I decided to put monit on my vps running centos 7.
I’ve already got let’s encrypt on the server and the certs are installed. I wanted to point monit at the fullchain.pem or the cert.pem, but I get this error.
Dec 30 00:56:52 : The SSL server PEM file '/etc/letsencrypt/live/example.com/fullchain.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
Dec 30 00:56:52 monit: /etc/monitrc:131: SSL server PEM file permissions check failed 'allow'
Dec 30 00:56:52 systemd: monit.service: main process exited, code=exited, status=1/FAILURE
Not sure how to proceed. Do I change the owner of the cert files? Do I change the owner who runs monit?
Monit is quite strange in that it expects the private key and TLS certificate chain to be concatenated into a single file specified by pemfile, so you can’t use certificates retrieved with certbot without some further processing.
An example script might look like:

#!/bin/bash
# certbot sets RENEWED_DOMAINS and RENEWED_LINEAGE for the deploy hook
for domain in $RENEWED_DOMAINS
do
    case $domain in
        example.com)
            # monit wants the private key followed by the full chain in one file
            cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" > "/etc/monit/pemfile-$domain.pem"
            # the file now contains the private key, so keep it owner-only
            chmod 600 "/etc/monit/pemfile-$domain.pem"
            ;;
    esac
done
Then renew with
certbot renew --deploy-hook '/path/to/that/script.sh'.
And in monit specify
Finally, you can restart monit with the renewed cert with something like a certbot renew --post-hook 'systemctl restart monit'…
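The hook described in the answer above, written out as an added example (not the answer's own script, and not part of monit or certbot): it builds the concatenated pemfile without a window where the private key is world-readable, checks that the result is within the 0700 limit monit enforces, and restarts monit only when a pemfile was actually rewritten. The /etc/monit output directory, the MONIT_PEM_DIR override and the domain name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that builds the
# pemfile monit expects (private key first, then the full chain) so that the
# key is never readable by other users, then restarts monit only if something
# was actually rebuilt. /etc/monit and the domain list are assumptions.
set -eu

# Write <outdir>/pemfile-<domain>.pem from a certbot lineage directory.
# mktemp creates the temporary file with mode 0600, so the key is protected
# from the first byte; "cat > file; chmod 600 file" would leave it at the
# umask default (0644) until chmod runs. The final mv is atomic.
build_monit_pemfile() {
  lineage="$1"; domain="$2"; outdir="$3"
  target="$outdir/pemfile-$domain.pem"
  [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || return 1
  tmp=$(mktemp "$outdir/.pemfile-$domain.XXXXXX")
  cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp"
  chmod 600 "$tmp"
  mv -f "$tmp" "$target"
  printf '%s\n' "$target"
}

# Succeed only if no group/other bits are set, i.e. the mode is within the
# 0700 limit monit enforces. Uses GNU stat's %a (octal mode) output.
pemfile_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ $((0$mode & 077)) -eq 0 ]
}

# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to the deploy hook.
# Both default to empty here so the script is a no-op when run by hand.
deploy_hook_main() {
  outdir="${MONIT_PEM_DIR:-/etc/monit}"; built=0
  for domain in ${RENEWED_DOMAINS:-}; do
    case "$domain" in
      example.com)   # the name monit's httpd serves (assumed)
        build_monit_pemfile "${RENEWED_LINEAGE:-}" "$domain" "$outdir" >/dev/null && built=1
        ;;
    esac
  done
  # Restart monit only when a pemfile was rewritten and it passes the check.
  if [ "$built" -eq 1 ] && pemfile_perms_ok "$outdir/pemfile-example.com.pem"; then
    systemctl restart monit
  fi
}

deploy_hook_main
```

Point certbot at it with certbot renew --deploy-hook /path/to/this/script.sh; because the restart is inside the hook, a separate --post-hook is not needed.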
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.