Re: Client certificates
From: Martin Pala
Subject: Re: Client certificates
Date: Thu, 27 Apr 2017 20:16:34 +0200
Hi,
Please upgrade Monit - there were problems with client-certificate-based
authentication, fixed in Monit 5.15.0. We recommend the latest release (5.22.0).
Best regards,
Martin
> On 27 Apr 2017, at 20:04, Bryan Harris <address@hidden> wrote:
>
> Hi folks,
>
> I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and
> running into an issue with client certificate authentication.
>
> I've tried two methods to set up client certificates, and each way I get the
> error message below in the monit log. The browser never asked me to select a
> certificate.
>
> SSL: client didn't send a client certificate
>
> In my first attempt, I exported one of my CAC certificates (it does not allow
> exporting the key, just the certificate). It comes in DER format, so I
> converted to PEM and gave that file to monit. I also used the
> ALLOWSELFCERTIFICATION option.
>
> OpenSSL commands:
>
> cd /etc/pki/tls/certs
> openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem
>
> Monit config like so:
> set httpd port 443 and
> use address 192.168.80.130 # only accept connection from localhost
> ssl enable
> pemfile /etc/pki/tls/certs/server.cer
> clientpemfile /etc/pki/tls/certs/mycert.cer
> allowselfcertification
> allow admin:monit
>
> The browser did not ask me to supply a certificate and monit gave the error.
>
> SSL: client didn't send a client certificate
>
> In the next situation I generated my own CA and used it to sign a
> certificate. That caused the same result: the browser never asked for a
> cert, and monit gave the error above.
>
> OpenSSL commands:
>
> cd /etc/pki/tls
> openssl genrsa -out private/ca.key 4096
> openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
> openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key -set_serial 01 -out certs/test.cer
>
> Convert to p12 so I can import into Opera/Firefox/Chrome:
>
> openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"
>
> Monit config like so:
>
> set httpd port 443 and
> use address 192.168.80.130 # only accept connection from localhost
> ssl enable
> pemfile /etc/pki/tls/certs/server.cer
> clientpemfile /etc/pki/tls/certs/test.cer
> allowselfcertification
> allow admin:monit
>
> Anytime I try to connect (I have tried a few browsers) I only get the error
> message in the logs. But the browser never lets me choose any cert I want to
> send. It seems as if Monit is not asking for a cert in the first place.
>
> Does anybody have any ideas why this might happen?
>
> Any help is appreciated.
>
> V/r,
> Bryan
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general