httpd - set public/private key separately

Issue #475 resolved
Etienne Bruines created an issue

With services like letsencrypt/certbot, it has become more and more common to have one pem file containing the full chain of the public keys (meaning the public key of the certificate, the public key of the CA and optionally the public key of the root), and another pem containing the private key of the certificate. With these services, they are expected to change every 30-60 days (automatically). (And I'm not sure if setting up a cron-job to "merge" these two is the best way to go.)

Would be nice if we'd be able to set these two files separately, like you can do with nginx for example:

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Comments (2)

  1. Jason Luros

    I was struggling with this problem, too. I've created a renewal cron job that runs weekly that copies the contents of the private key and public keys as described above. The specific section is:

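    #!/bin/bash
    # Create the combined file owner-only from the start (no world-readable window).
    umask 077
    for dir in /etc/letsencrypt/live/*/; do
        # Private key first, then the certificate chain, in a single PEM file.
        cat "${dir}privkey.pem" "${dir}fullchain.pem" > "${dir}fullkeychain.pem"
        chmod 0600 "${dir}fullkeychain.pem"
    done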
    
  2. Tildeslash repo owner
    • edited description
    • changed status to resolved

    Fixed in monit 5.27.0, snip from changelog:

    New: Add support for split certificate chain and key for the monit HTTP interface. Thanks to Lutz Mader for patch. Example:

    set httpd
        port 2812
        with ssl {
            pemchain: /etc/ssl/certs/monit.chain.pem
            pemkey: /etc/ssl/certs/monit.key.pem
        }
        allow myuser:mypassword
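
A pre-flight check for the split files, as an added example that is not part of the issue thread or the monit project: it verifies that the file given to `pemchain` holds certificates and no key material, and that the file given to `pemkey` holds a private key accessible only to its owner. The function name `check_split_pem` is hypothetical, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not monit's own code. Assumes GNU stat (Linux).
# Usage: check_split_pem CHAIN_FILE KEY_FILE
# Returns 0 when the pair looks safe to reference from pemchain/pemkey,
# otherwise prints each finding to stderr and returns 1.
check_split_pem() {
    csp_chain=$1
    csp_key=$2
    csp_rc=0

    for csp_f in "$csp_chain" "$csp_key"; do
        if [ ! -r "$csp_f" ]; then
            echo "missing or unreadable: $csp_f" >&2
            return 1
        fi
    done

    # The chain file must carry at least one certificate ...
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$csp_chain"; then
        echo "no certificate in chain file: $csp_chain" >&2
        csp_rc=1
    fi
    # ... and no key material (e.g. a leftover combined key+chain file).
    if grep -q -e 'PRIVATE KEY-----' "$csp_chain"; then
        echo "private key found in chain file: $csp_chain" >&2
        csp_rc=1
    fi

    # The key file must actually hold a private key.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$csp_key"; then
        echo "no private key in key file: $csp_key" >&2
        csp_rc=1
    fi

    # No group/other access on the key; -L follows symlinks to the real file.
    csp_mode=$(stat -L -c '%a' "$csp_key")
    if [ $(( 0$csp_mode & 077 )) -ne 0 ]; then
        echo "key file mode $csp_mode is too open: $csp_key" >&2
        csp_rc=1
    fi

    return "$csp_rc"
}
```

Because symlinks are followed, the function can be pointed at the `fullchain.pem` and `privkey.pem` links under `/etc/letsencrypt/live/`.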
    