Hi all,

I seem to have found a way to get the certificate to appear in the browser
pop-up dialog box.  It only appears in the browser if I also put the CA
into the PEM file that I feed to Monit.  Below is how I got it to display,
and I will attach a capture (not sure if the mailing list accepts
attachments).  Unfortunately, when I select the certificate and attempt to
log in it still fails with another error message.

cat test.cer ca.cer > monit.cer

Then in monitrc:

set httpd port 443
    with SSL {
        pemfile:       /etc/pki/tls/certs/server.cer
        clientpemfile: /etc/pki/tls/certs/monit.cer
        selfsigned: allow
    }
    allow admin:monit

Here is the error.

SSL: cannot get application dataSSL accept error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL accept error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Thanks for any help.

V/r,
Bryan

On Thu, Apr 27, 2017 at 4:15 PM, Bryan Harris <[email protected]>
wrote:

> Well, I gave it a try (building 5.22.0 from source) and still a similar
> issue but a different error message (more descriptive now).  I attempted
> with a couple of different browsers.
>
>
>
> Any ideas what I got wrong?
>
> [root@right rpmbuild]# monit -Iv
> Adding credentials for user 'admin'
> Runtime constants:
>  Control file       = /etc/monitrc
>  Log file           = /var/log/monit.log
>  Pid file           = /run/monit.pid
>  Id file            = /root/.monit.id
>  State file         = /root/.monit.state
>  Debug              = True
>  Log                = True
>  Use syslog         = False
>  Is Daemon          = True
>  Use process engine = True
>  Limits             = {
>                     =   programOutput:     512 B
>                     =   sendExpectBuffer:  256 B
>                     =   fileContentBuffer: 512 B
>                     =   httpContentBuffer: 1024 kB
>                     =   networkTimeout:    5 s
>                     =   programTimeout:    5 m
>                     =   stopTimeout:       30 s
>                     =   startTimeout:      30 s
>                     =   restartTimeout:    30 s
>                     = }
>  On reboot          = start
>  Poll time          = 30 seconds with start delay 0 seconds
>  Start monit httpd  = True
>  httpd bind address = 192.168.80.130
>  httpd portnumber   = 443
>  httpd encryption   = selfsigned: allow, pemfile:
> /etc/pki/tls/certs/server.cer, clientpemfile: /etc/pki/tls/certs/test.cer
>  httpd signature    = Enabled
>  httpd auth. style  = Basic Authentication
>
> The service list contains the following entries:
>
> System Name           = right.laptop
>  Monitoring mode      = active
>  On reboot            = start
>  Swap usage limit     = if greater than 25.0% then alert
>  Memory usage limit   = if greater than 75.0% then alert
>  CPU usage limit      = if greater than 95.0% for 10 cycles then alert
>  Load avg. (5min)     = if greater than 2.0 then alert
>  Load avg. (1min)     = if greater than 4.0 then alert
>
> ------------------------------------------------------------
> -------------------
> pidfile '/run/monit.pid' does not exist
> Starting Monit 5.22.0 daemon with http interface at [192.168.80.130]:443
> Starting Monit HTTP server at [192.168.80.130]:443
> Monit HTTP server started
> 'right.laptop' Monit 5.22.0 started
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 0.0%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
> did not return a certificate
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.1]
> SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
> did not return a certificate
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 22.1%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 25.6%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 15.8%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.5]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.8]
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
> handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
> did not return a certificate
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 3.1%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 21.6%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 5.1%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 7.7%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
> 'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
> 'right.laptop' cpu usage check succeeded [current cpu usage = 7.2%]
> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
> ^CShutting down Monit HTTP server
> Monit HTTP server stopped
> Monit daemon with pid [4010] stopped
> 'right.laptop' Monit 5.22.0 stopped
>
>
>
> On Thu, Apr 27, 2017 at 2:52 PM, Bryan Harris <[email protected]>
> wrote:
>
>> Well I'm not sure if I did it right.  Here is what I did.
>>
>> yumdownloader --source monit
>> cd /root/rpmbuild
>> yum groupinstall "Development Tools"
>> yum install openssl-devel pam-devel
>>
>> Now I edit the 5.14 version in monit.spec instead to say 5.22.0.  And I
>> have to download the new source file because yumdownloader got the old one.
>>
>> Then after that I could do a rpmbuild -ba monit.spec and the build
>> succeeds to make a package.  I will have to test out the build since right
>> now I am just about to get off work and drive home.  Hopefully it will work
>> fine.
>>
>> I don't know if it's right or not.  I guess I shall see.
>>
>> V/r,
>> Bryan
>>
>> On Thu, Apr 27, 2017 at 2:38 PM, SZÉPE Viktor <[email protected]> wrote:
>>
>>> Hello Brian!
>>>
>>> Try rebuilding monit:
>>> http://pkgs.fedoraproject.org/cgit/rpms/monit.git/
>>>
>>> Contact me if you need help.
>>>
>>>
>>> All the best!
>>> (contacts below)
>>>
>>>
>>> Idézem/Quoting Bryan Harris <[email protected]>:
>>>
>>>
>>> I see.  Thanks for the help, I will give that a try first.  I do wish the
>>>> EPEL folks kept newer versions but they are sometimes behind on things.
>>>>
>>>
>>>
>>> SZÉPE Viktor
>>> https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
>>> --
>>> +36-20-4242498  [email protected]  skype: szepe.viktor
>>> Budapest, III. kerület
>>>
>>>
>>>
>>>
>>>
>>
>
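The OpenSSL errors in the Monit logs above can be separated by handshake step, which makes it easier to see that the failure at the client-certificate step changed between the two runs. The following is an added example, not part of the original thread and not Monit code; it assumes the 8/12/12-bit library/function/reason packing of error codes used by OpenSSL 1.0.x and 1.1.x, and the function names `unwrap`, `decode` and `triage` are hypothetical.

```python
import re
from collections import Counter

# Sample input: log lines copied from the thread, still wrapped mid-line
# the way the mail client wrapped them.
SAMPLE_LOG = """\
SSL: cannot get application dataSSL accept error: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate
"""

RECORD_START = re.compile(r"^(SSL\b|HttpRequest:|')")
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

def unwrap(text):
    """Rejoin log records that were split across lines by e-mail wrapping."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()      # drop mail quote markers
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line          # continuation of previous record
    return records

def decode(code_hex):
    """Split a packed OpenSSL error code (assumed 8/12/12-bit layout)."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}

def triage(text):
    """Count errors by (function name, reason text, numeric reason code)."""
    tally = Counter()
    for record in unwrap(text):
        m = OPENSSL_ERR.search(record)
        if m:
            code, _lib, func, reason = m.groups()
            tally[(func, reason, decode(code)["reason"])] += 1
    return tally

if __name__ == "__main__":
    for (func, reason, num), count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{count:3d}  {func:30s} reason {num:3d}  {reason}")
```

Entries whose function is `SSL3_GET_CLIENT_CERTIFICATE` are the ones tied to the client-certificate step; the `SSL3_READ_BYTES` and `SSL3_WRITE_BYTES` entries only report that the handshake failed.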