SSL HTTP Interface with Monit


#1

My domain is: techlegends.in

I want to use the SSL HTTP interface with Monit on my server. However, Monit requires that "The PEMFILE should contain the server’s private key and certificate". What should I do? Which file is the one that I’m looking for?

Also, someone suggested deploying a hook to overcome file permission issues when enabling SSL for Monit when using Let’s Encrypt (read the reference: https://serverfault.com/questions/890076/monit-lets-encrypt-and-file-permissions).

But that didn’t help either.

Need suggestions to enable the HTTP interface of Monit with SSL.


#2

From the Monit documentation (https://mmonit.com/wiki/Monit/EnableSSLInMonit):
“The PEMFILE should contain the server’s private key and certificate.”
Their example for “Generating a self-signed server certificate for testing” shows that indeed the key and public cert are expected in one single pem file:
Run these commands to generate the pemfile:
    # Generates the private key and the certificate
    openssl req -new -x509 -days 365 -nodes \
        -config ./monit.cnf -out /etc/ssl/certs/monit.pem \
        -keyout /etc/ssl/certs/monit.pem

So, how do you do that with LE?
LE doesn’t put those two parts of the cert into any single file.
They are two separate files; one for the key and one for the cert.
But using a --post-hook you can run a script to concatenate those two files into a new file that can be placed wherever Monit needs it to be.


#3

Hi @ankushdas9,

Currently, Certbot does not create a single file that contains these items. You would have to create it yourself.

If you’re using Certbot, the hook idea seems like a helpful one to me because the file would need to be recreated every time the certificate is renewed, because the contents would change. A hook script can help to automate this process.

In Certbot terms, the combination that you need is either privkey.pem + cert.pem, or privkey.pem + fullchain.pem, depending on whether Monit wants the complete chain in the file or not.
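
The concatenation step discussed in the posts above, as an added example that is not part of the original thread and is not Certbot's or Monit's own code. It is written for use as a Certbot deploy hook, which receives the lineage directory in `RENEWED_LINEAGE`; the function name, the `MONIT_PEM` variable and the `/etc/monit/monit.pem` default are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build the single PEM file Monit's PEMFILE setting expects
# from the separate files Certbot keeps in a certificate lineage directory.

build_monit_pem() {
    lineage=$1                    # e.g. /etc/letsencrypt/live/<domain>
    out=$2                        # file Monit's PEMFILE points at (assumed path)
    certfile=${3:-fullchain.pem}  # or cert.pem if Monit should not get the chain

    key=$lineage/privkey.pem
    cert=$lineage/$certfile

    if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
        echo "build_monit_pem: cannot read $key or $cert" >&2
        return 1
    fi
    # Refuse to combine files that are not what their names claim.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || return 1

    # mktemp creates the file with mode 0600, so the private key is never
    # readable by other users, and mv swaps it in atomically on renewal.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$key" "$cert" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Certbot sets RENEWED_LINEAGE when it runs a deploy hook; otherwise do nothing.
# MONIT_PEM and its default are assumptions for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_monit_pem "$RENEWED_LINEAGE" "${MONIT_PEM:-/etc/monit/monit.pem}" \
        && monit reload
fi
```

Because the combined file contains the private key, it is kept owner-only (mode 0600) and should live somewhere only the account running Monit can read.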


#4

Yes, I got that solution here: https://serverfault.com/questions/890076/monit-lets-encrypt-and-file-permissions

But that doesn’t renew the certificates, nor does it process a hook.

Could you take a look at it?


#5

Got it. Monit is really a helpful tool - I’m really looking forward to resolving this so I can use it with Let’s Encrypt SSL on board. Thanks for your time!


#6

That answer is exactly what you need to get the cert into Monit.
You will need to get the cert and renew the cert normally with your ACME client.

So do you have an ACME client installed (like certbot or certbot-auto)?
How do you plan to get the LE cert?