Re: https ssl test
From: Jan-Henrik Haukeland
Subject: Re: https ssl test
Date: Thu, 30 May 2024 15:19:00 +0200

The error message "SSL server certificate verification error: unable to get
local issuer certificate" indicates that Monit is unable to verify the server's
certificate because it does not have access to necessary intermediate or root
certificates. Monit will try to read CA certificates etc. from '/etc/ssl'
(depending on the system and compile-time settings).

If you need to load certificates to form a chain from another path, see
https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and
CACERTIFICATEFILE or CACERTIFICATEPATH.

Best regards

> On 30 May 2024, at 09:17, Gerrit Kühn <gerrit.kuehn@aei.mpg.de> wrote:
>
> On Wed, 29 May 2024 18:54:56 +0200
> Jan-Henrik Haukeland <hauk@tildeslash.com> wrote:
>
>
>> You must also tell Monit to connect using the Fully Qualified Domain
>> Name (FQDN) as the address. Using ‘localhost’ or an IP-address here,
>> won’t do. When you enable ssl.verify it simply means that Monit will
>> check that the name of the host (given in address) is the same as the
>> SSL certificate's common name.
>
> Good point. I had intended to start with something "very simple" before
> moving over to create templated checks via orchestration tools, but this
> was obviously "too simple".
>
>> Ps. To see more debug output, start monit with the -Iv options.
>
> I have added the correct dns names now:
>
> ---
> check host nginx_conn with address removed-but-valid
> if failed port 443 protocol https and certificate valid > 30 days
> with ssl options { verify: enable }
> ---
>
>
> However, looking into the debug output, I still get
>
> ---
> Socket test failed for [10.xyz.abc.dec:443 -- SSL server certificate
> verification error: unable to get local issuer certificate 'nginx_conn'
> failed protocol test [HTTP] at [removed-but-valid]:443
> [TCP/IP TLS] -- SSL server certificate verification error: unable to get
> local issuer certificate
> ---
>
> Any ideas what I am still missing?
>
>
> cu
> Gerrit
>
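
The error discussed in this thread, reproduced offline with the openssl command line (an added example, not part of the original messages): a server certificate issued by an intermediate CA fails with the same "unable to get local issuer certificate" text when the verifier knows only the root, and verifies once intermediate and root are supplied together in one PEM bundle, the kind of file a CA file setting such as CACERTIFICATEFILE can point at. All names, subjects and paths are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every name, subject and file below is made up.

# issue DIR NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    if [ -n "$5" ]; then
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
            -CAcreateserial -days 2 -extfile "$4" -out "$1/$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
            -days 2 -extfile "$4" -out "$1/$2.pem" 2>/dev/null
    fi
}

# Root CA -> intermediate CA -> server certificate, all inside directory $1
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$1/leaf.ext"
    issue "$1" root "/CN=Demo Root CA" "$1/ca.ext" &&
    issue "$1" int "/CN=Demo Intermediate CA" "$1/ca.ext" root &&
    issue "$1" leaf "/CN=www.example.test" "$1/leaf.ext" int
}

# Verifier knows only the root and nobody supplies the intermediate:
# OpenSSL cannot find the leaf's issuer and reports error 20.
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Verifier is given a bundle holding intermediate + root: the chain completes.
verify_with_bundle() {
    cat "$1/int.pem" "$1/root.pem" > "$1/bundle.pem"
    openssl verify -CAfile "$1/bundle.pem" "$1/leaf.pem" 2>&1
}

dir=$(mktemp -d)
build_chain "$dir" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
verify_root_only "$dir" || echo "(root only: verification fails)"
verify_with_bundle "$dir" && echo "(bundle: verification succeeds)"
rm -rf "$dir"
```

Against a live server, the same failure appears when the server sends only its own certificate and the intermediate is absent from the client's CA store.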