certificate check fails after update to 5.21
This check has status "failed" since upgrade to monit 5.21, although the certificate is valid till 2019. With monit 5.20 it works as expected.

    check process postfix pidfile /var/spool/postfix/pid/master.pid
      if failed host localhost port 25 protocol smtps certificate valid > 30 days for 3 cycles then alert

    [x@y~]$ openssl s_client -connect localhost:25 -starttls smtp | openssl x509 -enddate -noout
    depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify return:1
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = DE, ST = Baden-W\C3\BCrttemberg, L = Durmersheim, O = EUNETIC GmbH, CN = EuropeanSSL Server CA 2
    verify return:1
    depth=0 OU = Domain Control Validated, OU = Provided by EUNETIC GmbH, OU = EuropeanSSL Single, CN = bsmtp.telekom.at
    verify return:1
    250 8BITMIME
    notAfter=Jul 13 23:59:59 2019 GMT

    [x@y~]$ monit status postfix
    Monit 5.21.0 uptime: 1h 2m

    Process 'postfix'
      status                       Timestamp failed
      monitoring status            Monitored
      monitoring mode              active
      on reboot                    start
      pid                          644
      parent pid                   1
      uid                          0
      effective uid                0
      gid                          0
      uptime                       37d 1h 45m
      threads                      1
      children                     10
      cpu                          0.0%
      cpu total                    0.0%
      memory                       0.1% [2.2 MB]
      memory total                 2.9% [53.3 MB]
      disk read                    0 B/s [2.4 MB total]
      disk write                   0 B/s [422.8 MB total]
      port response time           11.231 ms to localhost:25 type TCP/IP using TLS (certificate valid for 0 days) protocol SMTP
      data collected               Thu, 09 Mar 2017 10:39:29

Comments (9)
-
reporter After adding the following option monit says the certificate is self signed:

    set ssl options {
      verify: enable
      version: tlsv12
    }

    [CET Mar 9 11:14:43] error : SSL: read error -- error:14092072:SSL routines:ssl3_get_server_hello:bad message type
    [CET Mar 9 11:14:43] error : SMTP: Error receiving data from the mailserver -- Success
    [CET Mar 9 11:14:43] error : 'postfix' failed protocol test [SMTP] at [localhost]:25 [TCP/IP TLS] -- SSL server certificate verification error: self signed certificate in certificate chain
    [CET Mar 9 11:14:43] error : 'postfix' certificate expiry in 0 days matches check limit [valid > 30 days]

-
repo owner Thank you for the data. Is it possible to get access to that mailserver's port so we can test?
-
reporter You should be able to connect to bsmtp.telekom.at on port 25 or 587
-
repo owner One more minor note regarding formatting: please indent text like configuration and logs with four spaces ... it then displays as a monospace font block, otherwise it is displayed as a single line.
Thanks :)
-
repo owner - changed status to resolved
Fixed Issue #570: if the connection test requires STARTTLS, the certificate valid days test was broken. → <<cset 26d2222a2039>>
-
repo owner Thanks for the data, the problem is fixed. You can get and compile the development snapshot this way:

    wget https://bitbucket.org/tildeslash/monit/get/master.tar.gz
    tar -xzf master.tar.gz
    cd tildeslash*
    ./bootstrap
    ./configure
    make

(or apply the patch from https://bitbucket.org/tildeslash/monit/commits/26d2222a2039 to the monit-5.21.0 source code ... one line of code needs to be moved)
-
running on CentOS Linux release 7.2.1511 (Core)
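
An independent cross-check of the `certificate valid > 30 days` rule over STARTTLS, added here as an example; it is not monit's code and not part of the original thread. The function names are hypothetical, and the sample timestamp assumes the `data collected` time in the report is CET (UTC+1), as the log prefix suggests.

```python
import smtplib
import ssl
from datetime import datetime, timezone


def days_left(not_after: str, now: datetime) -> int:
    """Whole days between `now` and an OpenSSL-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     timezone.utc)
    return (expires - now).days


def expiry_ok(not_after: str, now: datetime, min_days: int = 30) -> bool:
    """Same shape as the rule in the report: valid for more than min_days."""
    return days_left(not_after, now) > min_days


def fetch_not_after(host: str, port: int = 25,
                    check_hostname: bool = True) -> str:
    """Upgrade a plaintext SMTP session with STARTTLS and return notAfter
    of the certificate presented on the encrypted session."""
    ctx = ssl.create_default_context()   # chain is verified against system CAs
    # Disable only when probing by an address the certificate does not name,
    # e.g. localhost in the report (the certificate CN is bsmtp.telekom.at).
    ctx.check_hostname = check_hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)       # raises if STARTTLS is not offered
        # The peer certificate is available only after the TLS handshake,
        # so it must be read here and not before the STARTTLS upgrade.
        return smtp.sock.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Values taken from the report; no network access needed for this part.
    not_after = "Jul 13 23:59:59 2019 GMT"
    collected = datetime(2017, 3, 9, 9, 39, 29, tzinfo=timezone.utc)
    print(days_left(not_after, collected), expiry_ok(not_after, collected))
    # Live check (requires a reachable server):
    #   na = fetch_not_after("localhost", 25, check_hostname=False)
    #   print(na, days_left(na, datetime.now(timezone.utc)))
```

A result far from the value monit reports (here `0 days`) points at the monitoring tool's check and not at the certificate itself.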