To add some detail, we tried on another host OS (Ubuntu 20.04) while the problematic one is CentOS, and it was working fine.
Same binary but another OpenSSL stack probably.

-------------------------------------
This is Monit version 5.27.0
Built with ssl, with ipv6, with compression, with pam and with large files
Copyright (C) 2001-2020 Tildeslash Ltd. All Rights Reserved.
-------------------------------------

--------------------------------------
Remote Host '*******'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  port response time           114.394 ms to *******:443 type TCP/IP using TLS (certificate valid for 104 days) protocol HTTP
  data collected               Mon, 20 Jul 2020 16:30:06
-----------------------------------------

Best regards.

On Mon, 20 Jul 2020 at 16:26, Guillaume François <[email protected]> wrote:

> Hello,
>
> Since we have upgraded from Monit 5.20.0 to 5.27.0 we have an issue with
> certificate verification.
>
> It seems broken as it cannot manage to retrieve the certificate
> expiration and it warns about a self-signed certificate when it is not the
> case.
>
> We are using the linux-x64 binary version from the website.
>
> We have two rules:
> ------------------------------------------
> if failed port 443 protocol https with ssl options {verify: enable} and
> certificate valid > 10 days for 5 cycles then alert
> if failed port 443 protocol https request "/" with content ="xxxxxxx" for
> 5 cycles then alert
> -------------------------------------------
>
> We tried to change the part "with ssl options {verify: enable}" to "with
> ssl options {selfsigned: allow}" without any success.
>
> Also regarding the documentation enhancement, we had to put the part "with
> ssl options {selfsigned: allow}" after the part 'request "/" with content
> ="xxxxxxx"' else Monit configuration syntax was failing. It would be good
> to provide a sample in documentation.
>
> In the global configuration file, the ssl setting was set to
>
> set ssl {
> verify : enable,
> }
>
> We tried to add the new parameter "version" but it doesn't solve the
> issue.
>
> set ssl {
> version: auto,
> verify : enable,
> }
>
> Could anyone provide some guidance for this case?
>
> Best Regards.
>
