Monit - expired ssl cert

Discussion in 'Installation/Configuration' started by Poliman, Mar 12, 2018.

  1. Poliman

    Poliman Member

    I used the tutorial --> https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-ubuntu-16-04-lts/2/. Monit used the domain name of the server with a green padlock (Let's Encrypt cert for the FQDN and ISP panel). I also configured it to work with ISPConfig. Currently, when I try to enter s1.example.com:2812, I get information that the website cert expired "1 Feb 2018, 07:27" and that the website uses HSTS, which makes it impossible to add an exception. Now I can enter the monit site only using the IP address with port. I tried to add in the monitrc config file the cert from /etc/letsencrypt/live/s1.example.com, but after restarting the monit service I have an error that the cert has 644 but it can have max 700 privileges. How do I renew this cert?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you followed the relevant guide, make sure you understand the note in step #6 that the pem file is created and is not merely symlinked like the two other certs. When the original certs expire, so does the created pem file; thus it has to be recreated and the relevant services need to be restarted, whether manually or automatically, as per the guide. Otherwise, you'll find the monit pem file also expired when it is not recreated accordingly based on the new certs.
     
    Last edited: Mar 12, 2018
  3. Poliman

    Poliman Member

    Thank you for the answer. All things work perfectly, but I don't get why I had a green padlock with this setting:
    Code:
    PEMFILE /var/certs/monit.pem
    And how is it possible that this cert expired if it's created by the user in the tutorial?

    PS
    I did the part for pureftpd from the tutorial you mentioned and now I have some strange thing. Pureftp says that I have two certs in the chain:
    1st is for domain for my server issued by LE
    2nd is for LE issued by LE
    I still can't get into https://s1.example.com:2812. Is it possible that this issue is produced because I created in .htaccess a redirect from s1.example.com to s1.example.com:8080?
    I also picked something up. In the /etc/letsencrypt/renewal directory the config file s1.example.com.conf has 644 privileges, but the other .conf files have 755 (they are green).
     
    Last edited: Mar 12, 2018
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can run ls -la to check /var/certs/monit.pem, as it could be a real file or merely a symlink you created earlier.

    As I said earlier,
    Lastly note that the pem file needs to be chmod 600.
     
  5. Poliman

    Poliman Member

    I wrote that it's strange for me, because this file - monit.pem - is not a symlink. Of course it has chmod 600. Second thing: the main certificate still works perfectly. It's used for postfix/dovecot and also works like it should. That's why this whole case is so strange for me. Of course I restarted the monit service.

    PS
    I removed the main certificate for the ISP panel, went to the panel using the IP of the server, but I can't renew the cert (after removing the proper directory from /etc/letsencrypt/live, archive and renewal). I have an error:
    Code:
    root@s1:/usr/local/ispconfig/interface/ssl# tail -f /var/log/letsencrypt/letsencrypt.log
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
        authzr = self.auth_handler.get_authorizations(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
        self._respond(cont_resp, dv_resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 142, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. www.s1.example.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.s1.example.net
    
    But when I use nslookup I get a nice response for s1.example.net with the correct IP address. I am going to add www.s1 in the example.net DNS zone. Maybe it will help.
     
    Last edited: Mar 13, 2018
  6. Poliman

    Poliman Member

    One more thing. Under System -> Server Config, where I can configure Monit and Munin, I have lines:
    1. Monit URL --> https://s1.example.net:2812/
    2. Munin URL --> https://s1.example.net:8080/munin

    In the first case I can't enter the site, because of an error saying, more or less, that the site is improperly configured because the certificate expired, BUT in the second case I have no problems entering the site and I also have a green padlock (I renewed the cert for s1.example.net using your tip from another thread and attached the cert to Monit as you said https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/). I attached two screens with the mentioned error.
     

    Last edited: Mar 13, 2018
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is because you set your ISPConfig LE SSL certs for port 8080 correctly, based on and symlinked to the s1.example.net LE SSL certs, but you might have failed to do the same for your monit, the reason for which I already mentioned in my posts above.
     
  8. Poliman

    Poliman Member

    Hmm, now I am seriously confused. I just copied each line with the command related to Monit SSL using the pureftpd cert. The effect is visible on the screen attached earlier. Maybe I did something wrong? I did the following:
    Code:
    cd /etc/ssl/private/
    if [ -f "pure-ftpd.pem" ]; then
        mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
    fi
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
    chmod 600 pure-ftpd.pem
    service pure-ftpd-mysql restart
    then
    Code:
    nano /etc/monit/monitrc
    and finally in /etc/monit/monitrc
    Code:
    PEMFILE /etc/ssl/private/pure-ftpd.pem
    About chmod's:
    Code:
    root@s1:/etc/ssl/private# ls -l
    total 12
    lrwxrwxrwx 1 root root       48 Mar 13 07:45 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    
    After executing "chmod 600 pure-ftpd.pem", the privileges for pure-ftpd.pem are like above, but the ispserver.pem file currently has chmod 600. I think it's ok.

    Of course I restarted at the end of the operation:
    Code:
    service monit restart
    EDIT
    I resolved my issue. :) After renewal of ispserver.key and .crt I didn't do
    Code:
    cat ispserver.{key,crt} > ispserver.pem
    so the ispserver.pem file was old and Monit used it. I am dumb. Thank you for the patience and tips. ;)
     
    Last edited: Mar 13, 2018
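    The root cause in this last post (and the point ahrasis made in post #2) is that the combined pem is a copy, not a symlink, so it silently keeps the old certificate after a renewal. The script below is an added example, not code from the thread or the HowtoForge guide: it rebuilds ispserver.pem only when the certificate inside it no longer matches ispserver.crt, writes it with mode 600, and restarts monit. It assumes the ISPConfig layout named in the thread (ispserver.key / ispserver.crt / ispserver.pem in one directory) and exercises itself on a constructed fixture with placeholder PEM text.

```shell
#!/bin/sh
# Added example (not from the thread or the guide): rebuild ISPConfig's ispserver.pem for
# Monit only when the cert inside it no longer matches ispserver.crt; suitable as a renew hook.
# Assumed layout (from the thread): <dir>/ispserver.key, ispserver.crt, ispserver.pem.
set -eu
# Print only the CERTIFICATE block(s) of a PEM file, in order.
cert_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Succeed when the pem holds a private key and exactly the cert(s) found in the .crt.
pem_is_current() {
    dir="$1"
    [ -f "$dir/ispserver.pem" ] || return 1
    grep -q 'BEGIN .*PRIVATE KEY' "$dir/ispserver.pem" || return 1
    [ "$(cert_blocks "$dir/ispserver.pem")" = "$(cert_blocks "$dir/ispserver.crt")" ]
}

# Write key+crt to a fresh pem created with mode 600 (monit rejects looser modes), then swap it in.
rebuild_pem() {
    dir="$1"
    ( umask 077; cat "$dir/ispserver.key" "$dir/ispserver.crt" > "$dir/ispserver.pem.new" )
    mv "$dir/ispserver.pem.new" "$dir/ispserver.pem"
}

# Hook body: rebuild and restart only when needed; $2 overrides the restart command.
refresh_monit_pem() {
    dir="$1"; restart="${2:-service monit restart}"
    if pem_is_current "$dir"; then
        echo "ispserver.pem already matches ispserver.crt; nothing to do"
        return 0
    fi
    rebuild_pem "$dir"
    sh -c "$restart"
    echo "rebuilt $dir/ispserver.pem"
}
# Constructed fixture (placeholder text, not real key material) reproducing the thread's
# state: key and crt renewed, but the pem still carries the old certificate.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' PLACEHOLDER-KEY '-----END PRIVATE KEY-----' > "$dir/ispserver.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' OLDCERT '-----END CERTIFICATE-----' > "$dir/ispserver.crt"
    cat "$dir/ispserver.key" "$dir/ispserver.crt" > "$dir/ispserver.pem"   # pem built before renewal
    printf '%s\n' '-----BEGIN CERTIFICATE-----' NEWCERT '-----END CERTIFICATE-----' > "$dir/ispserver.crt"
    echo "$dir"
}
demo=$(make_fixture)
refresh_monit_pem "$demo" "echo '(would run: service monit restart)'"
rm -rf "$demo"
```

    On the real server, point `refresh_monit_pem` at /usr/local/ispconfig/interface/ssl and run it after each renewal (for example as a certbot deploy hook) so the pem can never lag behind the .crt again.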