That’s a good idea. ssllabs.com is amazing! It might be useful to rule out any certificate issue for the nginx server that Monit/OpenSSL might not like. openssl s_client can also be helpful with that, e.g. 'openssl s_client -connect example.com:443 -showcerts'

In this case though it’s more likely a problem with the CA bundle on the FreeBSD system. Either it's a misconfiguration somewhere or the bundle is missing updated certificates. In the latter case, an alternative is to get the CA bundle from https://curl.se/ca/cacert.pem which is regularly updated and contains a collection of CA certificates converted from the Mozilla CA certificate store. This Monit config should do the trick:

ssl options { cacertificatefile : /path/to/cacert.pem }

Anyway, that’s it from me.

> On 30 May 2024, at 17:23, Michael Thomas <[email protected]> wrote:
>
> You might try putting your host into the HTTPS evaluator on ssllabs.com to
> see if it reports any issues with the cert chain being offered by the web
> server. I've found this to be a very useful tool when debugging ssl issues
> on web servers.
>
> --Mike
>
> On 5/30/24 09:35, Gerrit Kühn wrote:
>> On Thu, 30 May 2024 15:19:00 +0200, Jan-Henrik Haukeland <[email protected]> wrote:
>>> The error message "SSL server certificate verification error: unable to
>>> get local issuer certificate" indicates that Monit is unable to verify
>>> the server's certificate because it does not have access to necessary
>>> intermediate or root certificates. Monit will try to read CA
>>> certificates etc. from '/etc/ssl' (depending on the system and
>>> compile-time settings).
>>>
>>> If you need to load certificates to form a chain from another path see
>>> https://mmonit.com/monit/documentation/monit.html#SSL-OPTIONS and
>>> CACERTIFICATEFILE or CACERTIFICATEPATH
>> Yes, I already tried that, but the error message does not go away. My
>> server certificate is under /usr/local/etc/ssl on FreeBSD, but even adding
>> the full path to monit didn't help. OTOH, I can access the nginx pages via
>> https with my browser just fine, so there should be no intermediate
>> certificates missing, I think?
>> cu
>> Gerrit
>
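To show what the "unable to get local issuer certificate" error in this thread means in practice, here is a small constructed demo (an added example, not code from the thread or from the Monit project): it builds a throwaway root/intermediate/server PKI with the OpenSSL CLI, then verifies the server certificate once against a bundle holding only the root, which reproduces the error, and once against a bundle that also carries the intermediate, which is what a complete cacertificatefile gives Monit. All names and paths are made up; it assumes an OpenSSL 1.1.1 or newer CLI in PATH.

```sh
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server leaf.
# Assumes an OpenSSL 1.1.1+ CLI in PATH; every name and path here is made up.
set -u

# make_test_pki DIR: create root.pem, int.pem, server.pem and bundle.pem in DIR.
make_test_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  # Self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/int.pem" >/dev/null 2>&1
  # Server (leaf) certificate, signed by the intermediate: what nginx would serve
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=monit-demo.example' \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/int.pem" \
    -CAkey "$dir/int.key" -CAcreateserial -out "$dir/server.pem" >/dev/null 2>&1
  # A CA bundle that also carries the intermediate, like a complete cacert.pem
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/bundle.pem"
}

# verify_chain BUNDLE LEAF: the same chain check Monit performs with CACERTIFICATEFILE;
# prints openssl's verdict and returns its exit status (0 only when the chain closes).
verify_chain() {
  openssl verify -CAfile "$1" "$2" 2>&1
}

main() {
  d=$(mktemp -d)
  make_test_pki "$d"
  echo '--- bundle holds only the root (intermediate missing):'
  verify_chain "$d/root.pem" "$d/server.pem" || true
  echo '--- bundle holds root + intermediate:'
  verify_chain "$d/bundle.pem" "$d/server.pem"
  rm -rf "$d"
}

main
```

If the browser accepts the site but this check fails with the bundle Monit reads, the web server is relying on the client to already know the intermediate; adding it to the bundle file, or serving the full chain from nginx, resolves it.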
