monit-general

Client certificates


From: Bryan Harris
Subject: Client certificates
Date: Thu, 27 Apr 2017 14:04:48 -0400

Hi folks,

I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and running into an issue with client certificate authentication.

I've tried two methods to set up client certificates and each way I get the error message in the monit log.  The browser never asked me to select a certificate.

SSL: client didn't send a client certificate

In my first attempt, I exported one of my CAC certificates (it does not allow exporting the key, just the certificate).  It comes in DER format, so I converted to PEM and gave that file to monit.  I also used the ALLOWSELFCERTIFICATION option.

OpenSSL commands:

cd /etc/pki/tls/certs
openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem

Monit config like so:

set httpd port 443 and
    use address 192.168.80.130  # only accept connection from localhost
    ssl enable
    pemfile /etc/pki/tls/certs/server.cer
    clientpemfile /etc/pki/tls/certs/mycert.cer
    allowselfcertification
    allow admin:monit

The browser did not ask me to supply a certificate and monit gave the error.

SSL: client didn't send a client certificate

In the next situation I generated my own CA and used it to sign a certificate.  That caused the same result: the browser never asked for a cert, and monit gave the error above.

OpenSSL commands:

cd /etc/pki/tls
openssl genrsa -out private/ca.key 4096
openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key -set_serial 01 -out certs/test.cer

Convert to p12 so I can import into Opera/Firefox/Chrome:

openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"

Monit config like so:

set httpd port 443 and
    use address 192.168.80.130  # only accept connection from localhost
    ssl enable
    pemfile /etc/pki/tls/certs/server.cer
    clientpemfile /etc/pki/tls/certs/test.cer
    allowselfcertification
    allow admin:monit

Anytime I try to connect (I have tried a few browsers) I only get the error message in the logs.  But the browser never lets me choose any cert I want to send.  It seems as if Monit is not asking for a cert in the first place.

Does anybody have any ideas why this might happen?

Any help is appreciated.

V/r,
Bryan
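The post above hands monit a single certificate file and a browser a PKCS#12 bundle. As an added example (not from the original post, not monit's code), the script below reproduces that preparation end to end with openssl, non-interactively, and adds the two checks a practitioner would run before blaming the daemon: that the client certificate actually chains to the CA that is supposed to vouch for it, and that it carries the clientAuth extended key usage browsers look at when deciding which identities to offer. It assumes only the `openssl` command line tool; the directory, subject names, serial numbers and the PKCS#12 password are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway CA, a server
# certificate and a client certificate, exports the client identity as PKCS#12
# for browser import, round-trips the client certificate through DER (the CAC
# case in the post), and provides checks on the result. Requires only openssl.
set -e

make_mtls_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        # 1. Private CA, self-signed. Its key stays on the signing host and is
        #    never part of any file handed to a daemon or a browser.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -key ca.key -out ca.cer \
            -subj "/CN=Example Monit Client CA" 2>/dev/null
        # 2. Server certificate signed by the CA (serverAuth EKU, SAN for the host).
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr \
            -subj "/CN=monit.example.test" 2>/dev/null
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:monit.example.test\n' \
            > server.ext
        openssl x509 -req -days 365 -in server.csr -CA ca.cer -CAkey ca.key \
            -set_serial 01 -extfile server.ext -out server.cer 2>/dev/null
        # 3. Client certificate; clientAuth EKU marks it usable for client auth.
        openssl genrsa -out test.key 2048 2>/dev/null
        openssl req -new -key test.key -out test.csr -subj "/CN=test" 2>/dev/null
        printf 'extendedKeyUsage = clientAuth\n' > client.ext
        openssl x509 -req -days 365 -in test.csr -CA ca.cer -CAkey ca.key \
            -set_serial 02 -extfile client.ext -out test.cer 2>/dev/null
        # 4. PKCS#12 bundle for Firefox/Chrome import. Password is constructed
        #    for the example; pass it on the command line only in a lab.
        openssl pkcs12 -export -in test.cer -inkey test.key -out test.p12 \
            -name test -passout pass:example-only 2>/dev/null
        # 5. DER -> PEM round trip, the same conversion used for the CAC export.
        openssl x509 -in test.cer -outform der -out test.der 2>/dev/null
        openssl x509 -in test.der -inform der -out test-from-der.cer 2>/dev/null
    )
}

# Does the client certificate validate against the CA it is supposed to chain to?
verify_client_cert() {
    openssl verify -CAfile "$1/ca.cer" "$1/test.cer" >/dev/null 2>&1
}

# Does the client certificate carry the clientAuth extended key usage?
has_client_auth_eku() {
    openssl x509 -in "$1/test.cer" -noout -text 2>/dev/null \
        | grep -q "TLS Web Client Authentication"
}

# A PEM file meant for a daemon's trust configuration should hold certificates
# only; flag any private key material that slipped in.
pem_has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# Number of certificates in a PEM file.
pem_cert_count() {
    grep -c "BEGIN CERTIFICATE" "$1"
}

# Compare two certificate files by SHA-256 fingerprint (DER/PEM agnostic).
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: make_mtls_pki /tmp/mtls-lab && verify_client_cert /tmp/mtls-lab
```

Running `make_mtls_pki` followed by `verify_client_cert` and `has_client_auth_eku` answers, before any browser is involved, whether the certificate you intend to present is one a verifier configured with `ca.cer` would accept and one a browser would consider for client authentication. `pem_has_private_key` is the check for the opposite mistake: a file that was supposed to carry only public certificates but also contains a key.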
