monit-general

Re: Client certificates


From: Bryan Harris
Subject: Re: Client certificates
Date: Fri, 28 Apr 2017 12:46:48 -0400

Hi all,

I think I have taken my attempt about as far as my abilities allow me to go.  I've tried a few methods but I cannot get client certificate authentication to work.  Has anyone else been able to get this to work?  Is anyone using this feature on the current version of Monit?

Here's what I've tried for Monit versions:

* the version that comes with RHEL 6 EPEL on a RHEL 6 VM (which is v5.14)
* the version that comes with RHEL 7 EPEL on a RHEL 7 VM (also v5.14)
* 5.22.0 compiled using same EPEL SPEC file as above on a RHEL 7 VM
* 5.22.0 x86_64 pre-built binaries which I downloaded from mmonit.com website on RHEL 7 VM
* 5.22.0 built from slackbuilds on a Slackware 14.2 VM
* And somewhere I got 5.23.0 and built that --- maybe from the git repo.  My memory is fuzzy.  This was on Slackware also.

Here's my approach for the server & client certificate.  Actual commands used are below.

Note: everything is in PEM format for Monit config

* pemfile config option: points to combo of key + cert for server cert (self signed, no ca)
* clientpemfile config option: points to cert only of client cert (self signed, no ca)
* selfsigned config option: is set to allow

After above steps, I create the p12 file for the client cert and import it into my browser.

Note: one thing I have also tried (which I don't think is needed) is to also put the private key into the clientpemfile, similar to the way it is done for the pemfile.  I don't think that is needed, but I tried it and got the same results.

When I fire up the browser and point to my VM, I get the certificate dialog box.  When I choose the certificate I see these lines in the debug output of monit.

SSL: read error -- error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL client certificate verification error: error number 1

If I remove the clientpemfile option from the monit configuration and restart monit, then the SSL connection works fine (except that I have to type a user/password instead of using a client certificate).

Is this possibly a bug?

Here are the ways I'm generating certificates.  If this is incorrect --- what is the right way?

SERVER CERT
cd /etc/ssl
openssl req -x509 -newkey rsa:4096 -keyout private/monit.pem -out certs/monit.pem -days 365 -nodes
cat private/monit.pem certs/monit.pem > private/monit-combined.pem
-> And the pemfile option points to monit-combined.pem.

CLIENT CERT
openssl req -x509 -newkey rsa:4096 -keyout private/test.key -out certs/test.cer -days 365 -nodes
-> And the clientpemfile option points to test.cer

CONVERT FOR BROWSER
openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"
-> And the p12 file is imported into browser.




Any help is appreciated of course.

V/r,
Bryan



On Thu, Apr 27, 2017 at 6:55 PM, Bryan Harris <address@hidden> wrote:
Hi all,

I seem to have found a way to get the certificate to appear in the browser pop-up dialog box.  It only appears in the browser if I also put the CA into the PEM file that I feed to Monit.  Below is how I got it to display, and I will attach a capture (not sure if the mailing list accepts attachments).  Unfortunately, when I select the certificate and attempt to login it still fails with another error message.

cat test.cer ca.cer > monit.cer

Then in monitrc:

set httpd port 443
    with SSL {
        pemfile:       /etc/pki/tls/certs/server.cer
        clientpemfile: /etc/pki/tls/certs/monit.cer
        selfsigned:    allow
    }
    allow admin:monit

Here is the error.

SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Thanks for any help.

V/r,
Bryan

On Thu, Apr 27, 2017 at 4:15 PM, Bryan Harris <address@hidden> wrote:
Well, I gave it a try (building 5.22.0 from source) and still have a similar issue, but with a different error message (more descriptive now).  I attempted with a couple of different browsers.



Any ideas what I got wrong?

address@hidden rpmbuild]# monit -Iv
Adding credentials for user 'admin'
Runtime constants:
 Control file       = /etc/monitrc
 Log file           = /var/log/monit.log
 Pid file           = /run/monit.pid
 Id file            = /root/.monit.id
 State file         = /root/.monit.state
 Debug              = True
 Log                = True
 Use syslog         = False
 Is Daemon          = True
 Use process engine = True
 Limits             = {
                    =   programOutput:     512 B
                    =   sendExpectBuffer:  256 B
                    =   fileContentBuffer: 512 B
                    =   httpContentBuffer: 1024 kB
                    =   networkTimeout:    5 s
                    =   programTimeout:    5 m
                    =   stopTimeout:       30 s
                    =   startTimeout:      30 s
                    =   restartTimeout:    30 s
                    = }
 On reboot          = start
 Poll time          = 30 seconds with start delay 0 seconds
 Start monit httpd  = True
 httpd bind address = 192.168.80.130
 httpd portnumber   = 443
 httpd encryption   = selfsigned: allow, pemfile: /etc/pki/tls/certs/server.cer, clientpemfile: /etc/pki/tls/certs/test.cer
 httpd signature    = Enabled
 httpd auth. style  = Basic Authentication

The service list contains the following entries:

System Name           = right.laptop
 Monitoring mode      = active
 On reboot            = start
 Swap usage limit     = if greater than 25.0% then alert
 Memory usage limit   = if greater than 75.0% then alert
 CPU usage limit      = if greater than 95.0% for 10 cycles then alert
 Load avg. (5min)     = if greater than 2.0 then alert
 Load avg. (1min)     = if greater than 4.0 then alert

-------------------------------------------------------------------------------
pidfile '/run/monit.pid' does not exist
Starting Monit 5.22.0 daemon with http interface at [192.168.80.130]:443
Starting Monit HTTP server at [192.168.80.130]:443
Monit HTTP server started
'right.laptop' Monit 5.22.0 started
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 0.0%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.1]
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 22.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 25.6%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 15.8%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.5]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.8]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 3.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.6%]
'right.laptop' cpu usage check succeeded [current cpu usage = 5.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 7.7%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 7.2%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
^CShutting down Monit HTTP server
Monit HTTP server stopped
Monit daemon with pid [4010] stopped
'right.laptop' Monit 5.22.0 stopped



On Thu, Apr 27, 2017 at 2:52 PM, Bryan Harris <address@hidden> wrote:
Well I'm not sure if I did it right.  Here is what I did.

yumdownloader --source monit
cd /root/rpmbuild
yum groupinstall "Development Tools"
yum install openssl-devel pam-devel

Now I edit monit.spec to say 5.22.0 instead of the 5.14 version.  And I have to download the new source file because yumdownloader got the old one.

Then after that I could do an rpmbuild -ba monit.spec and the build succeeds in making a package.  I will have to test out the build, since right now I am just about to get off work and drive home.  Hopefully it will work fine.

I don't know if it's right or not.  I guess I shall see.

V/r,
Bryan

On Thu, Apr 27, 2017 at 2:38 PM, SZÉPE Viktor <address@hidden> wrote:
Hello Brian!

Try rebuilding monit:
http://pkgs.fedoraproject.org/cgit/rpms/monit.git/

Contact me if you need help.


All the best!
(contacts below)


Quoting Bryan Harris <address@hidden>:


I see.  Thanks for the help, I will give that a try first.  I do wish the
EPEL folks kept newer versions but they are sometimes behind on things.


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  address@hidden  skype: szepe.viktor
Budapest, III. kerület
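An added example for the procedure the top post lays out (server cert, client cert, browser bundle); it is not code from this thread or from the Monit project. Instead of two unrelated self-signed certificates it builds a small private CA that issues both, writes the two files that Monit's pemfile and clientpemfile options take, and runs openssl verify to show which client certificates such a clientpemfile can accept: a cert issued by that CA passes, a lone self-signed cert of the kind generated in the thread does not unless that very cert is the trust file. It assumes openssl 1.1.1 or newer on PATH; the directory, file names, CNs and the PKCS#12 export password are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the Monit project. Builds a private CA,
# a CA-signed server certificate and a CA-signed client certificate, laid out
# for Monit's "pemfile" / "clientpemfile" options, and checks with
# "openssl verify" whether the client certificate would chain to the trust
# file at all. Assumes openssl(1) >= 1.1.1; all names below are hypothetical.
set -eu

# make_mtls_pki DIR SERVER_CN
#   DIR/server-combined.pem  private key + server cert  -> pemfile:
#   DIR/clientca.pem         CA certificate only        -> clientpemfile:
#   DIR/client.p12           client identity for the browser (example password)
make_mtls_pki() {
    dir=$1; server_cn=$2
    mkdir -p "$dir"
    (
    cd "$dir"
    # One config for every openssl call, so the system openssl.cnf is not needed.
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server_cn
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    # 1. Root CA. Its DN is what the browser sees in the server's
    #    CertificateRequest, so only certificates it issued get offered.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 365 -subj "/CN=Monit Test CA" -keyout ca.key -out ca.pem 2>/dev/null
    # 2. Server identity: CSR signed by the CA, then key + cert concatenated.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$server_cn" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile pki.cnf -extensions v3_server -out server.pem 2>/dev/null
    cat server.key server.pem > server-combined.pem
    # 3. Client identity, signed by the same CA, bundled for browser import.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=monit-admin" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile pki.cnf -extensions v3_client -out client.pem 2>/dev/null
    openssl pkcs12 -export -in client.pem -inkey client.key -certfile ca.pem \
        -name monit-admin -passout pass:changeit -out client.p12 2>/dev/null
    # 4. Trust file for clientpemfile: the CA certificate only, never a key.
    cp ca.pem clientca.pem
    # -nodes leaves the keys unencrypted, so keep them readable by root only.
    chmod 600 ca.key server.key client.key server-combined.pem client.p12
    rm -f server.csr client.csr
    )
}

# verify_client CAFILE CERT: prints "ok" if CERT chains to a cert in CAFILE,
# "fail" otherwise. This is the same path validation the server performs
# against clientpemfile once the browser has actually sent a certificate.
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# lone_client DIR: a self-signed client cert with no CA, the way the thread's
# "openssl req -x509 ..." recipe makes one. Needs DIR/pki.cnf from make_mtls_pki.
lone_client() {
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=lone-client" -keyout "$1/lone.key" -out "$1/lone.pem" 2>/dev/null
}
```

Two checks worth running before blaming the daemon: "openssl s_client -connect HOST:443 </dev/null" prints the "Acceptable client certificate CA names" the server sent, and a browser only offers certificates whose issuer is in that list, which is why the certificate in the thread showed up in the dialog only after the CA was added to the PEM file; and "openssl s_client -connect HOST:443 -cert client.pem -key client.key -CAfile ca.pem" performs the mutual handshake without a browser, so a "peer did not return a certificate" error (client sent nothing) can be told apart from a verification error (server rejected what was sent).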
