Hi, please upgrade Monit - there were problems with client certificates based authentication, fixed in Monit 5.15.0. We recommend the latest release (5.22.0).
Best regards,
Martin

> On 27 Apr 2017, at 20:04, Bryan Harris <[email protected]> wrote:
>
> Hi folks,
>
> I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and
> running into an issue with client certificate authentication.
>
> I've tried two methods to set up client certificates and each way I get the
> error message in monit log. The browser never asked me to select a
> certificate.
>
> SSL: client didn't send a client certificate
>
> In my first attempt, I exported one of my CAC certificates (it does not allow
> exporting the key, just the certificate). It comes in DER format, so I
> converted to PEM and gave that file to monit. I also used the
> ALLOWSELFCERTIFICATION option.
>
> OpenSSL commands:
>
> cd /etc/pki/tls/certs
> openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem
>
> Monit config like so:
>
> set httpd port 443 and
>     use address 192.168.80.130  # only accept connection from localhost
>     ssl enable
>     pemfile /etc/pki/tls/certs/server.cer
>     clientpemfile /etc/pki/tls/certs/mycert.cer
>     allowselfcertification
>     allow admin:monit
>
> The browser did not ask me to supply a certificate and monit gave the error.
>
> SSL: client didn't send a client certificate
>
> In the next situation I generated my own CA and used it to sign a
> certificate. That caused the same result: the browser never asked for a
> cert, and monit gave the error above.
>
> OpenSSL commands:
>
> cd /etc/pki/tls
> openssl genrsa -out private/ca.key 4096
> openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
> openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key -set_serial 01 -out certs/test.cer
>
> Convert to p12 so I can import into Opera/Firefox/Chrome:
>
> openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"
>
> Monit config like so:
>
> set httpd port 443 and
>     use address 192.168.80.130  # only accept connection from localhost
>     ssl enable
>     pemfile /etc/pki/tls/certs/server.cer
>     clientpemfile /etc/pki/tls/certs/test.cer
>     allowselfcertification
>     allow admin:monit
>
> Anytime I try to connect (I have tried a few browsers) I only get the error
> message in the logs. But the browser never lets me choose any cert I want to
> send. It seems as if Monit is not asking for a cert in the first place.
>
> Does anybody have any ideas why this might happen?
>
> Any help is appreciated.
>
> V/r,
> Bryan
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
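A diagnostic script, added here and not part of the thread or of Monit itself: it builds a throwaway CA and client certificate the way Bryan's commands do, verifies the chain, and then probes a TLS port with `openssl s_client` to tell whether the server ever sends a CertificateRequest. It assumes the `openssl` CLI is installed; the host, port and export password are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires the openssl CLI.
set -eu

# make_client_cert DIR: create ca.cer, test.key, test.cer and test.p12 in DIR,
# mirroring the CA-signed client certificate setup from the thread.
make_client_cert() {
  dir=$1
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" \
    -subj "/CN=Test CA" -out "$dir/ca.cer" 2>/dev/null
  openssl genrsa -out "$dir/test.key" 2048 2>/dev/null
  openssl req -new -key "$dir/test.key" -subj "/CN=test" \
    -out "$dir/test.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/test.csr" -CA "$dir/ca.cer" \
    -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/test.cer" 2>/dev/null
  # Bundle for browser import; "changeit" is a constructed placeholder password.
  openssl pkcs12 -export -in "$dir/test.cer" -inkey "$dir/test.key" \
    -out "$dir/test.p12" -name test -passout pass:changeit
  # The leaf must verify against the CA file that clientpemfile will point at;
  # if this fails, no browser prompt could ever lead to a successful login.
  openssl verify -CAfile "$dir/ca.cer" "$dir/test.cer" >/dev/null
}

# server_requests_client_cert HOST PORT: prints "yes" when the server sent a
# CertificateRequest carrying CA names, "no" otherwise (including connection
# failures). "no" means the browser will never prompt: the problem is on the
# server side, not with the certificate or the browser. A server that requests
# a certificate with an empty CA list also reports "no" here.
server_requests_client_cert() {
  out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null || true)
  case $out in
    *"Acceptable client certificate CA names"*) echo yes ;;
    *) echo no ;;
  esac
}
```

Run `server_requests_client_cert 192.168.80.130 443` against the Monit port: a "no" is consistent with Martin's reply that the request side needed the 5.15.0 fix.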
