Hi folks,
I am using the Monit package from RHEL 7 (monit-5.14-1.el7.x86_64) and am running into an issue with client certificate authentication.
I've tried two methods to set up client certificates, and each way I get the error message below in the Monit log. The browser never asked me to select a certificate.
SSL: client didn't send a client certificate
In my first attempt, I exported one of my CAC certificates (it does not allow exporting the key, just the certificate). It comes in DER format, so I converted it to PEM and gave that file to Monit. I also used the ALLOWSELFCERTIFICATION option.
OpenSSL commands:
cd /etc/pki/tls/certs
openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem
Monit config like so:
set httpd port 443 and
use address 192.168.80.130 # only listen on this address
ssl enable
pemfile /etc/pki/tls/certs/server.cer
clientpemfile /etc/pki/tls/certs/mycert.cer
allowselfcertification
allow admin:monit
The browser did not ask me to supply a certificate, and Monit gave the error.
SSL: client didn't send a client certificate
In the next attempt I generated my own CA and used it to sign a certificate. That gave the same result: the browser never asked for a cert, and Monit logged the error above.
OpenSSL commands:
cd /etc/pki/tls
openssl genrsa -out private/ca.key 4096
openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
# client key and CSR (this step is not shown in the original post; it is assumed to have been run before the signing command below)
openssl genrsa -out private/test.key 4096
openssl req -new -key private/test.key -out misc/test.csr
# sign the client CSR with the private CA
openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key -set_serial 01 -out certs/test.cer
Convert to p12 so I can import it into Opera/Firefox/Chrome:
openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"
Monit config like so:
set httpd port 443 and
use address 192.168.80.130 # only listen on this address
ssl enable
pemfile /etc/pki/tls/certs/server.cer
clientpemfile /etc/pki/tls/certs/test.cer
allowselfcertification
allow admin:monit
Any time I try to connect (I have tried a few browsers) I only get the error message in the logs, and the browser never lets me choose a cert to send. It seems as if Monit is not asking for a cert in the first place.
Does anybody have any ideas why this might happen?
Any help is appreciated.
V/r,
Bryan
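Added example, not from the original post and not Monit project code: a shell script that rebuilds the private-CA and client-certificate procedure from the post non-interactively in a temporary directory, then runs the two checks worth doing before looking any further at the server configuration. Check 1 verifies the client certificate offline against a candidate trust file, the way a server given that file would; check 2 asks a live server whether it sends a CertificateRequest at all, which is what makes a browser prompt for a certificate. The subject names, file names and PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Monit project): rebuild the
# CA -> client-cert chain non-interactively, then run the two checks to do
# before suspecting the server config.  Names, subjects and the PKCS#12
# password below are assumptions.
set -eu

WORK="$(mktemp -d)"                      # throwaway working directory
CA_SUBJ="/CN=Example Client CA"          # assumed subject names
CLIENT_SUBJ="/CN=test"
P12_PASS="changeit"                      # assumed export password

# Private CA: key plus self-signed certificate.  The client certificate
# chains to this ca.cer, so this is the file a verifier needs as its anchor.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "$CA_SUBJ" \
    -out "$WORK/ca.cer" 2>/dev/null
}

# Client key, CSR and CA-signed certificate (the steps the post runs by hand).
make_client() {
  openssl genrsa -out "$WORK/test.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/test.key" -subj "$CLIENT_SUBJ" \
    -out "$WORK/test.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/test.csr" -CA "$WORK/ca.cer" \
    -CAkey "$WORK/ca.key" -set_serial 01 -out "$WORK/test.cer" 2>/dev/null
}

# A second, unrelated CA, used only to show what a wrong trust anchor looks like.
make_other_ca() {
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/other.key" -subj "/CN=Other CA" \
    -out "$WORK/other.cer" 2>/dev/null
}

# Check 1: does the client certificate verify against a given trust file?
# $1 = candidate trust anchor file.  Prints OK or FAIL.
verify_client_against() {
  if openssl verify -CAfile "$1" "$WORK/test.cer" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Bundle key + cert as PKCS#12 for browser import, then re-read the bundle to
# confirm the password and MAC are right.  Prints OK on success.
make_p12() {
  openssl pkcs12 -export -in "$WORK/test.cer" -inkey "$WORK/test.key" \
    -name test -passout "pass:$P12_PASS" -out "$WORK/test.p12" 2>/dev/null
  openssl pkcs12 -in "$WORK/test.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null \
    && echo OK
}

# Check 2 (live; needs a reachable server, so the test below does not run it):
# a server that wants a client certificate sends a CertificateRequest during
# the handshake, which s_client reports as "Acceptable client certificate CA
# names".  If the output instead says "No client certificate CA names sent",
# the server never asked, and no browser will prompt whatever is installed on
# the client side.  $1 = host:port, e.g. 192.168.80.130:443.  Prints yes or no.
server_requests_client_cert() {
  if openssl s_client -connect "$1" </dev/null 2>/dev/null \
       | grep -q 'Acceptable client certificate CA names'; then
    echo yes
  else
    echo no
  fi
}
```

Run make_ca, make_client and make_other_ca, then verify_client_against "$WORK/ca.cer" prints OK while verify_client_against "$WORK/other.cer" prints FAIL: the verifier needs the issuing CA as its anchor, and a mismatch between what the browser presents and what the server trusts shows up here, offline, before any browser is involved. server_requests_client_cert against the Monit address and port then separates the two failure modes in the post: a server that never sends a CertificateRequest (no prompt, and the "client didn't send a client certificate" log line) from one that does but rejects what it gets.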