Configuring SSL on "monit" with letsencrypt certificates


#1

I just installed “Monit 5.25.2” on a FreeBSD-11.2 / amd64 machine. The application is working fine and I have slowly but surely gotten it configured. I do have a question, though, regarding “SSL”.

From the manual, this is a skeleton for the “SET SSL” section:

SSL OPTIONS

Common SSL/TLS options can be set using the following statement and will apply to all SSL connections made through Monit:

SET <SSL | TLS> [OPTIONS] {
  VERSION: <AUTO | SSLV2 | SSLV3 | TLSV1 | TLSV11 | TLSV12 | TLSV13>
  VERIFY: <ENABLE | DISABLE>
  SELFSIGNED: <ALLOW | REJECT>
  CIPHERS:
  PEMFILE:
  CLIENTPEMFILE:
  CACERTIFICATEFILE:
  CACERTIFICATEPATH:
}

Now, I am using “letsencrypt” on my machine. I am confused as to what files go where. Letsencrypt has these files available:

  1. cert.pem
  2. chain.pem
  3. fullchain.pem
  4. privkey.pem

I was told that “monit” will not accept the “fullchain.pem” file unless the “privkey.pem” is added to the top of it.

What I want to know is what keys are used for each of the “PEMFILE”, “CLIENTPEMFILE”, and “CACERTIFICATEFILE” file entries. I am using the “ca-root-nss.crt” file path for the “CACERTIFICATEPATH”; i.e., “/usr/local/share/certs/ca-root-nss.crt”. Also, do I have to add the “privkey.pem” to the “fullchain.pem” in order for “monit” to accept it?


#2

privkey.pem || fullchain.pem (concatenated, as you already noted). Common “combined” format as used in Apache 2.4 and HAProxy.

Not needed.

Not needed.

Not needed.
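The combined file that the question and the answer above talk about, built and sanity-checked, as an added example (this is not code from the original thread or from the Monit project). It assumes a certbot-style layout under /usr/local/etc/letsencrypt/live/<name>/ and an output path of /usr/local/etc/monit/monit.pem; both paths are assumptions, adjust them for your host. Because the result carries privkey.pem it is created mode 0600, and the check refuses a file where the key is not the first block, is readable by others, or does not belong to the first certificate.

```shell
#!/bin/sh
# Assemble the combined PEM that Monit's PEMFILE expects: private key first,
# then the leaf certificate and intermediates (privkey.pem || fullchain.pem).
# Added example; the Let's Encrypt and Monit paths mentioned in the comments
# are assumptions for a typical certbot layout on FreeBSD.

# build_combined_pem PRIVKEY FULLCHAIN OUTFILE
# Concatenates key + fullchain into OUTFILE, created owner-readable only,
# because the output now contains the private key.
build_combined_pem() {
    key=$1; chain=$2; out=$3
    [ -r "$key" ] && [ -r "$chain" ] || { echo "cannot read $key or $chain" >&2; return 1; }
    ( umask 077; cat "$key" "$chain" > "$out" )   # subshell keeps the umask change local
    chmod 0600 "$out"                              # in case OUTFILE already existed
}

# pem_block_order FILE
# Prints the BEGIN labels in file order, e.g. "PRIVATE KEY CERTIFICATE CERTIFICATE".
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# is_owner_only FILE
# True when the mode bits are exactly rw------- (uses ls(1), so it works on
# both FreeBSD and Linux without stat(1) flag differences).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# key_matches_cert FILE
# Derives the public key from the private key and compares it with the public
# key inside the first certificate. openssl(1) skips PEM blocks of other
# types, so both reads work directly on the combined file.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_combined_pem FILE
# Rejects the usual mistakes: key not on top, passphrase-protected key,
# no certificates, file readable by others, key from some other certificate.
check_combined_pem() {
    f=$1
    first=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f" | head -n 1)
    case "$first" in
        "ENCRYPTED PRIVATE KEY")
            echo "$f: key is passphrase-protected; Let's Encrypt's privkey.pem is not" >&2; return 1 ;;
        *"PRIVATE KEY") ;;
        *) echo "$f: first PEM block is '$first', expected the private key" >&2; return 1 ;;
    esac
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || { echo "$f: no certificate blocks" >&2; return 1; }
    is_owner_only "$f" || { echo "$f: must be mode 0600, it contains a private key" >&2; return 1; }
    key_matches_cert "$f" || { echo "$f: private key does not match the first certificate" >&2; return 1; }
}

# Stand-alone use (paths are assumptions):
#   sh build_monit_pem.sh /usr/local/etc/letsencrypt/live/example.org/privkey.pem \
#       /usr/local/etc/letsencrypt/live/example.org/fullchain.pem \
#       /usr/local/etc/monit/monit.pem
if [ $# -eq 3 ]; then
    build_combined_pem "$1" "$2" "$3" && check_combined_pem "$3" && echo "$3 ok"
fi
```

Point PEMFILE at the output. certbot generates a new privkey.pem at each renewal by default, so run this from the renewal hook and reload Monit afterwards, otherwise the combined file goes stale while the files in live/ move on.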