monit with ssl (https)


Seems you did not generate an SSL certificate. Here are some pointers (I've done it on my Ubuntu).

Ensure OpenSSL is available on your system; if not, apt-get install openssl

  • Create folder /var/certs
  • Navigate to this folder: cd /var/certs
  • Create a file named monit.cnf and copy/paste the following into it, then save and close the file:
#create RSA certs - Server
   RANDFILE = ./openssl.rnd
   [ req ]
   default_bits = 2048
   encrypt_key = yes
   distinguished_name = req_dn
   x509_extensions = cert_type
   [ req_dn ]
   countryName = Country Name (2 letter code)
   countryName_default = MO
   stateOrProvinceName    = Ile de France
   stateOrProvinceName_default     = Monitoria
   localityName                    = Paris
   localityName_default            = Monittown
   organizationName                = the_company
   organizationName_default        = Monit Inc.
   organizationalUnitName          = Organizational Unit Name
   organizationalUnitName_default  = Dept. of Monitoring Technologies
   commonName                      = Common Name (FQDN of your server)
   commonName_default              = server.monit.mo
   emailAddress                    = Email Address
   emailAddress_default            = [email protected]
   [ cert_type ]
   nsCertType = server
  • Then run (press enter each time you are prompted for info):

openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pem

  • Set permissions: chmod 700 /var/certs/monit.pem (in my case user:group for pem file is root:root)

Set the following in your monitrc config file:

set httpd port 2812
   ssl enable
   pemfile /var/certs/monit.pem 
   allow user:pass

Restart monit

And then it works! Now it's up to you to put your real info in the monit.cnf file and run the openssl command again.
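
A pre-flight check for the combined PEM file created by the steps above, added here as an example and not part of the original answer: it confirms the file has no group/other permission bits, holds both a private key and a certificate, and that the two match and the certificate has not expired. The function names are hypothetical, and `stat -c` assumes GNU coreutils as on Ubuntu/Debian.

```sh
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.
# Assumes GNU stat (Ubuntu/Debian) and the openssl command-line tool.

# Layout check: file exists, no group/other permission bits, and it holds
# both a private key block and a certificate block.
pem_layout_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case $mode in
        *00|0) ;;
        *) echo "mode $mode grants group/other access" >&2; return 2 ;;
    esac
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "no private key block in $f" >&2; return 3; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no certificate block in $f" >&2; return 4; }
}

# Pair check: the private key and the certificate carry the same public key,
# and the certificate is still within its validity period.
pem_pair_ok() {
    f=$1
    kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 5
    cpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 5
    [ "$kpub" = "$cpub" ] ||
        { echo "private key does not match certificate" >&2; return 6; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 7; }
}

# Run both checks when a path is given, e.g.: sh check.sh /var/certs/monit.pem
if [ $# -gt 0 ]; then
    pem_layout_ok "$1" && pem_pair_ok "$1" && echo "OK: $1"
fi
```

A file that contains only a certificate fails the layout check with status 3, before monit is ever restarted against it.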


Author: Georg Pfolz

Updated on September 18, 2022

Comments

  • Georg Pfolz
    Georg Pfolz over 1 year

    I recently installed monit (on debian) and everything is working fine. Now I would like to enable ssl support. I did what I found in the documentation:

    set httpd port 2812
      ssl enable
      pemfile /etc/ssl/certs/ssl-cert-snakeoil.pem
    

    Now not only can I not reach the server through the web with https://myserver.com:2812, but the communication between the monit daemon and the monit command fails as well:

    $# monit status
    monit: Openssl read timeout error!
    monit: error connecting to the monit daemon
    
    • Andrew Schulman
      Andrew Schulman over 10 years
      What is your question?
    • Georg Pfolz
      Georg Pfolz over 10 years
      How can I get it working? ;)
    • misacek007
      misacek007 over 6 years
      The problem is the missing allow user:pass line.
  • Georg Pfolz
    Georg Pfolz over 10 years
    Thanks a lot, that worked. I thought I could use the snakeoil certificate already present in the system which I already use for https. What's wrong with this one?
  • Georg Pfolz
    Georg Pfolz over 10 years
    I'll upvote your answer as soon as I have some reputation ;)