On 30 May 2024, at 16:35, Gerrit Kühn <gerrit.kuehn@aei.mpg.de> wrote:
On Thu, 30 May 2024 15:19:00 +0200, Jan-Henrik Haukeland <hauk@tildeslash.com> wrote:

The error message "SSL server certificate verification error: unable to get local issuer certificate" indicates that Monit is unable to verify the server's certificate because it does not have access to the necessary intermediate or root certificates. Monit will try to read CA certificates etc. from '/etc/ssl' (depending on the system and compile-time settings).
If you need to load certificates to form a chain from another path, see https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and CACERTIFICATEFILE or CACERTIFICATEPATH.
Yes, I already tried that, but the error message does not go away. My server certificate is under /usr/local/etc/ssl on FreeBSD, but even adding the full path to monit didn't help. OTOH, I can access the nginx pages via https with my browser just fine, so there should be no intermediate certificates missing, I think?
Your browser has its own store of intermediate and root certificates. Monit doesn't use that, of course, but the system's certificate store. It does, however, indicate that your nginx server certificate is fine and that your FreeBSD system's certificate directory at '/usr/local/etc/ssl' might have some problems. OpenSSL has particular requirements for this directory and its layout. It is often set up by running the 'c_rehash' tool etc.
I find that it's often easier not to bother with the directory and just use CACERTIFICATEFILE and point it to a .pem file containing all your intermediate and root certificates. On FreeBSD I believe this file is '/usr/local/etc/ssl/cert.pem'.
Hopefully you will have better success with that configuration. If not, you need to debug this on your own.
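The directory-versus-bundle difference discussed in this thread, shown as an added example that is not part of the mailing-list exchange or of Monit itself. It builds a throwaway root -> intermediate -> server PKI, then runs `openssl verify` against a root-only file, a bundle file, an un-hashed directory and a hashed directory, which is the same lookup OpenSSL performs behind Monit's CACERTIFICATEFILE and CACERTIFICATEPATH. It assumes the openssl command-line tool (1.1.0 or newer, for `-no-CAfile`/`-no-CApath`) is on PATH; the certificates are generated locally and the host name www.example.test is made up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reproduces, with a
# constructed throwaway PKI, the two ways OpenSSL (and therefore Monit's
# CACERTIFICATEFILE / CACERTIFICATEPATH) locates issuer certificates, and
# shows which set-ups yield "unable to get local issuer certificate".
# Assumes the openssl CLI (1.1.0+) is on PATH; nothing touches the network.
set -eu

# Create a private key and CSR for a constructed identity: $1 = file prefix, $2 = CN.
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Build root -> intermediate -> server leaf in the current directory.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

    mkcsr root "Constructed Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.pem >/dev/null 2>&1

    mkcsr inter "Constructed Intermediate CA"
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1

    mkcsr server "www.example.test"
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out server.pem >/dev/null 2>&1

    # The kind of file the reply recommends: every intermediate plus the root, in one .pem.
    cat inter.pem root.pem > bundle.pem
}

# Emulate c_rehash / `openssl rehash`: in a CApath directory OpenSSL opens the
# file named <subject_hash>.<n> for the issuer it needs; it never scans the dir.
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem; do
        subj_hash=$(openssl x509 -noout -subject_hash -in "$cert")
        n=0
        while [ -e "$dir/$subj_hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$subj_hash.$n"
    done
}

# Verify server.pem using only the trust source given in $@, isolated from the
# system store; prints ok or fail instead of aborting under set -e.
verify_leaf() {
    if openssl verify -no-CAfile -no-CApath "$@" server.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Exercise the four configurations and print a one-line summary.
check_lookup_modes() {
    work=$(mktemp -d)
    ( cd "$work" && build_pki
      mkdir unhashed hashed
      cp inter.pem root.pem unhashed/   # right certs, wrong file names
      cp inter.pem root.pem hashed/
      rehash_dir hashed                 # same certs, plus <hash>.0 links
      printf 'rootonly-file:%s bundle-file:%s unhashed-dir:%s hashed-dir:%s\n' \
          "$(verify_leaf -CAfile root.pem)" \
          "$(verify_leaf -CAfile bundle.pem)" \
          "$(verify_leaf -CApath unhashed)" \
          "$(verify_leaf -CApath hashed)" )
    rm -rf "$work"
}

check_lookup_modes
# → rootonly-file:fail bundle-file:ok unhashed-dir:fail hashed-dir:ok
```

The un-hashed directory fails with exactly the error from the thread even though the correct certificates are sitting in it, because OpenSSL looks for `<subject_hash>.0` rather than reading every file; `c_rehash` or `openssl rehash` creates those links, which is what `rehash_dir` does by hand. The root-only file fails for the other reason the thread mentions, a missing intermediate. For Monit, the bundle-file run corresponds to `cacertificatefile` inside the `with ssl options { ... }` clause of the https check (syntax per the documentation linked above), pointing at a .pem that holds every intermediate plus the root.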