Client certificates


Client certificates

Bryan Harris
Hi folks,

I am using the Monit package from RHEL 7: monit-5.14-1.el7.x86_64, and running into an issue with client certificate authentication.

I've tried two methods to set up client certificates, and each way I get the following error message in the monit log.  The browser never asked me to select a certificate.

SSL: client didn't send a client certificate

In my first attempt, I exported one of my CAC certificates (it does not allow exporting the key, just the certificate).  It comes in DER format, so I converted to PEM and gave that file to monit.  I also used the ALLOWSELFCERTIFICATION option.

OpenSSL commands:

cd /etc/pki/tls/certs
openssl x509 -in mycert.der -inform der -out mycert.cer -outform pem

Monit config like so:
set httpd port 443 and
    use address 192.168.80.130  # only accept connection from localhost
    ssl enable
    pemfile /etc/pki/tls/certs/server.cer
    clientpemfile /etc/pki/tls/certs/mycert.cer
    allowselfcertification
    allow admin:monit

The browser did not ask me to supply a certificate and monit gave the error.

SSL: client didn't send a client certificate

In the next situation I generated my own CA and used it to sign a certificate.  That caused the same result: the browser never asked for a cert, and monit gave the error above.

OpenSSL commands:

cd /etc/pki/tls
openssl genrsa -out private/ca.key 4096
openssl req -new -x509 -days 365 -key private/ca.key -out certs/ca.cer
openssl x509 -req -days 365 -in misc/test.csr -CA certs/ca.cer -CAkey private/ca.key -set_serial 01 -out certs/test.cer

Convert to p12 so I can import into Opera/Firefox/Chrome:

openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"

Monit config like so:

set httpd port 443 and
    use address 192.168.80.130  # only accept connection from localhost
    ssl enable
    pemfile /etc/pki/tls/certs/server.cer
    clientpemfile /etc/pki/tls/certs/test.cer
    allowselfcertification
    allow admin:monit

Anytime I try to connect (I have tried a few browsers) I only get the error message in the logs.  But the browser never lets me choose any cert I want to send.  It seems as if Monit is not asking for a cert in the first place.

Does anybody have any ideas why this might happen?

Any help is appreciated.

V/r,
Bryan

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Re: Client certificates

martinp@tildeslash.com
Hi,

please upgrade Monit - there were problems with client-certificate-based authentication, fixed in Monit 5.15.0. We recommend the latest release (5.22.0).

Best regards,
Martin


Re: Client certificates

Bryan Harris
I see.  Thanks for the help, I will give that a try first.  I do wish the EPEL folks kept newer versions but they are sometimes behind on things.

Re: Client certificates

Bryan Harris
Well, I gave it a try (building 5.22.0 from source) and still a similar issue but a different error message (more descriptive now).  I attempted with a couple of different browsers.



Any ideas what I got wrong?

[root@right rpmbuild]# monit -Iv
Adding credentials for user 'admin'
Runtime constants:
 Control file       = /etc/monitrc
 Log file           = /var/log/monit.log
 Pid file           = /run/monit.pid
 Id file            = /root/.monit.id
 State file         = /root/.monit.state
 Debug              = True
 Log                = True
 Use syslog         = False
 Is Daemon          = True
 Use process engine = True
 Limits             = {
                    =   programOutput:     512 B
                    =   sendExpectBuffer:  256 B
                    =   fileContentBuffer: 512 B
                    =   httpContentBuffer: 1024 kB
                    =   networkTimeout:    5 s
                    =   programTimeout:    5 m
                    =   stopTimeout:       30 s
                    =   startTimeout:      30 s
                    =   restartTimeout:    30 s
                    = }
 On reboot          = start
 Poll time          = 30 seconds with start delay 0 seconds
 Start monit httpd  = True
 httpd bind address = 192.168.80.130
 httpd portnumber   = 443
 httpd encryption   = selfsigned: allow, pemfile: /etc/pki/tls/certs/server.cer, clientpemfile: /etc/pki/tls/certs/test.cer
 httpd signature    = Enabled
 httpd auth. style  = Basic Authentication

The service list contains the following entries:

System Name           = right.laptop
 Monitoring mode      = active
 On reboot            = start
 Swap usage limit     = if greater than 25.0% then alert
 Memory usage limit   = if greater than 75.0% then alert
 CPU usage limit      = if greater than 95.0% for 10 cycles then alert
 Load avg. (5min)     = if greater than 2.0 then alert
 Load avg. (1min)     = if greater than 4.0 then alert

-------------------------------------------------------------------------------
pidfile '/run/monit.pid' does not exist
Starting Monit 5.22.0 daemon with http interface at [192.168.80.130]:443
Starting Monit HTTP server at [192.168.80.130]:443
Monit HTTP server started
'right.laptop' Monit 5.22.0 started
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 0.0%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.1]
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 22.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 25.6%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 15.8%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.5]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.8]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 3.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.6%]
'right.laptop' cpu usage check succeeded [current cpu usage = 5.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 7.7%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 7.2%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
^CShutting down Monit HTTP server
Monit HTTP server stopped
Monit daemon with pid [4010] stopped
'right.laptop' Monit 5.22.0 stopped



On Thu, Apr 27, 2017 at 2:52 PM, Bryan Harris <[hidden email]> wrote:
Well I'm not sure if I did it right.  Here is what I did.

yumdownloader --source monit
cd /root/rpmbuild
yum groupinstall "Development Tools"
yum install openssl-devel pam-devel

Now I edit the 5.14 version in monit.spec instead to say 5.22.0.  And I have to download the new source file because yumdownloader got the old one.

Then after that I could do a rpmbuild -ba monit.spec and the build succeeds to make a package.  I will have to test out the build since right now I am just about to get off work and drive home.  Hopefully it will work fine.

I don't know if it's right or not.  I guess I shall see.

V/r,
Bryan

On Thu, Apr 27, 2017 at 2:38 PM, SZÉPE Viktor <[hidden email]> wrote:
Hello Brian!

Try rebuilding monit:
http://pkgs.fedoraproject.org/cgit/rpms/monit.git/

Contact me if you need help.


All the best!
(contacts below)


Idézem/Quoting Bryan Harris <[hidden email]>:


I see.  Thanks for the help, I will give that a try first.  I do wish the
EPEL folks kept newer versions but they are sometimes behind on things.


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület


Re: Client certificates

Bryan Harris
Hi all,

I seem to have found a way to get the certificate to appear in the browser pop-up dialog box.  It only appears in the browser if I also put the CA into the PEM file that I feed to Monit.  Below is how I got it to display, and I will attach a capture (not sure if mailing list accepts attachments).  Unfortunately, when I select the certificate and attempt to login it still fails with another error message.

cat test.cer ca.cer > monit.cer

Then in monitrc:

set httpd port 443
    with SSL {
        pemfile:       /etc/pki/tls/certs/server.cer
        clientpemfile: /etc/pki/tls/certs/monit.cer
        selfsigned:    allow
    }
    allow admin:monit

Here is the error.

SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Thanks for any help.

V/r,
Bryan


Attachment: testCertCapture.PNG (100K)

Re: Client certificates

Bryan Harris
Hi all,

I think I have taken my attempt about as far as my abilities allow me to go.  I've tried a few methods but I cannot get client certificate authentication to work.  Has anyone else been able to get this to work?  Is anyone using this feature on the current version of Monit?

Here's what I've tried for Monit versions:

* the version that comes with RHEL 6 EPEL on a RHEL 6 VM (which is v5.14)
* the version that comes with RHEL 7 EPEL on a RHEL 7 VM (also v5.14)
* 5.22.0 compiled using same EPEL SPEC file as above on a RHEL 7 VM
* 5.22.0 x86_64 pre-built binaries which I downloaded from mmonit.com website on RHEL 7 VM
* 5.22.0 built from slackbuilds on a Slackware 14.2 VM
* And somewhere I got 5.23.0 and built that --- maybe from the git repo.  My memory is fuzzy.  This was on Slackware also.

Here's my approach for the server & client certificate.  Actual commands used are below.

Note: everything is in PEM format for Monit config

* pemfile config option: points to combo of key + cert for server cert (self signed, no ca)
* clientpemfile config option: points to cert only of client cert (self signed, no ca)
* selfsigned config option: is set to allow

After above steps, I create the p12 file for the client cert and import it into my browser.

Note: one thing I have also tried (which I don't think is needed) is to also put the private key into the clientpemfile similar to the way it is done for the pemfile.  I don't think that is needed though, but I tried it and got same results.

When I fire up the browser and point to my VM, I get the certificate dialog box.  When I choose the certificate I see these lines in the debug output of monit.

SSL: read error -- error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL client certificate verification error: error number 1

If I remove the clientpemfile option from the monit configuration and restart monit, then the SSL connection works fine (except that I have to type a user/password instead of using a client certificate).

Is this possibly a bug?

Here are the ways I'm generating certificates.  If this is incorrect --- what is the right way?

SERVER CERT
cd /etc/ssl
openssl req -x509 -newkey rsa:4096 -keyout private/monit.pem -out certs/monit.pem -days 365 -nodes
cat private/monit.pem certs/monit.pem > private/monit-combined.pem
-> And the pemfile option points to monit-combined.pem.

CLIENT CERT
openssl req -x509 -newkey rsa:4096 -keyout private/test.key -out certs/test.cer -days 365 -nodes
-> And the clientpemfile option points to test.cer

CONVERT FOR BROWSER
openssl pkcs12 -export -in certs/test.cer -inkey private/test.key -out /home/sqltest/test.p12 -name "test"
-> And the p12 file is imported into browser.

Any help is appreciated of course.

V/r,
Bryan
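Added example, not code from the thread or from Monit. It carries the procedure above (server cert, client cert, PKCS#12 for the browser) through with a real CA instead of two unrelated self-signed certificates, and it also covers the finding in the 6:55 PM message below that the CA has to be in the file given to Monit: the client certificate is checked with `openssl verify` against the exact bundle that `clientpemfile` will point at, which is the trust store Monit uses to check the certificate the browser presents. Every name here (the CNs, the file names, the `WORK` directory, the `changeit` PKCS#12 password) is an assumption made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Monit): build the PKI a Monit clientpemfile
# setup needs and check the client certificate against the CA bundle before editing
# monitrc. Assumes a working `openssl` binary; all names and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Run a command quietly; its exit status still propagates (and aborts under set -e).
q() { "$@" >/dev/null 2>&1; }

make_pki() {
    d="$WORK"

    # 1. CA: key + CSR, self-signed with explicit CA extensions (an extfile works on
    #    OpenSSL 1.0.x as well as 1.1/3.x, unlike -addext).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    q openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.csr" -subj "/CN=Example Monit CA"
    q openssl x509 -req -days 365 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.pem"

    # 2. Server certificate signed by the CA. Monit's pemfile wants key + cert in one PEM.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:monit.example\n' > "$d/server.ext"
    q openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=monit.example"
    q openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -extfile "$d/server.ext" -out "$d/server.pem"
    cat "$d/server.key" "$d/server.pem" > "$d/server-combined.pem"

    # 3. Client certificate signed by the same CA, packed as PKCS#12 for the browser
    #    (the CA goes into the .p12 too, so the browser has the full chain).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    q openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" -subj "/CN=bryan"
    q openssl x509 -req -days 365 -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -extfile "$d/client.ext" -out "$d/client.pem"
    q openssl pkcs12 -export -in "$d/client.pem" -inkey "$d/client.key" -certfile "$d/ca.pem" \
        -name "bryan" -passout pass:changeit -out "$d/client.p12"

    # 4. A self-signed client certificate with no CA, for contrast (the thread's first attempt).
    q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$d/selfsigned.key" \
        -out "$d/selfsigned.pem" -subj "/CN=selfsigned"

    # 5. clientpemfile: the issuing CA certificate(s). This is what Monit verifies the
    #    presented client certificate against, and the issuer DNs in it are what the
    #    server advertises in its CertificateRequest, which the browser uses to decide
    #    which certificates to offer in its dialog.
    cp "$d/ca.pem" "$d/clientpemfile.pem"
}

# Prints OK if the leaf certificate in $1 chains to the clientpemfile bundle, FAIL otherwise.
# (grep on ": OK" rather than the exit status, which OpenSSL < 1.0.2 did not set on failure.)
verify_client() {
    if openssl verify -CAfile "$WORK/clientpemfile.pem" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Issuer DN of a certificate: the value the browser matches against the advertised CA list.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
# Subject DN of a certificate.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# Run as a script: build everything and report what monitrc should point at.
if [ "${1:-}" = "run" ]; then
    make_pki
    echo "pemfile:        $WORK/server-combined.pem"
    echo "clientpemfile:  $WORK/clientpemfile.pem  (subject: $(subject_of "$WORK/ca.pem"))"
    echo "client issuer:  $(issuer_of "$WORK/client.pem")"
    echo "client.pem:     $(verify_client "$WORK/client.pem")"
    echo "selfsigned.pem: $(verify_client "$WORK/selfsigned.pem")"
fi
```

Run it with `sh build-pki.sh run`; the self-signed certificate reports FAIL against the bundle while the CA-issued one reports OK, which is the difference the thread is chasing. Once Monit is restarted with the two files, `openssl s_client -connect 192.168.80.130:443 -cert "$WORK/client.pem" -key "$WORK/client.key" -CAfile "$WORK/ca.pem"` shows the handshake from the client side (look for "Acceptable client certificate CA names" in its output) without any browser involved.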



On Thu, Apr 27, 2017 at 6:55 PM, Bryan Harris <[hidden email]> wrote:
Hi all,

I seem to have found a way to get the certificate to appear in the browser pop-up dialog box.  It only appears in the browser if I also put the CA into the PEM file that I feed to Monit.  Below is how I got it to display, and I will attach a capture (not sure if mailing list accepts attachments).  Unfortunately, when I select the certificate and attempt to login it still fails with another error message.

cat test.cer ca.cer > monit.cer

Then in monitrc:

set httpd port 443
    with SSL {
        pemfile:       /etc/pki/tls/certs/server.cer
        clientpemfile: /etc/pki/tls/certs/monit.cer
        selfsigned:    allow
    }
    allow admin:monit

Here is the error.

SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: cannot get application dataSSL accept error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Thanks for any help.

V/r,
Bryan

On Thu, Apr 27, 2017 at 4:15 PM, Bryan Harris <[hidden email]> wrote:
Well, I gave it a try (building 5.22.0 from source) and still a similar issue but a different error message (more descriptive now).  I attempted with a couple of different browsers.

Any ideas what I got wrong?

[root@right rpmbuild]# monit -Iv
Adding credentials for user 'admin'
Runtime constants:
 Control file       = /etc/monitrc
 Log file           = /var/log/monit.log
 Pid file           = /run/monit.pid
 Id file            = /root/.monit.id
 State file         = /root/.monit.state
 Debug              = True
 Log                = True
 Use syslog         = False
 Is Daemon          = True
 Use process engine = True
 Limits             = {
                    =   programOutput:     512 B
                    =   sendExpectBuffer:  256 B
                    =   fileContentBuffer: 512 B
                    =   httpContentBuffer: 1024 kB
                    =   networkTimeout:    5 s
                    =   programTimeout:    5 m
                    =   stopTimeout:       30 s
                    =   startTimeout:      30 s
                    =   restartTimeout:    30 s
                    = }
 On reboot          = start
 Poll time          = 30 seconds with start delay 0 seconds
 Start monit httpd  = True
 httpd bind address = 192.168.80.130
 httpd portnumber   = 443
 httpd encryption   = selfsigned: allow, pemfile: /etc/pki/tls/certs/server.cer, clientpemfile: /etc/pki/tls/certs/test.cer
 httpd signature    = Enabled
 httpd auth. style  = Basic Authentication

The service list contains the following entries:

System Name           = right.laptop
 Monitoring mode      = active
 On reboot            = start
 Swap usage limit     = if greater than 25.0% then alert
 Memory usage limit   = if greater than 75.0% then alert
 CPU usage limit      = if greater than 95.0% for 10 cycles then alert
 Load avg. (5min)     = if greater than 2.0 then alert
 Load avg. (1min)     = if greater than 4.0 then alert

-------------------------------------------------------------------------------
pidfile '/run/monit.pid' does not exist
Starting Monit 5.22.0 daemon with http interface at [192.168.80.130]:443
Starting Monit HTTP server at [192.168.80.130]:443
Monit HTTP server started
'right.laptop' Monit 5.22.0 started
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 0.0%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 1.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.1]
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 22.1%]
'right.laptop' cpu usage check succeeded [current cpu usage = 25.6%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 15.8%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.5]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.8]
SSL: read error -- error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: write error -- error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
HttpRequest: error -- client [192.168.80.1]: HTTP/1.0 400 No request found
SSL accept error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 3.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.5]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 21.6%]
'right.laptop' cpu usage check succeeded [current cpu usage = 5.1%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 7.7%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.4]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.3]
'right.laptop' swap usage check succeeded [current swap usage = 0.0%]
'right.laptop' mem usage check succeeded [current mem usage = 17.7%]
'right.laptop' cpu usage check succeeded [current cpu usage = 7.2%]
'right.laptop' loadavg(5min) check succeeded [current loadavg(5min) = 0.3]
'right.laptop' loadavg(1min) check succeeded [current loadavg(1min) = 0.2]
^CShutting down Monit HTTP server
Monit HTTP server stopped
Monit daemon with pid [4010] stopped
'right.laptop' Monit 5.22.0 stopped

On Thu, Apr 27, 2017 at 2:52 PM, Bryan Harris <[hidden email]> wrote:
Well I'm not sure if I did it right.  Here is what I did.

yumdownloader --source monit
cd /root/rpmbuild
yum groupinstall "Development Tools"
yum install openssl-devel pam-devel

Now I edit the 5.14 version in monit.spec instead to say 5.22.0.  And I have to download the new source file because yumdownloader got the old one.

Then after that I could run rpmbuild -ba monit.spec and the build succeeds in making a package.  I will have to test out the build since right now I am just about to get off work and drive home.  Hopefully it will work fine.

I don't know if it's right or not.  I guess I shall see.

V/r,
Bryan

On Thu, Apr 27, 2017 at 2:38 PM, SZÉPE Viktor <[hidden email]> wrote:
Hello Bryan!

Try rebuilding monit:
http://pkgs.fedoraproject.org/cgit/rpms/monit.git/

Contact me if you need help.


All the best!
(contacts below)


Idézem/Quoting Bryan Harris <[hidden email]>:


I see.  Thanks for the help, I will give that a try first.  I do wish the
EPEL folks kept newer versions but they are sometimes behind on things.


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general