2

I recently installed monit (on debian) and everything is working fine. Now I would like to enable ssl support. I did what I found in the documentation:

set httpd port 2812
  ssl enable
  pemfile /etc/ssl/certs/ssl-cert-snakeoil.pem

Now not only can I not reach the server through the web with https://myserver.com:2812, but the communication between the monit daemon and the monit command fails as well:

$# monit status
monit: Openssl read timeout error!
monit: error connecting to the monit daemon
Georg Pfolz

1 Answer

8

Seems you did not generate an SSL certificate. Here are some pointers (I've done it on my Ubuntu).

Ensure OpenSSL is available on your system; if not, apt-get install openssl

  • Create folder /var/certs
  • Navigate to this folder cd /var/certs
  • Create a file named monit.cnf and copy/paste the following into it, then save and close the file:

   # create RSA certs - Server
   RANDFILE = ./openssl.rnd
   [ req ]
   default_bits = 2048
   encrypt_key = yes
   distinguished_name = req_dn
   x509_extensions = cert_type
   [ req_dn ]
   countryName = Country Name (2 letter code)
   countryName_default = MO
   stateOrProvinceName    = Ile de France
   stateOrProvinceName_default     = Monitoria
   localityName                    = Paris
   localityName_default            = Monittown
   organizationName                = the_company
   organizationName_default        = Monit Inc.
   organizationalUnitName          = Organizational Unit Name
   organizationalUnitName_default  = Dept. of Monitoring Technologies
   commonName                      = Common Name (FQDN of your server)
   commonName_default              = server.monit.mo
   emailAddress                    = Email Address
   emailAddress_default            = root@monit.mo
   [ cert_type ]
   nsCertType = server
  • Then run (press enter each time you are prompted for information):

openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pem

  • Set permissions: chmod 700 /var/certs/monit.pem (in my case user:group for the pem file is root:root)

Set the following in your monitrc config file:

set httpd port 2812
   ssl enable
   pemfile /var/certs/monit.pem 
   allow user:pass

Restart monit

And then it works! Now it's up to you to put your real information in the monit.cnf file and run the openssl command again.

krisFR
  • Thanks a lot, that worked. I thought I could use the snakeoil certificate already present in the system which I already use for https. What's wrong with this one? – Georg Pfolz Jan 15 '14 at 23:22
  • 1
    I'll upvote your answer as soon as I have some reputation ;) – Georg Pfolz Jan 15 '14 at 23:51
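
A pre-flight check for the file named in pemfile, added here as an example and not part of the original answer or of monit: it tests for the two properties the answer's steps produce, a certificate and a private key in the same file and no group or other permission bits. check_monit_pem is a hypothetical helper name, and GNU stat (as on Debian/Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: check a file before pointing monit's "pemfile" at it.
# check_monit_pem is a hypothetical helper, not a monit command.
# Assumes GNU stat ("stat -c %a"), as shipped on Debian/Ubuntu.
# Usage: check_monit_pem /var/certs/monit.pem

check_monit_pem() {
    pem=$1
    rc=0

    if [ ! -r "$pem" ]; then
        echo "FAIL: $pem is missing or unreadable" >&2
        return 2
    fi

    # Certificate block, as written by "openssl req -x509 ... -out".
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "FAIL: no certificate block in $pem" >&2
        rc=1
    fi

    # Key block, as written by "-keyout". The header varies with key type
    # and format: "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", ...
    if ! grep -q -E -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem"; then
        echo "FAIL: no private key block in $pem" >&2
        rc=1
    fi

    # The answer uses -nodes, so the key is stored unencrypted:
    # reject any group/other permission bit (anything beyond 0700).
    mode=$(stat -c '%a' "$pem")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode on $pem grants group/other access" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $pem has certificate + key, mode $mode"
    return "$rc"
}
```

Running it against /etc/ssl/certs/ssl-cert-snakeoil.pem from the question and against /var/certs/monit.pem from the answer shows which of these properties each file has.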