2017-12-01 Monit Self-Signed Certificate Expired

Monit runs a web server on a separate port so it doesn’t depend on your “real” web server. That also means it uses its own certificate. I just discovered that mine had expired.


Kallobombus Monit explains the basic setup. The main config file is this: `/etc/monit/conf.d/monit.conf`.


set httpd port 2812 and
    SSL ENABLE
    PEMFILE /etc/ssl/localcerts/monit.pem
    allow admin:*secret*

I wrote a note to myself in `/etc/ssl/localcerts/README`.

https://wiki.debian.org/Self-Signed_Certificate
https://www.howtoforge.com/server-monitoring-with-munin-and-monit-on-debian-wheezy-p2

sudo openssl req -new -x509 -days 365 -nodes -config monit.cnf -out monit.pem -keyout monit.pem
sudo chown root.root monit.pem
sudo chmod 0700 monit.pem
sudo service monit restart
sudo openssl x509 -noout -in monit.pem -fingerprint -sha256

The content of my `monit.cnf` file just provides some defaults.

# http://www.howtoforge.com/server-monitoring-with-munin-and-monit-on-debian-wheezy-p2
# create RSA certs - Server

RANDFILE = ./openssl.rnd

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = CH

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Zürich

localityName                    = Locality Name (eg, city)
localityName_default            = Zürich

organizationName                = Organization Name (eg, company)
organizationName_default        = Alex Schroeder

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Head Desk

commonName                      = Common Name (FQDN of your server)
commonName_default              = alexschroeder.ch

emailAddress                    = Email Address
emailAddress_default            = alex@gnu.org

[ cert_type ]
nsCertType = server

The last command gives me the new fingerprint of the service. When I reconnect to my monit, I’ll still get an error telling me that the cert authority is invalid, which it obviously is, since I self-signed this certificate.
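Since the whole problem here was an expired certificate nobody noticed, the server-side steps above are worth wrapping in a few shell functions that also check how long the certificate has left. The following is an added example, not code from the original post; it uses a constructed minimal `monit.cnf` with a placeholder common name (`monit.example.invalid`) and writes into whatever directory you pass, so adapt the paths before pointing Monit's `PEMFILE` at the result.

```shell
#!/bin/sh
# Added example: generate a self-signed cert for Monit, then check expiry and
# fingerprint. Config values below are constructed placeholders, not the
# author's real certificate details.
set -eu

# write_cnf FILE: a minimal, non-interactive OpenSSL request config.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
CN = monit.example.invalid

[ cert_type ]
nsCertType = server
EOF
}

# make_pem DIR DAYS: key and certificate in one PEM file, which is the
# layout Monit's PEMFILE directive expects. Prints the path of the file.
make_pem() {
    dir=$1; days=$2
    write_cnf "$dir/monit.cnf"
    openssl req -new -x509 -days "$days" -nodes -config "$dir/monit.cnf" \
        -out "$dir/monit.pem" -keyout "$dir/monit.pem" 2>/dev/null
    chmod 0600 "$dir/monit.pem"   # the file holds the private key
    echo "$dir/monit.pem"
}

# expires_within PEM SECONDS: return 0 if the certificate expires within the
# next SECONDS (or already has), 1 otherwise. openssl's -checkend exits
# non-zero when the cert will expire in that window, so we invert it.
expires_within() {
    if openssl x509 -noout -in "$1" -checkend "$2" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# fingerprint PEM: the colon-separated SHA-256 fingerprint, which is what you
# compare against the browser's certificate dialog before accepting it.
fingerprint() {
    openssl x509 -noout -in "$1" -fingerprint -sha256 | sed 's/^.*=//'
}

# Typical use (uncomment to run stand-alone):
# pem=$(make_pem /etc/ssl/localcerts 365)
# expires_within "$pem" 2592000 && echo "renew within 30 days"
# fingerprint "$pem"
```

Running `expires_within` against the live `PEMFILE` from a cron job or from Monit's own `check program` gives you the warning that was missing in this case: a 30-day window (2592000 seconds) leaves enough time to regenerate and re-accept the fingerprint in the browser.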

Firefox uses its own certificate store. Thus, click on *Advanced*, *Add Exception*, *View Certificate*, and compare the SHA-256 fingerprint with what I just got on the server itself.

`SHA256 Fingerprint=51:C8:A6:5E:2F:FB:F6:06:07:FE:B7:62:C3:03:4B:B8:BC:0D:43:AC:25:3C:40:B3:06:75:2F:70:5E:93:AC:78`

This looks ok, so close this window and *Permanently Accept* the exception. Yay!

#Monit #Cryptography #Administration