I have installed Let's Encrypt SSL certificate for Server FQDN and that certificate i will use for monit. So In this tutorial we are going to show you, how to add Let's Encrypt SSL certificate for Monit along with CentOS Webpanel on CentOS 7.
Prerequisites:
To complete this tutorial, you will need:
1. CentOS Linux release 7.6.1810 (Core)
2. CWP7.admin , CWP version: 0.9.8.772
3. CSF Firewall
4. Let's Encrypt SSL Certificate (Installed)
Step 1:
Install HTTP client library
Step 2:
Let's Encrypt SSL location for your SERVER_FQDN: /etc/letsencrypt/live/server_fqdn/ , There are four files:
cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem + chain.pem
privkey.pem is the private key ,
Please keep in mind that the private key is only for you.
Build the proper Intermediate CA plus Root CA .
Let's Encrypt is almost perfect, but during the files the process built, they just add the chain.pem file without the root CA. You must to use the IdenTrust root Certificate and merge it after the chain.pem
Your chain.pem should look like:
So new chain.pem = chain.pem + root CA
and Finally Fullchain = cert.pem + chain.pem + root CA
Prerequisites:
To complete this tutorial, you will need:
1. CentOS Linux release 7.6.1810 (Core)
2. CWP7.admin , CWP version: 0.9.8.772
3. CSF Firewall
4. Let's Encrypt SSL Certificate (Installed)
Step 1:
Install HTTP client library
# yum install python-httplib2
To enable Let's Encrypt SSL for Monit's HTTP GUI, Open Monit Configuration File and uncomment the below line # vi /etc/monitrc
set ssl {
version : TLSV12
verify : enable
}
with ssl {
pemfile: /etc/ssl/certs/monit.pem
}
Check Monit syntax for error # monit -t
Control file syntax OK
Create a file with touch command# touch /etc/ssl/certs/monit.pem
Step 2:
Let's Encrypt SSL location for your SERVER_FQDN: /etc/letsencrypt/live/server_fqdn/ , There are four files:
cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem + chain.pem
privkey.pem is the private key ,
Please keep in mind that the private key is only for you.
Build the proper Intermediate CA plus Root CA .
Let's Encrypt is almost perfect, but during the files the process built, they just add the chain.pem file without the root CA. You must to use the IdenTrust root Certificate and merge it after the chain.pem
Your chain.pem should look like:
-----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
To sum up: chain.pem has to be concatened with the root CA. First the chain and the end of the file the root CA. The order is important.So new chain.pem = chain.pem + root CA
and Finally Fullchain = cert.pem + chain.pem + root CA
Concatenate the certificates into a single file
# cp /etc/letsencrypt/live/server_fqdn/fullchain.pem /etc/ssl/certs/monit.pem
# cat /etc/letsencrypt/live/server_fqdn/privkey.pem >> /etc/ssl/certs/monit.pem
Generates the Diffie-Hellman Parameters, It will take time# openssl dhparam -2 2048 >> /etc/ssl/certs/monit.pem
Set Owner & permissions on that file# chmod 0600 /etc/ssl/certs/monit.pem
# chown root:root /etc/ssl/certs/monit.pem
If you want to check your own setup first to ensure it will pass this check, you can use the command:# openssl s_client -tls1_2 -connect server_fqdn:443
# openssl s_client -port 2812 -host server_fqdn_or_ip -ssl3
# openssl s_client -port 2812 -host 127.0.0.1 -ssl3
Prints out the certificate information# openssl x509 -text -noout -in /etc/ssl/certs/monit.pem
Check monit is listening # ps aux | grep monit
# netstat -lpn | grep 2812
Now Login to your monit server using https url ( https://server_fqdn:2812 )
Comments
Post a Comment
You are always welcome to comment here, but your remarks should be relevant to the conversation. To keep the exchanges focused and engaging, we reserve the right to remove off-topic comments, or self-promoting URLs and vacuous messages.
We will try to reply to your queries as soon as time allows.
Regards,
Admin