SSL server certificate checksum failed
Issue #677
resolved
I use monit 5.24.0 on Debian 8.9 (jessie) Linux x64
I created a certificate checksum connection test:
checksum:
# openssl x509 -fingerprint -sha1 -in /etc/letsencrypt/live/knopka.org/cert.pem | head -1 | cut -f2 -d'=' | sed 's,:,,g'
02F0B3DFAF013556A0305D7815B7C605F61E3787
my monit config file:
check host knopka.org_ssl_checksum with address knopka.org
  group knopka
  if failed port 443 protocol https and certificate checksum sha1 = "02F0B3DFAF013556A0305D7815B7C605F61E3787" then alert
monit log /var/log/monit.log
[+05 Oct 10 11:46:32] error : 'knopka.org_ssl_checksum' failed protocol test [HTTP] at [knopka.org]:443 [TCP/IP TLS] -- SSL server certificate verification error: SSL server certificate checksum failed
monit status:
# monit -g knopka status
Remote Host 'knopka.org_ssl_checksum'
status Connection failed
monitoring status Monitored
monitoring mode active
on reboot start
port response time FAILED to [knopka.org]:443 type TCP/IP using TLS protocol HTTP
data collected Tue, 10 Oct 2017 11:47:55
Why does monit use the HTTP protocol to check the checksum of the certificate, although I pointed it to the HTTPS protocol?
Comments (4)
-
repo owner
Hello Mikhail,
the certificate seems to have a different checksum:
$ openssl s_client -servername knopka.org -connect knopka.org:443 </dev/null 2>/dev/null | openssl x509 -text | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/p' | openssl x509 -fingerprint -sha1 | head -1 | cut -f2 -d'=' | sed 's,:,,g'
5A9693E2D822FC7D2D40C79BF08D0529F1DB77EE
-
Sorry, everything works correctly.
The certificate re-release script did not restart nginx and it gave out the old ssl-certificate.
-
repo owner - changed status to resolved
hello, this is my question, forgot to log in
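The mismatch in this thread came from comparing the certificate file on disk with what the web server was still serving after a renewal. The following is an added example, not part of the original issue and not monit code: it computes both SHA-1 fingerprints and flags the case where they differ. The function names and the command-line arguments (PEM path, host name) are assumptions made for illustration.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def sha1_fingerprint(der: bytes) -> str:
    """Uppercase hex SHA-1 over the DER bytes, the form used in the monit rule."""
    return hashlib.sha1(der).hexdigest().upper()


def fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file (the leaf in a chain file)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return sha1_fingerprint(base64.b64decode(match.group(1)))


def served_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Read the leaf certificate the server presents, with SNI set to host."""
    ctx = ssl.create_default_context()
    # Chain validation is off: this only reads the certificate so its
    # fingerprint can be compared, like the s_client pipeline in the thread.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(disk_pem: str, served: bytes) -> dict:
    """Report both fingerprints; stale means the served certificate differs from the file."""
    disk_fp = fingerprint_from_pem(disk_pem)
    served_fp = sha1_fingerprint(served)
    return {"disk": disk_fp, "served": served_fp, "stale": disk_fp != served_fp}


if __name__ == "__main__":
    pem_path, host = sys.argv[1], sys.argv[2]  # assumed arguments: PEM file, host name
    with open(pem_path, encoding="ascii") as fh:
        result = compare(fh.read(), served_der(host))
    print(result)
    sys.exit(1 if result["stale"] else 0)
```

Run from the renewal hook after the web server reload, a non-zero exit status shows that the server is still presenting the previous certificate.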