monit, let's encrypt, and file permissions

johndoeysmith asked:

I decided to put monit on my vps running centos 7.
I’ve already got let’s encrypt on the server and the certs are installed. I wanted to point monit at the fullchain.pem or the cert.pem, but I get this error.

    Dec 30 00:56:52 [23926]: The SSL server PEM file 
    '/etc/letsencrypt/live/' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
    Dec 30 00:56:52 monit[23926]: /etc/monitrc:131: SSL server PEM file permissions check failed 'allow'
    Dec 30 00:56:52  systemd[1]: monit.service: main process exited, code=exited, status=1/FAILURE

Not sure how to proceed. Do I change the owner of the cert files? Do I change the owner who runs monit?

My answer:

Monit is quite strange in that it expects the private key and TLS certificate chain to be concatenated into a single file specified by pemfile, so you can’t use certificates retrieved with certbot without some further processing.

You will need to set up a deploy hook in certbot in order to concatenate the certificates into a single file and set permissions on that file.

An example script might look like:


for domain in $RENEWED_DOMAINS
    case $domain in
        cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/fullchain.pem > /etc/monit/pemfile-$domain.pem
        chmod 600 /etc/monit/pemfile-$domain.pem

Then renew with certbot renew --deploy-hook '/path/to/that/'.

And in monit specify pemfile /etc/monit/

Finally, you can restart monit with the renewed cert with something like a certbot renew --post-hook 'systemctl restart monit'

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.