Dear all,

I'm writing with reference to an issue which came up sometime last year on the general mailing list which I found when I encountered the same problem recently.

(Re: http://lists.gnu.org/archive/html/monit-general/2008-05/msg00042.html)

When Monit is run with a chained SSL certificate, the http server only serves the server digital certificate, but not the rest of the chain, causing browsers to produce an error. I have attached a patch below that should address this problem.
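Before applying a patch like the one below, it helps to confirm what the configured pemfile actually contains: a chained deployment needs the server certificate first, followed by the intermediates, in one PEM file, whereas a single-certificate pemfile serves fine with either loader. The following small checker is an added example written for this message, not code from the patch author or from Monit; it uses only the C standard library (no OpenSSL) and reads the PEM text directly. The constructed sample inputs `SAMPLE_SINGLE` and `SAMPLE_CHAIN` carry dummy base64 bodies and are not real certificates.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count complete "-----BEGIN <label>-----" ... "-----END <label>-----" blocks
 * in a PEM buffer. Returns the number of blocks, or -1 if a BEGIN marker has
 * no matching END marker (a truncated or corrupted file). */
int count_pem_blocks(const char *pem, const char *label) {
    char begin[96], end[96];
    if (snprintf(begin, sizeof begin, "-----BEGIN %s-----", label) >= (int)sizeof begin)
        return -1;
    if (snprintf(end, sizeof end, "-----END %s-----", label) >= (int)sizeof end)
        return -1;
    int count = 0;
    const char *p = pem;
    while ((p = strstr(p, begin)) != NULL) {
        p += strlen(begin);
        const char *e = strstr(p, end);
        if (e == NULL)
            return -1;              /* BEGIN without END: malformed */
        p = e + strlen(end);
        count++;
    }
    return count;
}

/* Classify a pemfile for an SSL server:
 *   0 = no certificate at all (server cannot start),
 *   1 = single certificate (SSL_CTX_use_certificate_file is sufficient),
 *   2 = certificate plus intermediates (needs the chain loader),
 *  -1 = malformed PEM. */
int classify_pemfile(const char *pem) {
    int certs = count_pem_blocks(pem, "CERTIFICATE");
    if (certs < 0) return -1;
    if (certs == 0) return 0;
    return certs == 1 ? 1 : 2;
}

/* Constructed samples (dummy bodies, not real certificates). */
const char SAMPLE_SINGLE[] =
    "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n";

const char SAMPLE_CHAIN[] =
    "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"   /* server cert */
    "-----BEGIN CERTIFICATE-----\nSU5UMQ==\n-----END CERTIFICATE-----\n"   /* intermediate 1 */
    "-----BEGIN CERTIFICATE-----\nSU5UMg==\n-----END CERTIFICATE-----\n";  /* intermediate 2 */

/* Read a whole file into a NUL-terminated buffer; caller frees. */
static char *read_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    char *buf = malloc((size_t)n + 1);
    if (!buf) { fclose(f); return NULL; }
    size_t got = fread(buf, 1, (size_t)n, f);
    fclose(f);
    buf[got] = '\0';
    return buf;
}

int main(int argc, char **argv) {
    const char *pem = SAMPLE_CHAIN;
    char *owned = NULL;
    if (argc > 1) {
        owned = read_file(argv[1]);
        if (!owned) { perror(argv[1]); return 1; }
        pem = owned;
    }
    static const char *desc[] = { "malformed PEM", "no certificate",
                                  "single certificate", "certificate chain" };
    int kind = classify_pemfile(pem);
    printf("certificates: %d, private keys: %d -> %s\n",
           count_pem_blocks(pem, "CERTIFICATE"),
           count_pem_blocks(pem, "RSA PRIVATE KEY"), desc[kind + 1]);
    free(owned);
    return 0;
}
```

Run it against the pemfile named in monitrc (`./pemcheck /path/to/monit.pem`); a result of "certificate chain" with the old `SSL_CTX_use_certificate_file` loader means only the first block is ever sent to clients. The checker cannot tell whether the first block is really the server certificate rather than an intermediate; that ordering still has to be confirmed when the file is assembled.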

Index: ssl.c
===================================================================
--- ssl.c       (revision 15)
+++ ssl.c       (working copy)
@@ -351,8 +351,7 @@
     goto sslerror;
   }

-  if(SSL_CTX_use_certificate_file(ssl_server->ctx, pemfile,
-                                  SSL_FILETYPE_PEM) != 1) {
+  if(SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
     LogError("%s: Cannot initialize SSL server certificate -- %s\n",
              prog, SSLERROR);
     goto sslerror;
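Review bot: the ordering requirement that SSL_CTX_use_certificate_chain_file imposes on pemfile (server certificate first, then the intermediates in order up to but not including the root, all PEM-encoded in the one file) is not documented anywhere near this call; a comment above the `if(SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {` line and a matching note in the manual entry for the pemfile option would save users from the silent case where the first block in the file is not the leaf. Since the loader is PEM-only and the SSL_FILETYPE_PEM argument is gone, the unchanged `LogError("%s: Cannot initialize SSL server certificate -- %s\n",` text could also say "certificate chain" so that a malformed intermediate is distinguishable from a bad server certificate when the error is reported.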

I have tested this in a rudimentary manner - I built monit with this patch applied, verified that it still accepts non-chained certificates, and that it also accepts my chained certificate successfully and serves it correctly to firefox. Please let me know if there are other tests that should be run before I submit this again. Thank you!

Best regards
Lawrence


_______________________________________________
monit-dev mailing list
monit-dev@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monit-dev