Ps. If your ‘nginx_conn’ certificate is a self-signed certificate, I believe you need to create your own CA and use it to sign the certificate. Check the internet for guides or get a free certificate from Let’s Encrypt, https://letsencrypt.org/

> On 30 May 2024, at 15:19, Jan-Henrik Haukeland <[email protected]> wrote:
>
> The error message "SSL server certificate verification error: unable to get
> local issuer certificate" indicates that Monit is unable to verify the
> server's certificate because it does not have access to necessary
> intermediate or root certificates. Monit will try to read CA certificates etc
> from '/etc/ssl' (depending on the system and compile-time settings).
>
> If you need to load certificates to form a chain from another path see
> https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and
> CACERTIFICATEFILE or CACERTIFICATEPATH
>
> Best regards
>
>> On 30 May 2024, at 09:17, Gerrit Kühn <[email protected]> wrote:
>>
>> On Wed, 29 May 2024 18:54:56 +0200
>> Jan-Henrik Haukeland <[email protected]> wrote:
>>
>>> You must also tell Monit to connect using the Fully Qualified Domain
>>> Name (FQDN) as the address. Using ‘localhost’ or an IP-address here,
>>> won’t do. When you enable ssl.verify it simply means that Monit will
>>> check that the name of the host (given in address) is the same as the
>>> SSL certificate's common name.
>>
>> Good point. I had intended to start with something "very simple" before
>> moving over to create templated checks via orchestration tools, but this
>> was obviously "too simple".
>>
>>> Ps. To see more debug output, start monit with the -Iv options.
>>
>> I have added the correct dns names now:
>>
>> ---
>> check host nginx_conn with address removed-but-valid
>> if failed port 443 protocol https and certificate valid > 30 days
>> with ssl options { verify: enable }
>> ---
>>
>> However, looking into the debug output, I still get
>>
>> ---
>> Socket test failed for [10.xyz.abc.dec:443 -- SSL server certificate
>> verification error: unable to get local issuer certificate 'nginx_conn'
>> failed protocol test [HTTP] at [removed-but-valid]:443
>> [TCP/IP TLS] -- SSL server certificate verification error: unable to get
>> local issuer certificate
>> ---
>>
>> Any ideas what I am still missing?
>>
>> cu
>> Gerrit
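
The failure discussed in this thread, reproduced with the openssl CLI as an added example (not part of the original messages): a certificate signed by a private CA fails with the same "unable to get local issuer certificate" error until the verifier is given the CA file, which is the role CACERTIFICATEFILE plays for Monit. The names demo-ca and host.example.test and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added demo. demo-ca and host.example.test are constructed placeholder names.
set -eu

make_chain() {   # $1 = work dir; writes ca.pem (private CA) and server.pem
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. Private CA: self-signed and marked CA:TRUE so it may sign certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/req.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # 2. Server key and CSR; the name must match the address the monitor uses.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=host.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # 3. The CA signs the CSR and adds the host name as subjectAltName.
    printf 'subjectAltName = DNS:host.example.test\n' > "$d/san.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/san.ext" \
        -out "$d/server.pem" 2>/dev/null
}

verify() {   # $1 = certificate, $2 = optional CA file; prints OpenSSL's verdict
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 || true
    else
        # Only the system trust store is consulted, which lacks the demo CA.
        openssl verify "$1" 2>&1 || true
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
echo "--- issuer unknown to the verifier:"
verify "$work/server.pem"
echo "--- same certificate, CA file supplied:"
verify "$work/server.pem" "$work/ca.pem"
```

Only the CA certificate (`ca.pem` here) has to be made available to the verifying side; the CA and server private keys stay where they were generated.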
