How to use monit with ssl
=========================

File information:
 
   @author Christian Hopp, <chopp@iei.tu-clausthal.de>

Where to get openssl:
---------------------

You can get the newest version of openssl at:

   http://www.openssl.org

In many cases your operating system already has a binary version of
openssl installed.


How do I turn on ssl support in monit:
--------------------------------------

To start monit's http server with ssl support, use the standard SET
HTTPD statement and add the keywords SSL ENABLE and specify the
location of the PEM encoded server certificate. This file should
contain the server's private key and certificate (see also: Generation
of a "pemfile").

  SET HTTPD PORT 2812
      SSL ENABLE
      PEMFILE  /var/certs/monit.pem
      ADDRESS localhost
      ALLOW admin:bar
      ALLOW adminscomp.network.com

Start monit and connect to the monit http server over SSL via this
url: https://localhost:2812/

-

You may also utilize ssl to allow monit to test a network connection
to a ssl enabled server. To do so, simply replace the TCP token with
the TCPSSL token. For instance, to check a web server running over ssl
(https) you can use the following command:

check process https with pidfile /var/run/httpds.pid
 if failed port 443 type tcpssl protocol http then alert
 alert root@network.com

Port 443 is the standard HTTPS port.

-

You can also setup monit to only allow clients with a certain
certificate. In other words, if a browser wants to connect to monit,
the browser will need to present a certificate known by monit. If it
is not known, monit will not accept the connection. The certificate
obtained from the client (browser) is checked against certificates in
a database file. This database file can be specified via the
CLIENTPEMFILE statement. It might look like this:

  SET HTTPD PORT 2812
      SSL ENABLE 
      PEMFILE  /var/certs/monit.pem
      CLIENTPEMFILE  /var/certs/monit-client.pem
      ADDRESS localhost
      ALLOW admin:bar
      ALLOW adminscomp.network.com

The database file contains client certificates which are allowed to
access the monit httpd server.

-

A certificate may also be self-signed. Normally a self-signed
certificate is not allowed, but you may explicit allow it by using the
ALLOWSELFCERTIFICATION statement.

-

If you want to switch off SSL support for a while you may replace the
ENABLE keyword with DISABLE (without having to remove any other SSL
statements in the monit control file). Like so:

  SET HTTPD PORT 2812
      SSL DISABLE
      PEMFILE  /var/certs/monit.pem
      CLIENTPEMFILE  /var/certs/monit-client.pem
      ALLOWSELFCERTIFICATION
      ADDRESS localhost
      ALLOW admin:bar
      ALLOW adminscomp.network.com

-

Finally, an overview of the http with ssl statement in monit:

  SET HTTPD [PORT portnumber]
      [SSL [ENABLE|DISABLE]
       PEMFILE filename
       [CLIENTPEMFILE  filename]]
      ALLOWSELFCERTIFICATION
      ADDRESS hostname
      ALLOW [user:passwd|host]
      [ALLOW ...]



How do I get my client certificate into a browser:
--------------------------------------------------

Here, the tricky part starts because we are dealing with a program
other than monit. (-:

First, it is not just the certificate, you also have to provide the
private key of the certificate. This key SHOULD be different from the
key used by the monit's http server.

You will need a key with a "client" purpose (in openssl it is
"nsCertType=client") or a key with no explicit purpose. Otherwise your
browser will not send the certificate.

Netscape and its relatives (like Galeon or Mozilla) likes certificates
encoded in the PKCS12 format. If you have your client certificate file
PEM encoded you will need to convert it to PKCS12.

So how do you convert a PEM encoded certificate to the PKCS12 format
and import it into your browser? Simply use the openssl tool to
convert it:

openssl pkcs12 -export -in monit_client.pem
                       -out monit_client.p12 \
                       -name "Monit" 

Finally you must import the certificate into your browser. In mozilla
you should use: Edit->Preferences->Privacy&Security, click on the
Manage Certificate button and in the window that pops up, click on the
Import button, then import the monit_client.p12 file.



I have turned off client certification but monit still complains:
-----------------------------------------------------------------

If you turn of client certification in monit and a client is sending a
certificate then the monit server may complain with an error like
this:

[MET Nov  4 14:41:10] SSL VERIFY ERROR: depth=0, error=[20] 
  'unable to get local issuer certificate': foo Subject
[MET Nov  4 14:41:10] HTTPD connection denied!
[MET Nov  4 14:41:10] Accept with SSL service has failed!
[MET Nov  4 14:41:10] http server: Cannot establish SSL connection -- Error 0

This simply means that the client provided a cert but monit wasn't
able to verify it. You can solve this by:

1.) Configure your client not to send this certificate (e.g. delete it
    from the Netscape's "Your Certificates".

2.) Turn on client certification and provide the certificate plus all
    necessary CA certificates to monit in X.509 format (as pemfile).



But... but... openssl had so many problems lately:
--------------------------------------------------

First of all, you can of course disable all ssl support in monit and
run monit without ssl if you are in doubt. If you want to build monit
without any SSL support, just run configure with

  ./configure --without-ssl

If monit was already compiled with ssl support you don't need to use
it if you don't want to.  Simply use

  SET HTTPD PORT <port#>

instead of

  SET HTTPD PORT <port#>
	SSL [ENABLE]
	PEMFILE <FILE>

And remember, for security related software it is always wise to keep
it up to date. You should also keep an eye on advisories from cert
(CA) and other sources.



Generation of a "pemfile":
--------------------------

First generate an openssl configuration (or if you have one use
it). It might look like this... IT IS JUST AN EXAMPLE!!!!! (-:

----- BEGIN:monit.cnf -----
# create RSA certs - Server

RANDFILE = ./openssl.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = MO

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Monitoria

localityName                    = Locality Name (eg, city)
localityName_default            = Monittown

organizationName                = Organization Name (eg, company)
organizationName_default        = Monit Inc.

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Dept. of Monitoring Technologies

commonName                      = Common Name (FQDN of your server)
commonName_default              = server.monit.mo

emailAddress                    = Email Address
emailAddress_default            = root@monit.mo

[ cert_type ]
nsCertType = server
----- END:monit.cnf -----

In order to generate the actual pemfile just run these commands:
 
# Generates the private key and the certificate
/usr/local/bin/openssl req -new -x509 -days 365 -nodes \
        -config ./monit.cnf -out /var/certs/monit.pem \
        -keyout /var/certs/monit.pem

# Generates the  Diffie-Hellman Parameters
/usr/local/bin/openssl gendh 512 >> /var/certs/monit.pem

# Prints out the certificate information
/usr/local/bin/openssl x509 -subject -dates -fingerprint -noout \
                -in /var/certs/monit.pem



How do I learn more about openssl:
----------------------------------

First have a look at the original documentation at openssl.org:

  http://www.openssl.org/docs/

I particularly like this documentation when it comes to certs:

  http://tirian.magd.ox.ac.uk/~nick/openssl-certs/


Have fun...! (-: