certificate check fails after update to 5.21

Issue #570 resolved
Christof Wolf
created an issue

This check has had status "failed" since the upgrade to monit 5.21, although the certificate is valid till 2019. With monit 5.20 it works as expected.

check process postfix
    pidfile /var/spool/postfix/pid/master.pid
    if failed
            host localhost
            port 25
            protocol smtps
            certificate valid > 30 days
            for 3 cycles
    then alert

[x@y~]$ openssl s_client -connect localhost:25 -starttls smtp | openssl x509 -enddate -noout 
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = DE, ST = Baden-W\C3\BCrttemberg, L = Durmersheim, O = EUNETIC GmbH, CN = EuropeanSSL Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by EUNETIC GmbH, OU = EuropeanSSL Single, CN = bsmtp.telekom.at
verify return:1
250 8BITMIME
notAfter=Jul 13 23:59:59 2019 GMT


[x@y~]$ monit status postfix
Monit 5.21.0 uptime: 1h 2m

Process 'postfix'
  status                       Timestamp failed
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  pid                          644
  parent pid                   1
  uid                          0
  effective uid                0
  gid                          0
  uptime                       37d 1h 45m
  threads                      1
  children                     10
  cpu                          0.0%
  cpu total                    0.0%
  memory                       0.1% [2.2 MB]
  memory total                 2.9% [53.3 MB]
  disk read                    0 B/s [2.4 MB total]
  disk write                   0 B/s [422.8 MB total]
  port response time           11.231 ms to localhost:25 type TCP/IP using TLS (certificate valid for 0 days) protocol SMTP
  data collected               Thu, 09 Mar 2017 10:39:29
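
An added example, not part of the original report and not monit's own code: a Python cross-check that recomputes the remaining validity from the `openssl` output quoted above and compares it with the value in the `monit status` line. The sample inputs are constructed from those two outputs; the function names, whole-day rounding, the one-day tolerance and treating the collection time as UTC are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, taken from the outputs quoted in the report.
OPENSSL_OUT = """\
verify return:1
250 8BITMIME
notAfter=Jul 13 23:59:59 2019 GMT
"""
MONIT_STATUS = (
    "  port response time           11.231 ms to localhost:25 type TCP/IP "
    "using TLS (certificate valid for 0 days) protocol SMTP\n"
)

def parse_not_after(text):
    """Extract notAfter from `openssl x509 -enddate -noout` output as UTC."""
    m = re.search(r"^notAfter=(.+?) GMT\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no notAfter= line found")
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return ts.replace(tzinfo=timezone.utc)

def days_left(not_after, now):
    """Whole days of validity remaining (assumed rounding); 0 once expired."""
    return max((not_after - now).days, 0)

def monit_reported_days(status_text):
    """Read the 'certificate valid for N days' value from monit status."""
    m = re.search(r"certificate valid for (\d+) days", status_text)
    return int(m.group(1)) if m else None

def cross_check(openssl_out, status_text, now, min_days=30):
    """Compare the independently computed validity with monit's figure."""
    actual = days_left(parse_not_after(openssl_out), now)
    reported = monit_reported_days(status_text)
    return {
        "actual_days": actual,
        "reported_days": reported,
        # Mirrors the rule `certificate valid > 30 days` from the config.
        "rule_should_pass": actual > min_days,
        # One day of tolerance for rounding differences (assumption).
        "monit_agrees": reported is not None and abs(reported - actual) <= 1,
    }

if __name__ == "__main__":
    # Assumption: the "data collected" time is treated as UTC.
    now = datetime(2017, 3, 9, 10, 39, 29, tzinfo=timezone.utc)
    print(cross_check(OPENSSL_OUT, MONIT_STATUS, now))
```

A result with `rule_should_pass` true and `monit_agrees` false indicates the certificate itself satisfies the rule and the discrepancy lies in how the monitor obtained or evaluated it.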

Comments (9)

  1. Christof Wolf reporter

    After adding the following option monit says the certificate is self signed:

    set ssl options {
        verify: enable
        version: tlsv12
    }
    
    [CET Mar  9 11:14:43] error    : SSL: read error -- error:14092072:SSL routines:ssl3_get_server_hello:bad message type
    [CET Mar  9 11:14:43] error    : SMTP: Error receiving data from the mailserver -- Success
    [CET Mar  9 11:14:43] error    : 'postfix' failed protocol test [SMTP] at [localhost]:25 [TCP/IP TLS] -- SSL server certificate verification error: self signed certificate in certificate chain
    [CET Mar  9 11:14:43] error    : 'postfix' certificate expiry in 0 days matches check limit [valid > 30 days]
    
  2. Tildeslash repo owner

    Yet minor note regarding formatting, please indent the text like configuration and logs with four spaces ... it then displays as monospace font block, otherwise it is displayed as single line.

    Thanks :)
