monit-general

Re: Client certificates


From: Martin Pala
Subject: Re: Client certificates
Date: Thu, 27 Apr 2017 20:16:34 +0200

Hi,

please upgrade Monit - there were problems with client certificates based 
authentication, fixed in Monit 5.15.0. We recommend the latest release (5.22.0).

Best regards,
Martin


> On 27 Apr 2017, at 20:04, Bryan Harris <address@hidden> wrote:
> 
> Hi folks,
> 
> I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and 
> running into an issue with client certificate authentication.
> 
> I've tried two methods to set up client certificates and each way I get the 
> error message in the monit log.  The browser never asked me to select a 
> certificate.
> 
> SSL: client didn't send a client certificate
> 
> In my first attempt, I exported one of my CAC certificates (it does not allow 
> exporting the key, just the certificate).  It comes in DER format, so I 
> converted to PEM and gave that file to monit.  I also used the 
> ALLOWSELFCERTIFICATION option.
> 
> OpenSSL commands:
> 
> cd /etc/pki/tls/certs
> openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem
> 
> Monit config like so:
> set httpd port 443 and
>     use address 192.168.80.130  # only accept connection from localhost
>     ssl enable
>     pemfile /etc/pki/tls/certs/server.cer
>     clientpemfile /etc/pki/tls/certs/mycert.cer
>     allowselfcertification
>     allow admin:monit
> 
> The browser did not ask me to supply a certificate and monit gave the error.
> 
> SSL: client didn't send a client certificate
> 
> In the next situation I generated my own CA and used it to sign a 
> certificate.  That caused the same result: the browser never asked for a 
> cert, and monit gave the error above.
> 
> OpenSSL commands:
> 
> cd /etc/pki/tls
> openssl genrsa -out private/ca.key 4096
> openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
> openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey 
> private/ca.key -set_serial 01 -out certs/test.cer
> 
> Convert to p12 so I can import into Opera/Firefox/Chrome:
> 
> openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out 
> /home/sqltest/test.p12 -name "test"
> 
> Monit config like so:
> 
> set httpd port 443 and
>     use address 192.168.80.130  # only accept connection from localhost
>     ssl enable
>     pemfile /etc/pki/tls/certs/server.cer
>     clientpemfile /etc/pki/tls/certs/test.cer
>     allowselfcertification
>     allow admin:monit
> 
> Anytime I try to connect (I have tried a few browsers) I only get the error 
> message in the logs.  But the browser never lets me choose any cert I want to 
> send.  It seems as if Monit is not asking for a cert in the first place.
> 
> Does anybody have any ideas why this might happen?
> 
> Any help is appreciated.
> 
> V/r,
> Bryan
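As an added diagnostic, not code from this thread or from the Monit project, the shell function below separates the two failures the report could correspond to: the server never sending a TLS CertificateRequest (so the browser is never prompted, as Bryan describes) versus the server asking and the client answering with an empty Certificate message. It parses the transcript printed by `openssl s_client -msg`; the host and port in the usage comment are taken from the quoted config and are placeholders, and the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Monit project. With -msg, s_client
# prints one line per handshake message, server-to-client lines starting with
# "<<<" and client-to-server lines with ">>>", e.g.
#   <<< TLS 1.2 Handshake [length 0040], CertificateRequest
# If no CertificateRequest line appears, the client was never asked for a
# certificate, which matches the symptom reported above.
#
# Live usage (host/port are the placeholders from the quoted config):
#   openssl s_client -connect 192.168.80.130:443 -msg </dev/null 2>&1 | classify_client_auth

classify_client_auth() {
    # Reads an s_client -msg transcript on stdin and prints one verdict:
    #   not-requested    server never sent CertificateRequest
    #   requested-empty  server asked, client answered with an empty Certificate
    #   requested-sent   server asked and the client sent a certificate chain
    transcript=$(cat)
    if ! printf '%s\n' "$transcript" | grep -q '^<<<.*Handshake.*CertificateRequest'; then
        echo "not-requested"
        return 0
    fi
    # Length (hex) of the client's Certificate message. An empty certificate
    # list is 7 bytes in TLS 1.2 (4-byte header + 3-byte list length) and
    # 8 bytes in TLS 1.3 (plus a 1-byte request context); a real chain is far larger.
    len=$(printf '%s\n' "$transcript" \
        | sed -n 's/^>>>.*Handshake \[length \([0-9a-fA-F]*\)\], Certificate$/\1/p' | head -n 1)
    if [ -z "$len" ] || [ "$((0x$len))" -le 8 ]; then
        echo "requested-empty"
    else
        echo "requested-sent"
    fi
}

# Constructed, abridged transcripts for a stand-alone run.
NO_REQUEST='>>> TLS 1.2 Handshake [length 00c1], ClientHello
<<< TLS 1.2 Handshake [length 0051], ServerHello
<<< TLS 1.2 Handshake [length 0366], Certificate
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone'
WITH_REQUEST='>>> TLS 1.2 Handshake [length 00c1], ClientHello
<<< TLS 1.2 Handshake [length 0051], ServerHello
<<< TLS 1.2 Handshake [length 0366], Certificate
<<< TLS 1.2 Handshake [length 0040], CertificateRequest
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
>>> TLS 1.2 Handshake [length 0007], Certificate'

printf '%s\n' "$NO_REQUEST"   | classify_client_auth   # prints not-requested
printf '%s\n' "$WITH_REQUEST" | classify_client_auth   # prints requested-empty
```

Run it against the real server with the usage line in the header; a "not-requested" verdict confirms the problem is on the server side rather than in the browser's certificate store.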