CWP: How to Add Let's Encrypt SSL to Monit on CentOS 7.6

I have installed Let's Encrypt SSL certificate for Server FQDN and that certificate i will use for monit. So In this tutorial we are going to show you, how to add Let's Encrypt SSL certificate for Monit along with CentOS Webpanel on CentOS 7.

Prerequisites:
To complete this tutorial, you will need:
1. CentOS Linux release 7.6.1810 (Core)
2. CWP7.admin , CWP version: 0.9.8.772
3. CSF Firewall
4. Let's Encrypt SSL Certificate (Installed)

Step 1:
Install HTTP client library

# yum install python-httplib2  

To enable Let's Encrypt SSL for Monit's HTTP GUI, Open Monit Configuration File and uncomment the below line

 # vi /etc/monitrc

 set ssl {
     version    : TLSV12
     verify     : enable 
 }


 with ssl {            
        pemfile: /etc/ssl/certs/monit.pem
   }
  

Check Monit syntax for error

# monit -t 
Control file syntax OK  

Create a file with touch command

# touch /etc/ssl/certs/monit.pem  

Step 2:
Let's Encrypt SSL location for your SERVER_FQDN: /etc/letsencrypt/live/server_fqdn/ , There are four files:
cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem + chain.pem
privkey.pem is the private key ,
Please keep in mind that the private key is only for you.
Build the proper Intermediate CA plus Root CA .
Let's Encrypt is almost perfect, but during the files the process built, they just add the chain.pem file without the root CA. You must to use the IdenTrust root Certificate and merge it after the chain.pem
Your chain.pem should look like:

 -----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE----- 

To sum up: chain.pem has to be concatened with the root CA. First the chain and the end of the file the root CA. The order is important.
So new chain.pem = chain.pem + root CA 
and Finally Fullchain = cert.pem + chain.pem + root CA

Concatenate the certificates into a single file

# cp /etc/letsencrypt/live/server_fqdn/fullchain.pem /etc/ssl/certs/monit.pem
# cat /etc/letsencrypt/live/server_fqdn/privkey.pem >> /etc/ssl/certs/monit.pem  

 Generates the  Diffie-Hellman Parameters, It will take time

# openssl dhparam -2 2048 >> /etc/ssl/certs/monit.pem  

 Set Owner & permissions on that file

# chmod 0600 /etc/ssl/certs/monit.pem  
# chown root:root  /etc/ssl/certs/monit.pem

If you want to check your own setup first to ensure it will pass this check, you can use the command:

# openssl s_client -tls1_2 -connect server_fqdn:443
# openssl s_client -port 2812 -host server_fqdn_or_ip -ssl3
# openssl s_client -port 2812 -host 127.0.0.1 -ssl3 

Prints out the certificate information

# openssl x509 -text -noout -in /etc/ssl/certs/monit.pem 

Check monit is listening 

# ps aux | grep monit
# netstat -lpn | grep 2812 

Now Login to your monit server using https url ( https://server_fqdn:2812 )