I see. Thanks for the help, I will give that a try first. I do wish the EPEL folks kept newer versions but they are sometimes behind on things.
On Thu, Apr 27, 2017 at 2:16 PM, Martin Pala <[email protected]> wrote:
> Hi,
>
> please upgrade Monit - there were problems with client certificates based
> authentication, fixed in Monit 5.15.0. We recommend the latest release
> (5.22.0).
>
> Best regards,
> Martin
>
>
> > On 27 Apr 2017, at 20:04, Bryan Harris <[email protected]> wrote:
> >
> > Hi folks,
> >
> > I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and
> > running into an issue with client certificate authentication.
> >
> > I've tried two methods to set up client certificates and each way I get
> > the error message in the monit log. The browser never asked me to select a
> > certificate.
> >
> > SSL: client didn't send a client certificate
> >
> > In my first attempt, I exported one of my CAC certificates (it does not
> > allow exporting the key, just the certificate). It comes in DER format, so
> > I converted it to PEM and gave that file to monit. I also used the
> > ALLOWSELFCERTIFICATION option.
> >
> > OpenSSL commands:
> >
> > cd /etc/pki/tls/certs
> > openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem
> >
> > Monit config like so:
> >
> > set httpd port 443 and
> >     use address 192.168.80.130 # only accept connection from localhost
> >     ssl enable
> >     pemfile /etc/pki/tls/certs/server.cer
> >     clientpemfile /etc/pki/tls/certs/mycert.cer
> >     allowselfcertification
> >     allow admin:monit
> >
> > The browser did not ask me to supply a certificate and monit gave the
> > error.
> >
> > SSL: client didn't send a client certificate
> >
> > In the next situation I generated my own CA and used it to sign a
> > certificate. That caused the same result: the browser never asked for a
> > cert, and monit gave the error above.
> >
> > OpenSSL commands:
> >
> > cd /etc/pki/tls
> > openssl genrsa -out private/ca.key 4096
> > openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
> > openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key -set_serial 01 -out certs/test.cer
> >
> > Convert to p12 so I can import into Opera/Firefox/Chrome:
> >
> > openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"
> >
> > Monit config like so:
> >
> > set httpd port 443 and
> >     use address 192.168.80.130 # only accept connection from localhost
> >     ssl enable
> >     pemfile /etc/pki/tls/certs/server.cer
> >     clientpemfile /etc/pki/tls/certs/test.cer
> >     allowselfcertification
> >     allow admin:monit
> >
> > Anytime I try to connect (I have tried a few browsers) I only get the
> > error message in the logs. But the browser never lets me choose any cert I
> > want to send. It seems as if Monit is not asking for a cert in the first
> > place.
> >
> > Does anybody have any ideas why this might happen?
> >
> > Any help is appreciated.
> >
> > V/r,
> > Bryan
-- To unsubscribe: https://lists.nongnu.org/mailman/listinfo/monit-general
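The symptom in the thread (Monit logs "client didn't send a client certificate" while no browser ever prompts for one) means the server side never sent a TLS CertificateRequest, which is exactly what a client cannot fix. The script below is an added example, not code from the thread or from the Monit project: it classifies the connection summary printed by `openssl s_client` to tell "server asked and client had nothing to offer" apart from "server never asked", and it verifies that a client certificate actually chains to the CA handed to `clientpemfile`. The marker lines it matches ("Acceptable client certificate CA names", "Client Certificate Types", "Requested Signature Algorithms", "No client certificate CA names sent") are the ones OpenSSL's `s_client` prints in its summary, assumed here rather than taken from the thread; the sample captures are constructed, and `HOST:PORT` and the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Monit). Tells whether a TLS
# server requested a client certificate, using `openssl s_client` output.
# Assumption: the marker lines below are the ones s_client prints in its
# connection summary. A server that requests a certificate but sends an
# empty CA list prints "No client certificate CA names sent" too, so the
# signature-algorithm / certificate-type lines are checked as well.

# Classify captured s_client output. Prints "requested" when the server
# sent a CertificateRequest, "not-requested" when the handshake completed
# without one, and "unknown" when there is no summary (e.g. the handshake
# failed before reaching that point).
classify_s_client_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eq '^(Acceptable client certificate CA names|Client Certificate Types:|Requested Signature Algorithms:)'; then
        echo requested
    elif printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Probe a live server (argument is a placeholder HOST:PORT) and classify it.
probe_server() {
    classify_s_client_output "$(openssl s_client -connect "$1" </dev/null 2>/dev/null)"
}

# Check that a client certificate chains to the CA file given to Monit's
# clientpemfile; this is the verification Monit performs once it does ask
# for a certificate. $1 = CA file, $2 = client certificate (placeholders).
verify_client_cert() {
    openssl verify -CAfile "$1" "$2"
}

# Constructed, abridged sample captures standing in for real s_client output.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
CN = test CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
SSL handshake has read 1337 bytes and written 400 bytes'

SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1200 bytes and written 390 bytes'

if [ -n "${1:-}" ]; then
    # e.g. ./check_client_cert_request.sh 192.168.80.130:443
    probe_server "$1"
else
    echo "sample with CertificateRequest: $(classify_s_client_output "$SAMPLE_REQUESTED")"
    echo "sample without CertificateRequest: $(classify_s_client_output "$SAMPLE_NOT_REQUESTED")"
fi
```

Run it with no argument to see the two constructed samples classified; pass `HOST:PORT` to probe a real listener. If a probe against the Monit port comes back `not-requested`, the browser was never given a chance to present a certificate and the fix lies on the server (here, the Monit version), not in how the client certificate or its PKCS#12 bundle was prepared; if it comes back `requested` and the browser still offers nothing, `verify_client_cert ca.cer test.cer` is the next thing to check.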
