Thanks Martin for the answer. We tried with the "version: tlsv11" but it didn't solve the issue. To add more info, the target website is accepting TLS 1.0/1.1/1.2.

After further investigation, we discovered that the previous version of Monit was locally compiled on the host. We did the same for 5.27.0 and the issues with the certificate / TLS disappeared.

However, we still have an error in the Monit log file:

------------------------------------------------
error : filesystem statistic error: cannot read /sys/class/block/auto.mount/stat -- No such file or directory
------------------------------------------------

From the output of "monit status", it doesn't seem to raise any issue to pull the statistics.

Best Regards,
Guillaume

On Tue, 21 Jul 2020 at 08:42, [email protected] <[email protected]> wrote:

> Hi,
>
> the monit 5.27.0 enables just TLS 1.2 or later by default (even if the
> version is "auto"). It seems that the OpenSSL library on CentOS doesn't
> support it, you can enable e.g. TLS 1.1 explicitly this way:
>
> set ssl {
>     version: tlsv11
> }
>
> Best regards,
> Martin
>
> > On 20 Jul 2020, at 16:33, Guillaume François <[email protected]> wrote:
> >
> > To add some detail, we tried on another host OS (Ubuntu 20.04) while the
> > problematic one is CentOS, and it was working fine.
> >
> > Same binary but another OpenSSL stack probably.
> > -------------------------------------
> > This is Monit version 5.27.0
> > Built with ssl, with ipv6, with compression, with pam and with large files
> > Copyright (C) 2001-2020 Tildeslash Ltd. All Rights Reserved.
> > -------------------------------------
> >
> > --------------------------------------
> > Remote Host '*******'
> >   status OK
> >   monitoring status Monitored
> >   monitoring mode active
> >   on reboot start
> >   port response time 114.394 ms to *******:443 type TCP/IP using TLS (certificate valid for 104 days) protocol HTTP
> >   data collected Mon, 20 Jul 2020 16:30:06
> > -----------------------------------------
> >
> > Best regards.
> >
> > On Mon, 20 Jul 2020 at 16:26, Guillaume François <[email protected]> wrote:
> > Hello,
> >
> > Since we have upgraded from Monit 5.20.0 to 5.27.0 we have an issue
> > with certificate verification.
> >
> > It seems broken as it cannot manage to retrieve the certificate
> > expiration and it warns about a self-signed certificate when it is not
> > the case.
> >
> > We are using the linux-x64 binary version from the website.
> >
> > We have two rules:
> > ------------------------------------------
> > if failed port 443 protocol https with ssl options {verify: enable} and certificate valid > 10 days for 5 cycles then alert
> > if failed port 443 protocol https request "/" with content ="xxxxxxx" for 5 cycles then alert
> > -------------------------------------------
> >
> > We tried to change the part "with ssl options {verify: enable}" to "with
> > ssl options {selfsigned: allow}" without any success.
> >
> > Also regarding the documentation enhancement, we had to put the part
> > "with ssl options {selfsigned: allow}" after the part 'request "/" with
> > content ="xxxxxxx"' else Monit configuration syntax was failing. It would
> > be good to provide a sample in documentation.
> >
> > In the global configuration file, the ssl setting was set to
> >
> > set ssl {
> >     verify : enable,
> > }
> >
> > We tried to add the new parameter "version" but it didn't solve the
> > issue.
> >
> > set ssl {
> >     version: auto,
> >     verify : enable,
> > }
> >
> > Could anyone provide some guidance for this case?
> >
> > Best Regards.
