Henrik
[1] Though unfortunately it seldom happens
On 21 May 2008, at 14:17, Eric Marin wrote:
Hello,
No idea about this problem? I haven't found anything about it on this
list or on the web.
Maybe I wasn't clear in the description?
The servers aren't in production yet, so I could do some tests more
easily.
Thanks in advance!
Eric Marin wrote:
Hi,
I use Monit 4.8.1-2.1 on Debian Etch (i386) on two servers forming a
cluster: ldap-a.utc.fr and ldap-b.utc.fr.
I'd like to use SSL, so in /etc/monitrc I have:
----8<------------------------------------------------
(...)
set httpd port 2812 and
ssl enable
pemfile /etc/monit/key-cert-ca-ldap_cas.utc.fr.pem
(...)
------------------------------------------------>8----
The pem file contains (concatenated):
- the private key
- the certificate, which is a commercial certificate signed by
CyberTrust Educational CA. It is multivalued: it works for several
DNS names including ldap.utc.fr, ldap-a.utc.fr and ldap-b.utc.fr (the
CN is ldap.utc.fr, since it can only have one 'CN', but the RFC
states that it should be ignored when the certificate contains
alternative DNS entries).
- the rest of the certification chain: certificates from CyberTrust
Educational CA and GTE CyberTrust Global Root.
I use these certificates with Tomcat and Apache and have no problem
with them.
This works in Monit, except I get this warning message in Firefox
(translated from French):
"Web site certified by an unknown authority
Cannot verify the identity of ldap.utc.fr as a trusted site."
(etc.)
It seems Monit presents to the browser only the certificate for the
server, and ignores the CA and root certificates. Thus, the browser
does not see the whole certification chain and warns that it should
perhaps not be trusted. Indeed, by default, Firefox only knows about
GTE CyberTrust Global Root, but not CyberTrust Educational CA.
Since Apache presents the whole certification chain correctly, if I
first open an HTTPS page hosted by Apache on the server, Firefox will
put the certificate from GTE CyberTrust Global Root in its memory,
then I can open https://ldap-a.utc.fr:2812/ and Firefox does not
complain anymore.
So my question is: is this a bug (Monit ignores part of the
certification chain), or am I missing something here?
Thanks,
Eric
--
To unsubscribe:
http://lists.nongnu.org/mailman/listinfo/monit-general
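The diagnosis Eric describes (Monit sends only the server certificate, Apache sends the whole chain) can be confirmed without a browser. The script below is an added example, not code from Monit or from anyone in this thread: `chain_length` counts the certificates a server actually presented, read from `openssl s_client -showcerts` output, and `pem_summary` counts the keys and certificates in a concatenated pemfile so you can see whether the intermediates were in the bundle at all. The host:port, file paths and the sample s_client output and bundle are constructed for illustration; the certificate bodies are placeholders, not real certificates.

```shell
# Added diagnostic helpers (not part of Monit). Run `sh chaincheck.sh host:port`
# against a live server, or run it with no arguments to see the offline samples.

# Number of certificates a server sent, read from `openssl s_client -showcerts`
# output on stdin. s_client prints one PEM block per certificate presented, so a
# server that sends only its leaf yields 1; a leaf plus intermediate yields 2.
chain_length() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }'
}

# Summarise a concatenated pemfile: how many private keys and how many
# certificates it holds. A bundle of key + server cert + intermediate + root
# reports keys=1 certs=3; if it reports certs=1 the chain was never concatenated.
pem_summary() {
    awk '
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { keys++ }
        /^-----BEGIN CERTIFICATE-----$/            { certs++ }
        END { printf "keys=%d certs=%d\n", keys + 0, certs + 0 }
    ' "$1"
}

# Write a constructed pemfile in the layout described in the thread
# (key, server certificate, intermediate CA, root CA) with placeholder bodies.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
placeholder-private-key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder-server-certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-intermediate-ca
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-root-ca
-----END CERTIFICATE-----
EOF
}

# Live check: only runs when a host:port argument is given, e.g.
#   sh chaincheck.sh ldap-a.utc.fr:2812   (assumed host, from the thread)
if [ "$#" -gt 0 ]; then
    openssl s_client -connect "$1" -showcerts < /dev/null 2> /dev/null | chain_length
fi

# Constructed sample resembling the "Certificate chain" part of s_client output
# for a server that sends only its own certificate (placeholder body).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:/CN=ldap.utc.fr
   i:/CN=CyberTrust Educational CA
-----BEGIN CERTIFICATE-----
placeholder-server-certificate
-----END CERTIFICATE-----
---'

# Constructed sample for a server that also sends the intermediate CA.
SAMPLE_WITH_CHAIN="$SAMPLE_LEAF_ONLY
 1 s:/CN=CyberTrust Educational CA
   i:/CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
placeholder-intermediate-ca
-----END CERTIFICATE-----
---"

printf '%s\n' "$SAMPLE_LEAF_ONLY"  | chain_length   # 1
printf '%s\n' "$SAMPLE_WITH_CHAIN" | chain_length   # 2

SAMPLE_BUNDLE=$(mktemp)
make_sample_bundle "$SAMPLE_BUNDLE"
pem_summary "$SAMPLE_BUNDLE"                         # keys=1 certs=3
rm -f "$SAMPLE_BUNDLE"
```

Run `chain_length` against both the Apache port (443) and the Monit port (2812) on the same host: if Apache reports 2 or more while Monit reports 1 even though `pem_summary` shows the intermediates are in the pemfile, the server is loading only the first certificate from the bundle rather than the chain, which is exactly the behaviour that makes Firefox complain until it has cached the intermediate from elsewhere.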