
I'm trying to use a StartSSL (free) SSL certificate with monit.

I followed the wizard on startssl.com to generate first a private key, then a certificate. I then downloaded the sub.class1.server.ca.pem and ca.pem files. I combined them all into one single file like so:

cat ssl.key ssl.crt sub.class1.server.ca.pem ca.pem > server.pem

I then set that file in monitrc as the pemfile. The resulting setup works fine in Chrome / IE, but displays the (Error code: sec_error_unknown_issuer) message in Firefox. I get the same result if I leave out the StartSSL intermediate CA certificates, like so:

cat ssl.key ssl.crt > server.pem

Could it be that monit only supports a single certificate and not a chain of certificates?

How can I get monit to recognise the certificate chain and display without error in Firefox?

user9517
chmac

1 Answer


Chances are high that you're missing a chain certificate or have them in the wrong order, and that Chrome/IE already knows the chains when Firefox doesn't.

You can use openssl s_client to debug this, but it's a bit clunky and nasty. I quite like the free tool on sslshopper for testing SSL cert deployments. Give that a try and report back what you get!

SimonJGreen
  • sslshopper handles the 2812 port, thanks for that. Other tools I've seen default to port 443 so they're no use. It reports that an intermediary certificate is missing. However, I believe that the certificates are in place and in the correct order. Do you know if monit will support a certificate chain rather than a single cert? – chmac Jan 07 '12 at 16:04
  • I can't say for certain, however I would be amazed if it didn't. Most applications that use SSL in *nix land are built on openssl and its libraries, and support for chain certificates is part of openssl. It's extremely common and best practice to use intermediary certificates; if it didn't support them it wouldn't support most certificate suppliers on the market. – SimonJGreen Jan 07 '12 at 16:36
  • I think it's more likely that you aren't generating the PEM file correctly. For example I don't see in your copy/paste you generating the DH params to go in the PEM file. Try running: `openssl gendh 512 >> server.pem` – SimonJGreen Jan 07 '12 at 16:38
  • Apologies, I have done `openssl gendh 512 > ~/dh && cat ~/dh | sudo tee -a server.pem > /dev/null` already, but I forgot to include it in the question. I'm pretty stumped by this, I assumed it would "just work". I read up on combining certs into pem files and I believe I've got the order correct. – chmac Jan 08 '12 at 17:01
  • Perhaps you're missing one of the chain files, or you're using the wrong chain file. There is nothing more to it than what you've done, I'm afraid! I have found it can be quite confusing finding exactly the right set of intermediary certificates to use from a supplier's website sometimes. You could get in contact with the supplier and ask if they'll send you exactly what you need for that cert? – SimonJGreen Jan 08 '12 at 20:54
  • I'm 99.9% sure I have the correct chain file. It's a class 1 certificate, that's the only chain file that was offered for download while I generated the certificate (as in, they were offered in tandem). I've tried the monit mailing list and StartSSL forum, nothing yet, but here's hoping... :-) – chmac Jan 09 '12 at 22:38
  • You're absolutely right, I had appended 2 files when I needed only 1. The correct command was `cat ssl.key ssl.crt sub.class1.server.ca.pem dh > server.pem` without the ca.pem. It's always the simple ones eh! – chmac Jan 17 '12 at 14:21
  • Actually, ignore that, the certificate works in Apache but not in Monit. oh well, I'll post back if I ever figure it out. :-) – chmac Jan 17 '12 at 14:24
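A quick way to sanity-check a combined pemfile before pointing monit at it, as an added example that is not part of the question or the answer: it splits the file into PEM blocks, reads issuer and subject of each CERTIFICATE block straight out of the DER with the Python standard library only, and reports a server certificate that is not followed directly by its issuer (the ordering and missing-intermediate mistakes discussed above), plus a missing leading private key or missing DH PARAMETERS block. `fake_cert` and the names it is called with are constructed, unsigned test data, not real StartSSL certificates.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)  # (kind, base64 body)

def der_tlv(buf, pos=0):  # decode one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert_der):
    """Return (issuer, subject) as raw DER Name encodings taken from an X.509 certificate."""
    _, pos, _ = der_tlv(cert_der)                    # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, end = der_tlv(cert_der, pos)             # tbsCertificate ::= SEQUENCE { ... }
    fields = []                                      # serial, signature, issuer, validity, subject, ...
    while pos < end:
        tag, _, vend = der_tlv(cert_der, pos)
        if tag != 0xA0:                              # skip the optional [0] EXPLICIT version
            fields.append(cert_der[pos:vend])
        pos = vend
    return fields[2], fields[4]

def check_pemfile(text):
    """List what is wrong with a combined pemfile (key, server cert, intermediates, DH params)."""
    blocks = PEM_RE.findall(text)
    certs = [base64.b64decode(body) for kind, body in blocks if kind == "CERTIFICATE"]
    problems = [] if blocks and "PRIVATE KEY" in blocks[0][0] else ["private key is not the first block"]
    for i, cert in enumerate(certs):
        issuer, subject = issuer_subject(cert)
        if i + 1 < len(certs) and issuer_subject(certs[i + 1])[1] != issuer:
            problems.append(f"certificate {i} must be followed directly by its issuer")
        elif i == 0 and i + 1 == len(certs) and issuer != subject:
            problems.append("intermediate CA certificate not included after the server certificate")
    if all(kind != "DH PARAMETERS" for kind, _ in blocks):
        problems.append("no DH PARAMETERS block appended")
    return problems

def tlv(tag, body):  # DER TLV encoder, used only to build the constructed test certificates below
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def fake_cert(subject, issuer):  # constructed, unsigned X.509-shaped DER with only the fields read above
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer)
           + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def pem(kind, der):  # wrap DER bytes as one PEM block
    return f"-----BEGIN {kind}-----\n{base64.b64encode(der).decode()}\n-----END {kind}-----\n"
```

On a real server.pem, `check_pemfile(open("server.pem").read())` returns an empty list when the key comes first and each certificate is followed by the one that issued it; a chain that stops at the intermediate (no root appended) is reported as fine, since clients are expected to hold the root themselves.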