Skip to main content

CWP: How to Add Let's Encrypt SSL to Monit on CentOS 7.6

I have installed Let's Encrypt SSL certificate for Server FQDN and that certificate i will use for monit. So In this tutorial we are going to show you, how to add Let's Encrypt SSL certificate for Monit along with CentOS Webpanel on CentOS 7.

Prerequisites:
To complete this tutorial, you will need:
1. CentOS Linux release 7.6.1810 (Core)
2. CWP7.admin , CWP version: 0.9.8.772
3. CSF Firewall
4. Let's Encrypt SSL Certificate (Installed)

Step 1:
Install HTTP client library
# yum install python-httplib2  
To enable Let's Encrypt SSL for Monit's HTTP GUI, Open Monit Configuration File and uncomment the below line
 # vi /etc/monitrc

 set ssl {
     version    : TLSV12
     verify     : enable 
 }


 with ssl {            
        pemfile: /etc/ssl/certs/monit.pem
   }
  
Check Monit syntax for error
# monit -t 
Control file syntax OK  
Create a file with touch command
# touch /etc/ssl/certs/monit.pem  

Step 2:
Let's Encrypt SSL location for your SERVER_FQDN: /etc/letsencrypt/live/server_fqdn/ , There are four files:
cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem + chain.pem
privkey.pem is the private key ,
Please keep in mind that the private key is only for you.
Build the proper Intermediate CA plus Root CA .
Let's Encrypt is almost perfect, but during the files the process built, they just add the chain.pem file without the root CA. You must to use the IdenTrust root Certificate and merge it after the chain.pem
Your chain.pem should look like:
 -----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE----- 
To sum up: chain.pem has to be concatened with the root CA. First the chain and the end of the file the root CA. The order is important.
So new chain.pem = chain.pem + root CA 
and Finally Fullchain = cert.pem + chain.pem + root CA
Concatenate the certificates into a single file
# cp /etc/letsencrypt/live/server_fqdn/fullchain.pem /etc/ssl/certs/monit.pem
# cat /etc/letsencrypt/live/server_fqdn/privkey.pem >> /etc/ssl/certs/monit.pem  
 Generates the  Diffie-Hellman Parameters, It will take time
# openssl dhparam -2 2048 >> /etc/ssl/certs/monit.pem  
 Set Owner & permissions on that file
# chmod 0600 /etc/ssl/certs/monit.pem  
# chown root:root  /etc/ssl/certs/monit.pem
If you want to check your own setup first to ensure it will pass this check, you can use the command:
# openssl s_client -tls1_2 -connect server_fqdn:443
# openssl s_client -port 2812 -host server_fqdn_or_ip -ssl3
# openssl s_client -port 2812 -host 127.0.0.1 -ssl3 
Prints out the certificate information
# openssl x509 -text -noout -in /etc/ssl/certs/monit.pem 
Check monit is listening 
# ps aux | grep monit
# netstat -lpn | grep 2812 
Now Login to your monit server using https url ( https://server_fqdn:2812 )

Comments

Most Popular

CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

After hosting my parent domain on CWP7.admin, I am getting dns error and i'm not able access my server using my server FQDN but i can access using my server IP.
So what can i do for that problem ?

Yes, you have to fix the error .

Environment Details:
Distro Name: CentOS Linux release 7.6.1810 (Core)
CentOS-Web Panel version: CWP7.admin
CWP version: 0.9.8.757
WebServer: Apache Only
FQDN: host.datahead.biz
IP: 192.120.10.3

1.Change Hostname Permanently:
# hostnamectl set-hostname host.datahead.biz# hostnamectl Static hostname: host.datahead.biz Icon name: computer-vm Chassis: vm Machine ID: 7400071490ea4f7d931374824ad4b52c Boot ID: 6e1f2d76495d4b318c25c4a1195aa130 Virtualization: vmware Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-862.14.4.el7.x86_64 Architecture: x86-64 It also writes this information to the /etc/hostname file as well.
# cat /etc/hostname host.d…

CWP DNS Part 2 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

7.Open Main Configuration file
# vi /etc/named.conf 12 options { 13 listen-on port 53 { any; }; 14 listen-on-v6 port 53 { ::1; }; 15 directory "/var/named"; 16 dump-file "/var/named/data/cache_dump.db"; 17 statistics-file "/var/named/data/named_stats.txt"; 18 memstatistics-file "/var/named/data/named_mem_stats.txt"; 19 recursing-file "/var/named/data/named.recursing"; 20 secroots-file "/var/named/data/named.secroots"; 21 allow-query { any; }; 33 recursion no; 34 35 dnssec-enable yes; 36 dnssec-validation yes; 54 zone "." IN { 55 type hint; 56 file "named.ca"; 57 }; 58 59 include "/etc/named.rfc1912.zones"; 60 include "/etc/named.root.key"; 61 …