johndoeysmith asked:
I decided to put monit on my vps running centos 7.
I’ve already got let’s encrypt on the server and the certs are installed. I wanted to point monit at the fullchain.pem or the cert.pem, but I get this error.
Dec 30 00:56:52 [23926]: The SSL server PEM file
'/etc/letsencrypt/live/example.com/fullchain.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
Dec 30 00:56:52 monit[23926]: /etc/monitrc:131: SSL server PEM file permissions check failed 'allow'
Dec 30 00:56:52 systemd[1]: monit.service: main process exited, code=exited, status=1/FAILURE
Not sure how to proceed. Do I change the owner of the cert files? Do I change the owner who runs monit?
My answer:
Monit is quite strange in that it expects the private key and TLS certificate chain to be concatenated into a single file specified by pemfile
, so you can’t use certificates retrieved with certbot without some further processing.
You will need to set up a deploy hook in certbot in order to concatenate the certificates into a single file and set permissions on that file.
An example script might look like:
#!/bin/bash
for domain in $RENEWED_DOMAINS
do
case $domain in
example.com)
cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/fullchain.pem > /etc/monit/pemfile-$domain.pem
chmod 600 /etc/monit/pemfile-$domain.pem
;;
done
Then renew with certbot renew --deploy-hook '/path/to/that/script.sh'
.
And in monit specify pemfile /etc/monit/pemfile-example.com.pem
Finally, you can restart monit with the renewed cert with something like a certbot renew --post-hook 'systemctl restart monit'
…
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.