monit-general

Re: https ssl test


From: Jan-Henrik Haukeland
Subject: Re: https ssl test
Date: Thu, 30 May 2024 17:57:15 +0200

That’s a good idea. ssllabs.com is amazing! It might be useful to rule out any 
certificate issue for the nginx server that Monit/OpenSSL might not like. 
openssl s_client can also be helpful with that, e.g. 'openssl s_client -connect 
example.com:443 -showcerts'

In this case though it’s more likely a problem with the CA bundle on the 
FreeBSD system. Either it's a misconfiguration somewhere or the bundle is 
missing updated certificates. 

In the latter case, an alternative is to get the CA bundle from 
https://curl.se/ca/cacert.pem which is regularly updated and contains a 
collection of CA certificates converted from the Mozilla CA certificate store. 
This Monit config should do the trick:

ssl options {
        cacertificatefile : /path/to/cacert.pem
}

Anyway, that’s it from me.


> On 30 May 2024, at 17:23, Michael Thomas <wart@caltech.edu> wrote:
> 
> You might try putting your host into the HTTPS evaluator on ssllabs.com to 
> see if it reports any issues with the cert chain being offered by the web 
> server.  I've found this to be a very useful tool when debugging ssl issues 
> on web servers.
> 
> --Mike
> 
> On 5/30/24 09:35, Gerrit Kühn wrote:
>> On Thu, 30 May 2024 15:19:00 +0200
>> Jan-Henrik Haukeland <hauk@tildeslash.com> wrote:
>>> The error message "SSL server certificate verification error: unable to
>>> get local issuer certificate" indicates that Monit is unable to verify
>>> the server's certificate because it does not have access to necessary
>>> intermediate or root certificates. Monit will try to read CA
>>> certificates etc from '/etc/ssl' (depending on the system and
>>> compile-time settings).
>>> 
>>> If you need to load certificates to form a chain from another path see
>>> https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and
>>> CACERTIFICATEFILE or CACERTIFICATEPATH
>> Yes, I already tried that, but the error message does not go away. My
>> server certificate is under /usr/local/etc/ssl on FreeBSD, but even adding
>> the full path to monit didn't help. OTOH, I can access the nginx pages via
>> https with my browser just fine, so there should be no intermediate
>> certificates missing, I think?
>> cu
>>   Gerrit
> 
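The chain-building failure discussed in this thread, as an added shell example (not from the list or from Monit): it builds a throwaway root, intermediate and leaf with the openssl CLI, reproduces "unable to get local issuer certificate" when only the root is in the trust bundle, and shows the same leaf verifying once the intermediate is in the bundle. It assumes openssl is on PATH; all certificate names and files are constructed here.

```shell
#!/bin/sh
# Added demo (not from the thread): reproduce "unable to get local issuer
# certificate" with a throwaway root -> intermediate -> leaf chain, then show
# the same leaf verifying once the intermediate is present in the CA bundle.
# Assumes the openssl CLI is on PATH; all names and files are constructed here.
set -e
DEMO_DIR=$(mktemp -d)
cd "$DEMO_DIR"

# Extensions shared by both CA certificates (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Throwaway self-signed root CA.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem -days 3650 >/dev/null 2>&1
# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out int.pem -days 1825 >/dev/null 2>&1
# Server (leaf) certificate, signed by the intermediate only.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 365 >/dev/null 2>&1

# verify_leaf BUNDLE: return 0 if leaf.pem chains to a root using only what
# BUNDLE contains (no network, no browser-style issuer fetching), else 1.
# openssl's message is kept in VERIFY_OUT for inspection.
verify_leaf() {
  VERIFY_OUT=$(openssl verify -CAfile "$1" leaf.pem 2>&1) && return 0
  return 1
}

# Trust store holds only the root: the state a stale or incomplete CA bundle
# is in when the intermediate is neither sent by the server nor known locally.
if verify_leaf root.pem; then
  echo "root only: unexpectedly OK"
else
  echo "root only: $VERIFY_OUT"
fi

# Bundle that also carries the intermediate (what an up-to-date bundle or a
# correctly served chain provides): the same leaf now verifies.
cat root.pem int.pem > bundle.pem
verify_leaf bundle.pem && echo "root + intermediate: $VERIFY_OUT"
```

A browser succeeds on the same server because it carries its own root store and can fetch a missing intermediate itself, which is why the Monit-side bundle still has to be checked separately.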