HTTPS connection to mmonit

HTTPS connection to mmonit

Mr Subs
Hi

I am trying to configure and use mmonit for the first time. Version is "M/Monit 3.7.3 (C) 2009-2018 Tildeslash Ltd" and was downloaded yesterday.

I have configured server.xml to only accept https connections, but when I try to connect from my browser, I get the following messages

2019-04-30 17:18:59 SSL Connector: No host registered to accept secure connection for 172.31.24.86.
Please set the attributes; address and certificate for the <Host> in server.xml
which should process SSL requests directed at this interface


What is strange is that 172.31.24.86 is neither the address of my server OR my client - it is completely unknown to me (and a reverse lookup just tells me it is a private address).


I have tried with both the supplied mmonit.pem and a self-generated certificate, but I get the same error.

The bits of server.xml that I changed are:

<Connector scheme="https" address="*" port="8443" processors="10" secure="true" />
..
<Engine name="mmonit" defaultHost="my-hostname.com" fileCache="10MB">
..
<Host address="xx.xx.xx.xx" name="my-hostname.com" appBase="." certificate="conf/mmonit.pem" >

Any ideas on what I have misconfigured?

Thanks

Derek


--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Re: HTTPS connection to mmonit

Jan-Henrik Haukeland
> What is strange is that 172.31.24.86 is neither the address of my server OR my client - it is completely unknown to me (and a reverse lookup just tells me it is a private address).

172.31.24.86 is part of a private IP-range, like 192.168.0.0 and 10.0.0.0, and probably set up by the system you use or your network admin.

> I have tried with both the supplied mmonit.pem and a self-generated certificate, but I get the same error.
>
> The bits of server.xml that I changed are:
>
> <Connector scheme="https" address="*" port="8443" processors="10" secure="true" />
> ..
> <Engine name="mmonit" defaultHost="my-hostname.com" fileCache="10MB">
> ..
> <Host address="xx.xx.xx.xx" name="my-hostname.com" appBase="." certificate="conf/mmonit.pem" >
>
> Any ideas on what I have misconfigured?

When configuring SSL it is important that your hostname is in DNS; you can unfortunately not just invent a hostname here. The name attribute in <Host> (and defaultHost in <Engine>) must point to a real hostname in DNS. If "my-hostname.com" is not in DNS, try using your IP address instead. You must then access mmonit using https://<your-ip-address>/. The manual and the chapter about setting up M/Monit with SSL have more information: https://mmonit.com/documentation/mmonit_manual.pdf

Best regards

Re: HTTPS connection to mmonit

Jan-Henrik Haukeland

> On 1 May 2019, at 01:14, Jan-Henrik Haukeland <[hidden email]> wrote:
>
> You must then access mmonit using https://<your-ip-address>/

PS. Which of course kind of defies using SSL (where a certificate is for a domain/host name in DNS), but if you are using a self-signed certificate that might not be super important and you can as well use the IP-address directly. BTW, I forgot: as you configured M/Monit, the URL needs to include the port number also, so the URL will be https://172.31.24.86:8443/. Apparently your host running M/Monit has IP-address 172.31.24.86.

RE: HTTPS connection to mmonit

Jamie Burchell
If you already have SSH access to the server, you could also access the
web interface over SSH by using port forwarding.

This is great because the connection is encrypted (there's no need to mess
around with HTTPS or certificates), there's no need to open any additional
firewall ports and the web UI remains locked down from the public.

E.g:

ssh -L 2812:127.0.0.1:2812 your-server-ip

Then the web UI is available at 127.0.0.1:2821 in your browser.


Re: HTTPS connection to mmonit

Mr Subs
In reply to this post by Jan-Henrik Haukeland
Thanks for the advice. I have made some progress, but am now getting another error.

I changed server.xml, so the Host address="172.31.24.86" (which is the private IP address, even though I am connecting to it via its public IP address). The domain name is correct, and is public DNS.

Now, when connecting, mmonit -id reports:
2019-05-01 16:02:23 SSL read error [172.31.24.86] error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-05-01 16:02:23 SSL read error [172.31.24.86] error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-05-01 16:02:23 SSL read error [172.31.24.86] error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback

Any other ideas?

Thanks

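The three "SSL read error" lines reported by mmonit -id in the post above can be decoded and ranked so that the error worth investigating first stands out. This is an added example, not part of the original post or of M/Monit; it assumes the OpenSSL 1.x packed error-code layout (8-bit library, 12-bit function, 12-bit reason) and uses the log lines from the post as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the three log lines quoted in the post above.
SAMPLE_LOG = """\
2019-05-01 16:02:23 SSL read error [172.31.24.86] error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-05-01 16:02:23 SSL read error [172.31.24.86] error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-05-01 16:02:23 SSL read error [172.31.24.86] error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SSL read error \[(?P<addr>[^\]]+)\] "
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):(?P<reason>.+)$")

# Reason numbers from OpenSSL 1.x ssl.h, with what each tells a defender.
REASON_NOTES = {
    229: "handshake did not complete; review protocol, cipher and certificate setup",
    373: "client sent TLS_FALLBACK_SCSV (RFC 7507) on a downgraded retry; "
         "a consequence of an earlier failed attempt, not the root cause",
}
FALLBACK = 373

def unpack(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def parse(log_text):
    """Return one dict per 'SSL read error' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lib, func, reason = unpack(m["code"])
            events.append({"ts": m["ts"], "addr": m["addr"], "lib": lib,
                           "func": func, "reason": reason, "text": m["reason"]})
    return events

def triage(events):
    """Per address: count reasons and pick the error to investigate first."""
    report = {}
    for addr in sorted({e["addr"] for e in events}):
        mine = [e for e in events if e["addr"] == addr]
        counts = Counter(e["reason"] for e in mine)
        # A fallback rejection is only the lead if nothing else was logged.
        primary = next((e for e in mine if e["reason"] != FALLBACK), mine[0])
        report[addr] = {"counts": dict(counts), "primary": primary["text"],
                        "note": REASON_NOTES.get(primary["reason"], "unknown reason")}
    return report

if __name__ == "__main__":
    for addr, r in triage(parse(SAMPLE_LOG)).items():
        print(addr, r["counts"], "->", r["primary"], "|", r["note"])
```
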

Re: HTTPS connection to mmonit

Mr Subs
In reply to this post by Jamie Burchell
Jamie,

This looks interesting, but it is not something I have used before, so I have some questions:

1. My server is located in the cloud, so my client is not on the same network. Where does this port mapping occur - client or server?
2. How do I configure mmonit on my server?

Any advice welcome!

Thanks


Re: HTTPS connection to mmonit

Paul Theodoropoulos
In reply to this post by Mr Subs
Is there any chance you could share the actual URL you are using? If, as you mentioned, the server has public DNS and is in the cloud on a public machine, there's really no additional risk to sharing it here - within minutes of it being on the public internet, it will be probed relentlessly by bots and malefactors - the handful of readers of this list will pose no additional threat.

Working blind on the issue makes it much harder for others to assist. We can only guess at the failure modes for the most part.

-- 
Paul Theodoropoulos
www.anastrophe.com


RE: HTTPS connection to mmonit

Jamie Burchell
In reply to this post by Mr Subs
It doesn't matter where the server is as long as you can create an SSH
connection to it. Usually this is port 22 (on the server).
The software used on your client machine to create the ssh connection
depends on your operating system. For Linux, Mac and Windows Subsystem for
Linux ssh is already available to use as a command.

Once you've established a connection, local port 2812 on your client is
forwarded to remote port 2812 on your server, through the ssh tunnel.
In the monitrc config, you will need at least

set httpd port 2812
  use address localhost
  allow localhost

I can't comment on m/monit, I'm afraid, as I haven't used it.

Re: HTTPS connection to mmonit

Jan-Henrik Haukeland
In reply to this post by Mr Subs

> On 1 May 2019, at 18:06, Mr Subs <[hidden email]> wrote:
>
> I changed server.xml, so the Host address="172.31.24.86" (which is the private IP address, even though I am connecting to it via its public IP address). The domain name is correct, and is public DNS.

You cannot use the private address 172.31.24.86 as the Host address if you use a hostname. The IP address must be the same public IP-address associated with your hostname in DNS. I.e. in this setup

<Host address="xx.xx.xx.xx" name="hostname" appBase="." certificate="conf/mmonit.pem" >

"hostname" must have the public address "xx.xx.xx.xx" in DNS.



Re: HTTPS connection to mmonit

Paul Theodoropoulos
On 5/2/19 06:14, Jan-Henrik Haukeland wrote:

>> On 1 May 2019, at 18:06, Mr Subs [hidden email] wrote:
>>
>> I changed server.xml, so the Host address="172.31.24.86" (which is the private IP address, even though I am connecting to it via its public IP address). The domain name is correct, and is public DNS.
>
> You cannot use the private address 172.31.24.86 as the Host address if you use a hostname. The IP address must be the same public IP-address associated with your hostname in DNS. I.e. in this setup
>
> <Host address="xx.xx.xx.xx" name="hostname" appBase="." certificate="conf/mmonit.pem" >
>
> "hostname" must have the public address "xx.xx.xx.xx" in DNS.

That doesn't seem to be the case. My current configuration:

<Host name="mmonit.autonetmobile.net" appBase="." address="10.99.170.158" certificate="/etc/letsencrypt/live/mmonit.autonetmobile.net/merged.pem">

Works fine. The host name is mapped to the public IP address of the server. I'm using the current latest version of mmonit.

-- 
Paul Theodoropoulos
www.anastrophe.com
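The <Host> address question debated in the last two posts can be checked against a server.xml offline before restarting M/Monit. This is an added example, not code from the thread or from M/Monit; it assumes a <Host> serves the interface named in its address attribute (as the "No host registered" log message earlier in the thread describes), and the <Server>/<Service> wrappers, the 203.0.113.10 address and the injected resolver are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in this thread. The
# <Server>/<Service> wrappers and the {addr} placeholder are assumptions.
SERVER_XML = """\
<Server><Service>
  <Connector scheme="https" address="*" port="8443" processors="10" secure="true" />
  <Engine name="mmonit" defaultHost="my-hostname.com" fileCache="10MB">
    <Host address="{addr}" name="my-hostname.com" appBase="."
          certificate="conf/mmonit.pem" />
  </Engine>
</Service></Server>
"""

def check(server_xml, local_addr, resolve):
    """Findings for TLS connections that arrive on interface local_addr.

    resolve(name) returns a list of address strings; it is injected so the
    check runs offline (wrap socket.getaddrinfo for a live lookup).
    Assumption: a <Host> serves the interface named in its address attribute.
    """
    root = ET.fromstring(server_xml)
    hosts = root.findall(".//Host")
    findings = []
    serving = [h for h in hosts if h.get("address") == local_addr]
    if not serving:
        findings.append("no-host-for-interface")
    for h in serving:
        if not h.get("certificate"):
            findings.append("host-without-certificate")
        dns = resolve(h.get("name"))
        if not dns:
            findings.append("name-not-in-dns")
        elif local_addr not in dns and ipaddress.ip_address(local_addr).is_private:
            # Typical cloud NAT: DNS has the public address, the NIC a private one.
            findings.append("nat-private-interface")
    for eng in root.findall(".//Engine"):
        if eng.get("defaultHost") not in [h.get("name") for h in hosts]:
            findings.append("defaulthost-has-no-host")
    return findings

def fake_dns(name):
    """Constructed resolver: the name maps to a documentation-range address."""
    return {"my-hostname.com": ["203.0.113.10"]}.get(name, [])

if __name__ == "__main__":
    for addr in ("203.0.113.10", "172.31.24.86"):
        print(addr, check(SERVER_XML.format(addr=addr), "172.31.24.86", fake_dns))
```
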
