monit, Let's Encrypt, and file permissions
I decided to put monit on my VPS running CentOS 7. I've already got Let's Encrypt on the server and the certs are installed. I wanted to point monit at the fullchain.pem or the cert.pem, but I get this error.
Dec 30 00:56:52 [23926]: The SSL server PEM file '/etc/letsencrypt/live/example.com/fullchain.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
Dec 30 00:56:52 monit[23926]: /etc/monitrc:131: SSL server PEM file permissions check failed 'allow'
Dec 30 00:56:52 systemd[1]: monit.service: main process exited, code=exited, status=1/FAILURE
Not sure how to proceed. Do I change the owner of the cert files? Do I change the owner who runs monit?
Solution 1:
Monit is quite strange in that it expects the private key and TLS certificate chain to be concatenated into a single file specified by pemfile, so you can't use certificates retrieved with certbot without some further processing.
You will need to set up a deploy hook in certbot in order to concatenate the certificates into a single file and set permissions on that file.
An example script might look like:
#!/bin/bash
# certbot deploy hook: RENEWED_DOMAINS and RENEWED_LINEAGE are set by certbot
for domain in $RENEWED_DOMAINS
do
    case "$domain" in
        example.com)
            # monit wants key + chain in one file, readable only by its owner
            cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" > "/etc/monit/pemfile-$domain.pem"
            chmod 600 "/etc/monit/pemfile-$domain.pem"
            ;;
    esac
done
Then renew with certbot renew --deploy-hook '/path/to/that/script.sh'.
And in monit specify pemfile /etc/monit/pemfile-example.com.pem
Finally, you can restart monit with the renewed cert with something like a certbot renew --post-hook 'systemctl restart monit'
...
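A hardened version of the deploy hook described in this answer, added here as an example rather than taken from the answer or from monit/certbot themselves: it writes the combined pemfile atomically under a restrictive umask and checks the result the same way monit does (group and other bits must be clear, i.e. mode no more than 0700). It assumes certbot's RENEWED_LINEAGE and RENEWED_DOMAINS hook variables and the /etc/monit/pemfile-<domain>.pem naming used above.

```shell
#!/bin/sh
# Added example: certbot deploy hook that builds the key+chain pemfile monit
# expects. Assumes certbot's RENEWED_LINEAGE / RENEWED_DOMAINS variables and
# the /etc/monit/pemfile-<domain>.pem layout from the answer.

# True when group and other permission bits are all clear (mode <= 0700),
# which is exactly the condition monit enforces on its pemfile.
pem_mode_ok() {
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$perms" = "------" ]
}

# $1 = certbot lineage directory, $2 = output pemfile.
# Key first, then the full chain, as monit's pemfile directive expects.
build_monit_pem() {
    lineage=$1
    out=$2
    tmp="$out.tmp.$$"
    (
        umask 077                          # temp file is 0600 from creation
        cat -- "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp"
    ) || { rm -f -- "$tmp"; return 1; }
    chmod 600 -- "$tmp"
    mv -f -- "$tmp" "$out"                 # rename is atomic: no half-written pemfile
    pem_mode_ok "$out"
}

# Entry point used when certbot invokes this file as --deploy-hook.
deploy_hook() {
    for domain in $RENEWED_DOMAINS; do     # unquoted on purpose: space-separated list
        build_monit_pem "$RENEWED_LINEAGE" "/etc/monit/pemfile-$domain.pem" || return 1
    done
}

if [ -n "${RENEWED_DOMAINS:-}" ]; then
    deploy_hook
fi
```

Pair it with a --post-hook that restarts monit, as the answer suggests, so the new pemfile is actually picked up.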
Solution 2:
As of Monit v5.27.0, released 2020-06-29, you can now pass in pemchain and pemkey parameters pointing to the separate files that Let's Encrypt generates. Quoting from the documentation:
As an alternative PEMCHAIN and PEMKEY sets the path to separate PEM encoded certificate chain and private key file. The key file should be stored in a safe place on the filesystem and should have strict permissions, no more than 0700.
...
Example for using separate certificate chain and key:
set httpd port 2812 with ssl { pemchain: /etc/ssl/certs/monit.chain.pem pemkey: /etc/ssl/certs/monit.key.pem } allow myuser:mypassword
See also: PR #78.