Monit - TLS: Directive 'CACERTIFICATEPATH'

Issue #640 resolved
Anonymous created an issue

The following bug report is applicable to Monit 5.22.0 used on Debian Stretch. The bug report is not valid for Monit 5.20.0 used on Debian Stretch as the bug does not appear using that version.

The 'monitrc' configuration directive 'CACERTIFICATEPATH' does not seem to behave as expected, based on previous experiences with 'Monit 5.20.0'.

The 'CACERTIFICATEPATH' directive points to '/etc/ssl/cacerts'. This is used in combination with the 'VERIFY' directive to enable certificate verification when performing SMTP and HTTP checks. The CA path that has been configured is a custom folder holding a small set of private CA files for a custom PKI. All to-verify-certificates are signed by the CA represented by c_rehashed PEM files located in '/etc/ssl/cacerts'. This setup works as expected using 'Monit 5.20.0', but fails to work as expected using 'Monit 5.22.0'.

A few workarounds do work using 'Monit 5.22.0':

  • Using the configuration directive 'CACERTIFICATEFILE' and pointing it to a concatenated PEM file holding all required CA certificates
  • Copying all PEM files + c_rehashed pointers to '/etc/ssl/certs', and removing the 'CACERTIFICATEPATH' directive from the main Monit configuration file '/etc/monit/monitrc'

Either of the two seems unnecessary, as it looks like this is an unintentional bug based on the behaviour of previous Monit versions.
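As an added example (not from the issue or the Monit project), the script below builds a private-CA directory in the c_rehashed hash-link layout the report describes, checks that every CA file is reachable through a hash link, verifies a leaf certificate against that directory alone with openssl, and then exercises the CACERTIFICATEFILE workaround with a concatenated bundle; the work directory, CA name and leaf certificate are constructed for the example and stand in for the report's /etc/ssl/cacerts.

```shell
# Constructed example: build a private-CA directory in the OpenSSL hashed
# layout that CACERTIFICATEPATH expects, then check it the way a client does.
set -eu

# Hypothetical work directory; the report's real path is /etc/ssl/cacerts.
WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/cacerts"

# make_test_pki: a throwaway private CA plus one leaf signed by it (test material only).
make_test_pki() {
    mkdir -p "$CAPATH"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$CAPATH/private-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
        -CA "$CAPATH/private-ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# rehash_capath: create the <subject-hash>.N links OpenSSL's CApath lookup needs
# (and so Monit's CACERTIFICATEPATH); same result as running c_rehash.
rehash_capath() {
    for pem in "$CAPATH"/*.pem; do
        hash=$(openssl x509 -noout -hash -in "$pem")
        n=0
        while [ -e "$CAPATH/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$CAPATH/$hash.$n"
    done
}

# capath_is_consistent: every CA file must be reachable via a hash link,
# otherwise no client, Monit included, will find it in this directory.
capath_is_consistent() {
    for pem in "$CAPATH"/*.pem; do
        hash=$(openssl x509 -noout -hash -in "$pem")
        ls "$CAPATH/$hash".[0-9]* >/dev/null 2>&1 || return 1
    done
}

# verify_leaf: the leaf must chain to the directory alone (no default store).
verify_leaf() {
    openssl verify -no-CAfile -CApath "$CAPATH" "$WORK/leaf.pem" >/dev/null 2>&1
}

# build_cafile: the CACERTIFICATEFILE workaround, one concatenated PEM bundle.
build_cafile() {
    cat "$CAPATH"/*.pem > "$WORK/ca-bundle.pem"
    openssl verify -no-CApath -CAfile "$WORK/ca-bundle.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
```

Running capath_is_consistent against the real directory is a quick way to rule out a broken rehash before blaming the client; if the links are present and openssl verifies the chain while Monit still reports a failure, the problem is on Monit's side, as in this report.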

Comments (2)

  1. Tildeslash repo owner

    Thank you for the report, the problem is fixed in the development version.

    If you want to test it:

    wget https://bitbucket.org/tildeslash/monit/get/master.tar.gz
    tar -xzf master.tar.gz
    cd tildeslash*
    ./bootstrap
    ./configure
    make