We can extend the certificate verification to the whole chain.

Best regards,
Martin
> On 8 Dec 2020, at 19:11, rexkogit...@gmx.at wrote:
>
> Sure, I admit I sought a kind of sensational headline. Monit is a
> great tool which has surveilled the services of this company for many
> years and alarmed us about many serious problems.
>
> The more important line is the last sentence: There is room for
> improvement. Since I haven't been into C for more than a decade, I am
> sorry that I cannot really contribute to Monit, otherwise I would. I
> remember that it was roughly 400 lines of PHP code which made a reliable
> check of the TLS certificate chain and against the trust store in
> /etc/ssl/certs. What I want to give to the developers of Monit is this
> idea so they may improve this great tool even more.
>
> Kind regards,
>
> rex kogitans
>
> On 04.12.20 at 20:03, Paul Theodoropoulos wrote:
>> You did not lose your job due to Monit, and you know that - you
>> clearly described what the proximate cause was of your losing your
>> job. It makes for a 'sensational' headline, but blaming it on Monit is
>> absurd.
>>
>> On 12/4/2020 7:52 AM, rexkogit...@gmx.at wrote:
>>> I configured monit to monitor the TLS certificate validity of all of our
>>> highly productive websites. To all websites, the unnecessary full
>>> certificate (without root CA) was installed. However, on the 30th of May
>>> 2020 one of the chain certificates (COMODO) ran out of its validity
>>> period. Obviously monit only checks for the server certificate, that's
>>> why the check did not notice this, and such a check is completely
>>> pointless. It led to massive damage to my company, and since I was to
>>> deal with monitoring as well as TLS certificates, I had to move on to
>>> find a new job.
>>>
>>> During the notice period, I implemented my own check in PHP and let
>>> monit execute this PHP program to check TLS certificates. This PHP
>>> program did not just check the entire chain, but also the chain against
>>> the system's own trust store (in /etc/ssl/certs). I think it would be an
>>> interesting feature to deal with TLS certificates like this in monit in
>>> order to avoid more people losing their jobs.