certificate check fails after update to 5.21
This check has status "failed" since upgrade to monit 5.21, although the certificate is valid till 2019. With monit 5.20 it works as expected.

    check process postfix
      pidfile /var/spool/postfix/pid/master.pid
      if failed
        host localhost
        port 25
        protocol smtps
        certificate valid > 30 days
        for 3 cycles
      then alert


    [x@y~]$ openssl s_client -connect localhost:25 -starttls smtp | openssl x509 -enddate -noout
    depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify return:1
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = DE, ST = Baden-W\C3\BCrttemberg, L = Durmersheim, O = EUNETIC GmbH, CN = EuropeanSSL Server CA 2
    verify return:1
    depth=0 OU = Domain Control Validated, OU = Provided by EUNETIC GmbH, OU = EuropeanSSL Single, CN = bsmtp.telekom.at
    verify return:1
    250 8BITMIME
    notAfter=Jul 13 23:59:59 2019 GMT


    [x@y~]$ monit status postfix
    Monit 5.21.0 uptime: 1h 2m

    Process 'postfix'
      status                       Timestamp failed
      monitoring status            Monitored
      monitoring mode              active
      on reboot                    start
      pid                          644
      parent pid                   1
      uid                          0
      effective uid                0
      gid                          0
      uptime                       37d 1h 45m
      threads                      1
      children                     10
      cpu                          0.0%
      cpu total                    0.0%
      memory                       0.1% [2.2 MB]
      memory total                 2.9% [53.3 MB]
      disk read                    0 B/s [2.4 MB total]
      disk write                   0 B/s [422.8 MB total]
      port response time           11.231 ms to localhost:25 type TCP/IP using TLS (certificate valid for 0 days) protocol SMTP
      data collected               Thu, 09 Mar 2017 10:39:29

Comments (9)
-
reporter -
repo owner - edited description
-
repo owner - edited description
-
reporter After adding the following option monit says the certificate is self signed:

    set ssl options {
        verify: enable
        version: tlsv12
    }

    [CET Mar 9 11:14:43] error : SSL: read error -- error:14092072:SSL routines:ssl3_get_server_hello:bad message type
    [CET Mar 9 11:14:43] error : SMTP: Error receiving data from the mailserver -- Success
    [CET Mar 9 11:14:43] error : 'postfix' failed protocol test [SMTP] at [localhost]:25 [TCP/IP TLS] -- SSL server certificate verification error: self signed certificate in certificate chain
    [CET Mar 9 11:14:43] error : 'postfix' certificate expiry in 0 days matches check limit [valid > 30 days]

-
repo owner Thank you for the data. Is it possible to get access to that mailserver's port so we can test?
-
reporter You should be able to connect to bsmtp.telekom.at on port 25 or 587
-
repo owner One more minor note regarding formatting: please indent text such as configuration and logs with four spaces ... it then displays as a monospace font block, otherwise it is displayed as a single line.
Thanks :)
-
repo owner - changed status to resolved
Fixed Issue #570: if the connection test requires STARTTLS, the certificate valid days test was broken. → <<cset 26d2222a2039>>
-
repo owner Thanks for the data, the problem is fixed, you can get and compile the development snapshot this way:

    wget https://bitbucket.org/tildeslash/monit/get/master.tar.gz
    tar -xzf master.tar.gz
    cd tildeslash*
    ./bootstrap
    ./configure
    make

(or apply patch from https://bitbucket.org/tildeslash/monit/commits/26d2222a2039 to monit-5.21.0 source code ... one line of code needs to be moved)
running on CentOS Linux release 7.2.1511 (Core)
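
An independent cross-check for the "certificate valid for N days" figure on a STARTTLS port, as an added example that is not part of the original issue and is not monit's code. It walks the plaintext SMTP dialog up to `STARTTLS`, because the server certificate only exists after that upgrade, then compares the leaf `notAfter` against a threshold. The function names and the EHLO name `certcheck.example` are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_left(not_after, now):
    """Whole days from `now` (aware datetime) to an OpenSSL notAfter string."""
    expiry = ssl.cert_time_to_seconds(not_after)  # e.g. "Jul 13 23:59:59 2019 GMT"
    return int((expiry - now.timestamp()) // 86400)

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply and return its numeric code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != b"-":  # "250-..." continues the reply, "250 ..." ends it
            return int(line[:3])

def starttls_not_after(host, port=25, server_name=None, timeout=10):
    """Upgrade an SMTP session with STARTTLS and return the leaf notAfter."""
    ctx = ssl.create_default_context()  # chain and hostname verification stay on
    # Plaintext steps that must succeed before any TLS handshake can happen.
    steps = ((None, 220), (b"EHLO certcheck.example\r\n", 250), (b"STARTTLS\r\n", 220))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        for command, expected in steps:
            if command:
                sock.sendall(command)
            code = read_reply(f)
            if code != expected:
                raise RuntimeError(f"unexpected SMTP reply {code}, wanted {expected}")
        # server_name lets you test via localhost while verifying the name
        # that is actually in the certificate.
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()["notAfter"]

def check(not_after, min_days, now=None):
    """Return (days_left, ok), mirroring a 'certificate valid > N days' rule."""
    now = now or datetime.now(timezone.utc)
    left = days_left(not_after, now)
    return left, left > min_days

if __name__ == "__main__":
    # Values taken from the report: openssl's notAfter and monit's collection
    # time (treated as UTC here, which is an assumption).
    seen = datetime(2017, 3, 9, 10, 39, 29, tzinfo=timezone.utc)
    print(check("Jul 13 23:59:59 2019 GMT", 30, seen))
```

With the values from the report this yields 856 days remaining, so a "0 days" result points at the checker rather than the certificate.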