Monit - expired ssl cert

Discussion in 'Installation/Configuration' started by Poliman, Mar 12, 2018.

  1. Poliman

    Poliman Member

    I used tutorial --> Monit used domain name of the server with green padlock (lets encrypt cert for fqdn and ISP panel). I also configured it to work with ISPconfig. Currently When I try enter on I have information that website cert expired "1 Feb 2018, 07:27" and website uses hsts and this bring to unable add exception. Now I can enter monit site only using ip address with port. I tried add in monitrc config file cert from /etc/letsencrypt/live/ but after restart monit service I have error that cert has 644 but it can max has 700 privileges. How to renew this cert?
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you followed the relevant guide make sure you understand the note in step #6 that the pem file is created and is not merely symlinked like the two other certs. When the original certs expired, so do the created pem file, thus, it has to be recreated and the relevant services need to be restarted, whether manually or automatically, as per the guide. Otherwise, you'll find monit pem file also expired when it is not recreated accordingly based on the new certs.
    Last edited: Mar 12, 2018
  3. Poliman

    Poliman Member

    Thank you for answer. All things work perfectly but I don't get why I had green padlock with this setting:
    PEMFILE /var/certs/monit.pem
    And how is it possible that this cert expired if it's created by user in tutorial?

    I did part for pureftpd from tutorial you mentioned and now I have some strange thing. Pureftp says that I have two certs in chain:
    1st is for domain for my server issued by LE
    2nd is for LE issued by LE
    I can't still get into Is is possible that this issue is produce because I created in .htaccess redirect from to
    I also pick something up. In /etc/letsencrypt/renewal directory config file has 644 privileges but other .conf files have 755 (they are green).
    Last edited: Mar 12, 2018
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can run ls -la to check /var/certs/monit.pem as it could a real file or merely a symlink you have created earlier.

    As I said earlier,
    Lastly note that the pem file need to be chmod 600.
  5. Poliman

    Poliman Member

    I wrote it's strange for me, because this file - monit.pem - is not any symlink. Of course it has chmod 600. Second thing that main certificate still works perfectly. It's used for postfix/dovecot and also works like it should. That's why all this case is so strange for me. Of course I provide restart for monit service.

    I removed main certificate for ISP panel, go to panel using ip of the server but I can't renew cert (after remove proper directory from /etc/letsencrypt/live, archive and renewal). I have error:
    [email protected]:/usr/local/ispconfig/interface/ssl# tail -f /var/log/letsencrypt/letsencrypt.log
      File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 225, in obtain_certificate_from_csr
        authzr = self.auth_handler.get_authorizations(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 84, in get_authorizations
        self._respond(cont_resp, dv_resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 142, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 204, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for
    But when I use nslookup I have nice response for with correct ip address. I am going to add www.s1 in dns zone. Maybe it will help.
    Last edited: Mar 13, 2018
  6. Poliman

    Poliman Member

    One more thing. Under System -> Server Config where I can configure Monit and Munin I have lines:
    1. Monit URL -->
    2. Munin URL -->

    In first case I can't enter site, because of error more less site is improperly configured because certificate expired BUT in second case I have no problems with enter site and also I have green padlock (I renew cert for using your tip from another thread and attach cert to Monit as you said I attached two screens with mentioned error.

    Attached Files:

    Last edited: Mar 13, 2018
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is because you set your ISPConfig LE SSL certs for port 8080 correctly based on and symlinked to LE SSL certs but you might have failed to do the same for your monit which I already mentioned the reason in my posts above.
  8. Poliman

    Poliman Member

    Hmm, now I am seriously confused. I just copied each line with command related to Monit SSL using pureftpd cert. Effect is available on the screen earlier attached. Maybe I do something wrong? I did below:
    cd /etc/ssl/private/
    if [ -f "pure-ftpd.pem" ]; then
        mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
    chmod 600 pure-ftpd.pem
    service pure-ftpd-mysql restart
    nano /etc/monit/monitrc
    and finally in /etc/monit/monitrc
    PEMFILE /etc/ssl/private/pure-ftpd.pem
    About chmod's:
    [email protected]:/etc/ssl/private# ls -l
    total 12
    lrwxrwxrwx 1 root root       48 Mar 13 07:45 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    After execute "chmod 600 pure-ftpd.pem" privileges for pure-ftpd.pem are like above but ispserver.pem file currently has chmod 600. I think it's ok.

    Of course I provided restart at the end of operation:
    service monit restart
    I resolved my issue. :) After renewal ispserver.key and .crt I didn't do
    cat ispserver.{key,crt} > ispserver.pem
    so ispserver.pem file was old and Monit used it. I am dumb. Thank you for patience and tips. ;)
    Last edited: Mar 13, 2018
    ahrasis likes this.

Share This Page