The error message "SSL server certificate verification error: unable to get local issuer certificate" indicates that Monit is unable to verify the server's certificate because it does not have access to the necessary intermediate or root certificates. Monit will try to read CA certificates etc. from '/etc/ssl' (depending on the system and compile-time settings).
If you need to load certificates to form a chain from another path, see https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and CACERTIFICATEFILE or CACERTIFICATEPATH.

Best regards

> On 30 May 2024, at 09:17, Gerrit Kühn <[email protected]> wrote:
>
> On Wed, 29 May 2024 18:54:56 +0200,
> Jan-Henrik Haukeland <[email protected]> wrote:
>
>> You must also tell Monit to connect using the Fully Qualified Domain
>> Name (FQDN) as the address. Using ‘localhost’ or an IP-address here,
>> won’t do. When you enable ssl.verify it simply means that Monit will
>> check that the name of the host (given in address) is the same as the
>> SSL certificate's common name.
>
> Good point. I had intended to start with something "very simple" before
> moving over to create templated checks via orchestration tools, but this
> was obviously "too simple".
>
>> Ps. To see more debug output, start monit with the -Iv options.
>
> I have added the correct dns names now:
>
> ---
> check host nginx_conn with address removed-but-valid
>     if failed port 443 protocol https and certificate valid > 30 days
>     with ssl options { verify: enable }
> ---
>
> However, looking into the debug output, I still get
>
> ---
> Socket test failed for [10.xyz.abc.dec:443 -- SSL server certificate
> verification error: unable to get local issuer certificate 'nginx_conn'
> failed protocol test [HTTP] at [removed-but-valid]:443
> [TCP/IP TLS] -- SSL server certificate verification error: unable to get
> local issuer certificate
> ---
>
> Any ideas what I am still missing?
>
> cu
> Gerrit
