Hi all,

I think I have taken my attempt about as far as my abilities allow me to go. I've tried a few methods but I cannot get client certificate authentication to work. Has anyone else been able to get this to work? Is anyone using this feature on the current version of Monit?
Here's what I've tried for Monit versions:

* the version that comes with RHEL 6 EPEL on a RHEL 6 VM (which is v5.14)
* the version that comes with RHEL 7 EPEL on a RHEL 7 VM (also v5.14)
* 5.22.0 compiled using the same EPEL SPEC file as above on a RHEL 7 VM
* 5.22.0 x86_64 pre-built binaries which I downloaded from the mmonit.com website on a RHEL 7 VM
* 5.22.0 built from slackbuilds on a Slackware 14.2 VM
* And somewhere I got 5.23.0 and built that --- maybe from the git repo. My memory is fuzzy. This was on Slackware also.

Here's my approach for the server & client certificate. Actual commands used are below. Note: everything is in PEM format for the Monit config.

* pemfile config option: points to a combo of key + cert for the server cert (self-signed, no CA)
* clientpemfile config option: points to the cert only of the client cert (self-signed, no CA)
* selfsigned config option: is set to allow

After the above steps, I create the p12 file for the client cert and import it into my browser.

Note: one thing I have also tried (which I don't think is needed) is to also put the private key into the clientpemfile, similar to the way it is done for the pemfile. I don't think that is needed though, but I tried it and got the same results.

When I fire up the browser and point to my VM, I get the certificate dialog box. When I choose the certificate I see these lines in the debug output of monit.
SSL: read error -- error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL client certificate verification error: error number 1

If I remove the clientpemfile option from the monit configuration and restart monit, then the SSL connection works fine (except that I have to type a user/password instead of using the client certificate). Is this possibly a bug?

Here are the ways I'm generating certificates. If this is incorrect --- what is the right way?

SERVER CERT

cd /etc/ssl
openssl req -x509 -newkey rsa:4096 -keyout private/monit.pem -out certs/monit.pem -days 365 -nodes
cat private/monit.pem certs/monit.pem > private/monit-combined.pem

-> And the pemfile option points to monit-combined.pem.

CLIENT CERT

openssl req -x509 -newkey rsa:4096 -keyout private/test.key -out certs/test.cer -days 365 -nodes

-> And the clientpemfile option points to test.cer

CONVERT FOR BROWSER

openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"

-> And the p12 file is imported into the browser.

Any help is appreciated of course.

V/r,
Bryan

On Thu, Apr 27, 2017 at 6:55 PM, Bryan Harris <[email protected]> wrote:
> Hi all,
>
> I seem to have found a way to get the certificate to appear in the browser pop-up dialog box. It only appears in the browser if I also put the CA into the PEM file that I feed to Monit. Below is how I got it to display, and I will attach a capture (not sure if the mailing list accepts attachments).
> Unfortunately, when I select the certificate and attempt to log in it still fails with another error message.
>
> cat test.cer ca.cer > monit.cer
>
> Then in monitrc:
>
> set httpd port 443
>     with SSL {
>         pemfile: /etc/pki/tls/certs/server.cer
>         clientpemfile: /etc/pki/tls/certs/monit.cer
>         selfsigned: allow
>     }
>     allow admin:monit
>
> Here is the error.
>
> SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
> SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> Thanks for any help.
>
> V/r,
> Bryan
>
> On Thu, Apr 27, 2017 at 4:15 PM, Bryan Harris <[email protected]> wrote:
>
>> Well, I gave it a try (building 5.22.0 from source) and still a similar issue but a different error message (more descriptive now). I attempted with a couple of different browsers.
>>
>> Any ideas what I got wrong?
>>
>> [root@right rpmbuild]# monit -Iv
>> Adding credentials for user 'admin'
>> Runtime constants:
>>  Control file = /etc/monitrc
>>  Log file = /var/log/monit.log
>>  Pid file = /run/monit.pid
>>  Id file = /root/.monit.id
>>  State file = /root/.monit.state
>>  Debug = True
>>  Log = True
>>  Use syslog = False
>>  Is Daemon = True
>>  Use process engine = True
>>  Limits = {
>>   = programOutput: 512 B
>>   = sendExpectBuffer: 256 B
>>   = fileContentBuffer: 512 B
>>   = httpContentBuffer: 1024 kB
>>   = networkTimeout: 5 s
>>   = programTimeout: 5 m
>>   = stopTimeout: 30 s
>>   = startTimeout: 30 s
>>   = restartTimeout: 30 s
>>   = }
>>  On reboot = start
>>  Poll time = 30 seconds with start delay 0 seconds
>>  Start monit httpd = True
>>  httpd bind address = 192.168.80.130
>>  httpd portnumber = 443
>>  httpd encryption = selfsigned: allow, pemfile: /etc/pki/tls/certs/server.cer, clientpemfile: /etc/pki/tls/certs/test.cer
>>  httpd signature = Enabled
>>  httpd auth. style = Basic Authentication
>>
>> The service list contains the following entries:
>>
>> System Name = right.laptop
>>  Monitoring mode = active
>>  On reboot = start
>>  Swap usage limit = if greater than 25.0% then alert
>>  Memory usage limit = if greater than 75.0% then alert
>>  CPU usage limit = if greater than 95.0% for 10 cycles then alert
>>  Load avg. (5min) = if greater than 2.0 then alert
>>  Load avg. (1min) = if greater than 4.0 then alert
>>
>> -------------------------------------------------------------------------------
>> pidfile '/run/monit.pid' does not exist
>> Starting Monit 5.22.0 daemon with http interface at [192.168.80.130]:443
>> Starting Monit HTTP server at [192.168.80.130]:443
>> Monit HTTP server started
>> 'right.laptop' Monit 5.22.0 started
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 0.0%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.1]
>> SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 22.1%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 25.6%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 15.8%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.5]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.8]
>> SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>> SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
>> HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
>> SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 3.1%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 21.6%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 5.1%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 7.7%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
>> 'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
>> 'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
>> 'right.laptop' cpu usage check succeeded [current cpu usage = 7.2%]
>> 'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
>> 'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
>> ^CShutting down Monit HTTP server
>> Monit HTTP server stopped
>> Monit daemon with pid [4010] stopped
>> 'right.laptop' Monit 5.22.0 stopped
>>
>> On Thu, Apr 27, 2017 at 2:52 PM, Bryan Harris <[email protected]> wrote:
>>
>>> Well I'm not sure if I did it right. Here is what I did.
>>>
>>> yumdownloader --source monit
>>> cd /root/rpmbuild
>>> yum groupinstall "Development Tools"
>>> yum install openssl-devel pam-devel
>>>
>>> Now I edit the 5.14 version in monit.spec instead to say 5.22.0. And I have to download the new source file because yumdownloader got the old one.
>>>
>>> Then after that I could do an rpmbuild -ba monit.spec and the build succeeds to make a package. I will have to test out the build since right now I am just about to get off work and drive home. Hopefully it will work fine.
>>>
>>> I don't know if it's right or not. I guess I shall see.
>>>
>>> V/r,
>>> Bryan
>>>
>>> On Thu, Apr 27, 2017 at 2:38 PM, SZÉPE Viktor <[email protected]> wrote:
>>>
>>>> Hello Bryan!
>>>>
>>>> Try rebuilding monit:
>>>> http://pkgs.fedoraproject.org/cgit/rpms/monit.git/
>>>>
>>>> Contact me if you need help.
>>>>
>>>> All the best!
>>>> (contacts below)
>>>>
>>>> Idézem/Quoting Bryan Harris <[email protected]>:
>>>>
>>>>> I see. Thanks for the help, I will give that a try first. I do wish the EPEL folks kept newer versions but they are sometimes behind on things.
>>>>
>>>> SZÉPE Viktor
>>>> https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
>>>> --
>>>> +36-20-4242498 [email protected] skype: szepe.viktor
>>>> Budapest, III. kerület
-- To unsubscribe: https://lists.nongnu.org/mailman/listinfo/monit-general
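An added example, not from this thread and not Monit's code: a small Go model of the trust relationship that the pemfile/clientpemfile pair in the thread expresses. Go's crypto/tls stands in for Monit's OpenSSL-based httpd, the names monit.example and bryan are made up, and the three self-signed certificates are generated in memory. It shows that a self-signed client cert pinned as the trust anchor is accepted by a standard TLS stack, while a client that sends no certificate, or one that presents the same name under a different key, is rejected at the accept step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// selfSigned plays the part of "openssl req -x509" in the thread: a self-signed Ed25519 certificate
// for cn with no EKU restriction, usable as the server's pemfile cert, a client cert or a trust anchor.
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // lab setup failure, not a handshake verdict
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// handshake runs one TLS handshake over loopback: the server presents srv and, like monit's clientpemfile,
// accepts only a client certificate chaining to trust (cli == nil is a browser sending none). It returns the server-side verdict.
func handshake(trust, srv tls.Certificate, cli []tls.Certificate) error {
	pool := x509.NewCertPool() // the PEM below is what a clientpemfile holds
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: trust.Certificate[0]}))
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // browser side; server identity is deliberately not verified in this lab
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true, Certificates: cli}); err == nil {
			c.Read(make([]byte, 1)) // TLS 1.3: the server's verdict only arrives after Dial returns
			c.Close()
		}
	}()
	c, err := ln.Accept()
	if err == nil {
		err = c.(*tls.Conn).Handshake() // fails at the same step where monit's log shows "SSL accept error"
		c.Close()
	}
	return err
}
```

The server only advertises the subjects in its trust pool as acceptable CAs, so a client whose certificate issuer is not in that list will not even offer it, which matches the browser dialog behaviour described in the thread.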
