Bug since upgrade and documentation

Bug since upgrade and documentation

Guillaume François
Hello,

Since we have upgraded from Monit 5.20.0 to 5.27.0 we have an issue with certificate verification.

It seems broken as it cannot manage to retrieve the certificate expiration and it warns about a self-signed certificate when it is not the case.

We are using the linux-x64 binary version from the website.

We have two rules:
------------------------------------------
if failed port 443 protocol https with ssl options {verify: enable} and certificate valid > 10 days for 5 cycles then alert
if failed port 443 protocol https request "/" with content ="xxxxxxx" for 5 cycles then alert
-------------------------------------------

We tried to change the part "with ssl options {verify: enable}" to "with ssl options {selfsigned: allow}" without any success.

Also regarding the documentation enhancement, we had to put the part "with ssl options {selfsigned: allow}" after the part 'request "/" with content ="xxxxxxx"' else Monit configuration syntax was failing. It would be good to provide a sample in documentation.

In the global configuration file, the ssl setting was set to

set ssl {
     verify     : enable,
}

We tried to add the new parameter "version" but it didn't solve the issue.

set ssl {
     version: auto,
     verify     : enable,
}

Could anyone provide some guidance for this case ?

Best Regards.

Re: Bug since upgrade and documentation

Guillaume François
To add some detail, we tried on another host OS (Ubuntu 20.04) while the problematic one is CentOS, and it was working fine.

Same binary but another OpenSSL stack probably.
-------------------------------------
This is Monit version 5.27.0
Built with ssl, with ipv6, with compression, with pam and with large files
Copyright (C) 2001-2020 Tildeslash Ltd. All Rights Reserved.
-------------------------------------

--------------------------------------
Remote Host '*******'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  port response time           114.394 ms to *******:443 type TCP/IP using TLS (certificate valid for 104 days) protocol HTTP
  data collected               Mon, 20 Jul 2020 16:30:06
-----------------------------------------

Best regards.


Re: Bug since upgrade and documentation

martinp@tildeslash.com
Hi,

Monit 5.27.0 enables just TLS 1.2 or later by default (even if the version is "auto"). It seems that the OpenSSL library on CentOS doesn't support it; you can enable e.g. TLS 1.1 explicitly this way:

     set ssl {
        version: tlsv11
     }


Best regards,
Martin





Re: Bug since upgrade and documentation

Guillaume François
Thanks Martin for the answer.

We tried with the "version: tlsv11" but it didn't solve the issue. To add more info, the target website is accepting TLS 1.0/1.1/1.2.

After further investigation, we discovered that the previous version of Monit was locally compiled on the host. We do the same for 5.27.0 and the issues with the certificate / TLS disappeared.

However, we still have an error in the Monit log file:
------------------------------------------------
error    : filesystem statistic error: cannot read /sys/class/block/auto.mount/stat -- No such file or directory
------------------------------------------------

From the output of "monit status", it doesn't seem to raise any issue to pull the statistics.

Best Regards,
Guillaume


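A small diagnostic to separate the two things this thread conflates: which TLS protocol versions the local OpenSSL build can actually negotiate with the target, and how many days the served certificate has left (the figure behind Monit's "certificate valid > 10 days" rule). This is an added example, not Monit's code or anything posted in the thread; the notAfter string and the fixed "now" are constructed sample values, and the host name is supplied by whoever runs it.

```python
import datetime
import socket
import ssl

# Constructed sample values, not from the thread: a notAfter in the format
# returned by SSLSocket.getpeercert()['notAfter'], and a fixed "now".
SAMPLE_NOT_AFTER = "Nov  2 12:00:00 2020 GMT"
SAMPLE_NOW = 1595262606  # 2020-07-20 16:30:06 UTC, in epoch seconds


def days_until_expiry(not_after, now=None):
    """Whole days left before the certificate's notAfter, i.e. the number
    behind Monit's 'certificate valid for N days'. `now` is epoch seconds."""
    expires = ssl.cert_time_to_seconds(not_after)  # parses the GMT format
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).timestamp()
    return int((expires - now) // 86400)


def certificate_rule_passes(not_after, min_days=10, now=None):
    """Equivalent of the rule 'certificate valid > 10 days': True when the
    check passes, False when Monit would count the cycle as failed."""
    return days_until_expiry(not_after, now) > min_days


def probe_tls_versions(host, port=443, timeout=5.0):
    """One verified handshake per protocol version, pinned with
    minimum_version == maximum_version, so a version the local OpenSSL
    build refuses shows up separately from a certificate verification error."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()  # verification and hostname check on
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    days = days_until_expiry(tls.getpeercert()["notAfter"])
                    results[ver.name] = f"ok ({tls.version()}, cert valid {days} days)"
        except ssl.SSLCertVerificationError as exc:
            results[ver.name] = f"certificate verification failed: {exc.verify_message}"
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[ver.name] = f"handshake failed: {exc}"
    return results


if __name__ == "__main__":
    import sys
    for name, outcome in probe_tls_versions(sys.argv[1]).items():
        print(f"{name:8s} {outcome}")
```

Running it on the monitored host from both the CentOS and the Ubuntu machine shows directly whether the difference is the OpenSSL stack (a version that fails on one box only) or the certificate chain (a verification error on both).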