Enable SSL In Monit

Author: Christian Hopp and the Monit team


Basic configuration

To enable SSL in Monit's HTTP GUI, add the SSL option to the SET HTTPD statement and specify the location of the PEM encoded server certificate using the PEMFILE option:

 SET HTTPD PORT 2812
     WITH SSL {
         PEMFILE:  /etc/ssl/certs/monit.pem
     }
     ALLOW myuser:mypassword

The PEMFILE should contain the server's private key and certificate. See Generating a self-signed server certificate for testing below if you don't have a CA-signed certificate yet.

Start Monit and connect to the Monit HTTP GUI with SSL via this url:

 https://localhost:2812/

Generating a self-signed server certificate for testing

You can use a self-signed server certificate for testing.

Warning: Using a self-signed certificate in production is not recommended, as in that case the client cannot verify that it is talking to the correct server (it is vulnerable to man-in-the-middle attacks and DNS hijacking).

Prepare an OpenSSL configuration file.

Example:

  # create RSA certs - Server

  RANDFILE = ./openssl.rnd

  [ req ]
  default_bits = 2048
  default_md = sha256
  encrypt_key = yes
  distinguished_name = req_dn
  x509_extensions = cert_type

  [ req_dn ]
  countryName = Country Name (2 letter code)
  countryName_default = NO

  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = Oslo

  localityName                    = Locality Name (eg, city)
  localityName_default            = Oslo

  organizationName                = Organization Name (eg, company)
  organizationName_default        = Tildeslash Ltd.

  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default  = Services

  commonName                      = Common Name (FQDN of your server)
  commonName_default              = server.tildeslash.com

  emailAddress                    = Email Address
  emailAddress_default            = mmonit@tildeslash.com

  [ cert_type ]
  nsCertType = server

Run these commands to generate the PEM file:

  # Generates the private key and the certificate
  openssl req -new -x509 -days 365 -nodes \
    -config ./monit.cnf -out /etc/ssl/certs/monit.pem \
    -keyout /etc/ssl/certs/monit.pem

  # Generates the Diffie-Hellman parameters
  openssl dhparam -2 2048 >> /etc/ssl/certs/monit.pem

  # Set mode
  chmod 600 /etc/ssl/certs/monit.pem

  # Prints out the certificate information
  openssl x509 -text -noout -in /etc/ssl/certs/monit.pem

Important: The Monit CLI works on a client-server basis and uses the Monit HTTP GUI to collect status from the Monit daemon and pass commands like start/stop to it. As self-signed certificates are rejected by default for security reasons, the CLI won't work unless you explicitly allow them using the SELFSIGNED: ALLOW option:

  SET HTTPD PORT 2812
     WITH SSL {
        PEMFILE: /etc/ssl/certs/monit.pem
        SELFSIGNED: ALLOW
     }

Client-certificate based authentication

Monit configuration (server)

Monit access control supports client-certificate based authentication in addition to traditional credentials and IP-based ACLs.

With client-certificate authentication enabled, if a browser wants to connect to Monit, the browser has to present a certificate known to Monit. If it is not known, Monit will refuse the connection.

The certificate sent by the client (browser) is checked against a PEM encoded database file, which contains a list of allowed client certificates plus all necessary CA certificates.

To enable the client-certificate based authentication, specify a path to the certificates database using the CLIENTPEMFILE option:

  SET HTTPD PORT 2812
     WITH SSL {
        PEMFILE: /etc/ssl/certs/monit.pem
        CLIENTPEMFILE:  /etc/ssl/certs/monit-client.pem
     }

Self-signed client certificates note: By default, a self-signed client certificate is rejected for security reasons, but you may explicitly allow it by using the SELFSIGNED: ALLOW option.
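A small checker for the two PEM files this page configures, added here as an example and not part of Monit itself: it verifies that the server PEMFILE holds exactly one private key, a certificate and the appended DH parameters with mode 600, and that the CLIENTPEMFILE (the allowed-client and CA certificate database) contains no private key. It only inspects PEM block labels and file permissions, not the key or certificate contents; the sample files it builds are constructed placeholders, not real key material.

```python
import os, re, stat, tempfile

# A PEM block is "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"; only labels are read.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_labels(path):
    # Block labels in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE', 'DH PARAMETERS']
    with open(path, encoding="ascii") as fh:
        return _PEM_BLOCK.findall(fh.read())


def check_server_pemfile(path):
    """PEMFILE: the server's private key + certificate (+ DH params), readable by owner only."""
    labels = pem_labels(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = ["mode %o allows group/other access; chmod 600" % mode] if mode & 0o077 else []
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected one private key, found %d" % len(keys))
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if "DH PARAMETERS" not in labels:
        problems.append("no DH PARAMETERS block (openssl dhparam output not appended)")
    return problems


def check_client_pemfile(path):
    """CLIENTPEMFILE: allowed client certs + their CA certs; a private key never belongs here."""
    return ["%s block does not belong in a certificate database" % l
            for l in pem_labels(path) if l.endswith("PRIVATE KEY")]


def _write_pem(path, labels, mode):
    # Constructed sample file: placeholder bodies, not real key material.
    with open(path, "w", encoding="ascii") as fh:
        for label in labels:
            fh.write("-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n" % (label, label))
    os.chmod(path, mode)


def demo():
    # Lay out the files this page describes and return each check's findings.
    tmp = tempfile.mkdtemp()
    good, loose = os.path.join(tmp, "monit.pem"), os.path.join(tmp, "loose.pem")
    clients, leaky = os.path.join(tmp, "monit-client.pem"), os.path.join(tmp, "leaky.pem")
    _write_pem(good, ["PRIVATE KEY", "CERTIFICATE", "DH PARAMETERS"], 0o600)
    _write_pem(loose, ["RSA PRIVATE KEY", "CERTIFICATE"], 0o644)  # world-readable, no DH
    _write_pem(clients, ["CERTIFICATE", "CERTIFICATE", "CERTIFICATE"], 0o644)  # 2 clients + CA
    _write_pem(leaky, ["CERTIFICATE", "PRIVATE KEY"], 0o644)  # a client's key copied to the server
    return {"good": check_server_pemfile(good), "loose": check_server_pemfile(loose),
            "clients": check_client_pemfile(clients), "leaky": check_client_pemfile(leaky)}
```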

Importing a client certificate into a browser (client)

In addition to the certificate, you also have to provide the private key. This key SHOULD be different from the key used by Monit's HTTP server.

You will need a certificate with a "client" purpose (in OpenSSL it is "nsCertType=client") or with no explicit purpose. Otherwise your browser will not send the certificate.

Firefox requires certificates encoded in the PKCS12 format. If your client certificate file is PEM encoded, you will need to convert it to PKCS12.

You can use OpenSSL to convert a PEM encoded certificate to the PKCS12 format:

  openssl pkcs12 -export -in monit_client.pem \
          -out monit_client.p12 \
          -name "Monit"

Finally, you must import the certificate into your browser. In Firefox, go to Preferences->Advanced, select the Certificates tab and click on View Certificates. In the window that pops up, click on the Import button, then import the monit_client.p12 file.