httpd - set public/private key separately

Issue #475 resolved
Etienne Bruines created an issue

With services like letsencrypt/certbot, it has become more and more common to have one pem file containing the full chain of the public keys (meaning the public key of the certificate, the public key of the CA and optionally the public key of the root), and another pem containing the private key of the certificate. With these services, they are expected to change every 30-60 days (automatically). (And I'm not sure if setting up a cron-job to "merge" these two, is the best way to go.)

Would be nice if we'd be able to set these two files separately, like you can do with nginx for example:

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

Comments (2)

  1. Jason Luros

    I was struggling with this problem, too. I've created a renewal cron job that runs weekly that copies the contents of the private key and public keys as described above. The specific section is:

    for dir in $(ls -d /etc/letsencrypt/live/*); do
        cat $dir/privkey.pem $dir/fullchain.pem > $dir/fullkeychain.pem
        chmod 0700 $dir/fullkeychain.pem
  2. Tildeslash repo owner
    • edited description
    • changed status to resolved

    fixed in monit 5.27.0, snip from changelog:

    New: Add support for split certificate chain and key for the monit HTTP interface. Thanks to Lutz Mader for patch. Example:
     set httpd
         port 2812
         with ssl {
            pemchain: /etc/ssl/certs/monit.chain.pem
            pemkey: /etc/ssl/certs/monit.key.pem
         allow myuser:mypassword
  3. Log in to comment