> On 29 May 2024, at 17:09, Gerrit Kühn <gerrit.ku...@aei.mpg.de> wrote:
> 
> *
> 
> However, this doesn't:
> ---
> check host self with address localhost
> if failed port 443 protocol https and certificate valid > 30 days with
> ssl options {verify: enable} then alert
> ---
> 
> All I get is
> ---
> failed protocol test [HTTP] at [localhost]:443 [TCP/IP TLS] -- Connection
> refused
> ---
> 
> From the documentation I got the impression that one should enable
> verification. And why does this cause a "connection refused"?
> 

Verifying an SSL certificate is good practice to prevent MiM, but it requires 
that the certificate common name points to a valid DNS name. You must also tell 
Monit to connect using the Fully Qualified Domain Name (FQDN) as the address. 
Using ‘localhost’ or an IP-address here won’t do. When you enable ssl.verify 
it simply means that Monit will check that the name of the host (given in 
address) is the same as the SSL certificate's common name. Here is a valid 
'check host' statement against our mmonit.com server:

check host mmonit with address mmonit.com # FQDN
if failed port 443 protocol https and certificate valid > 30 days with
ssl options {verify: enable} then alert

Ps. To see more debug output, start monit with the -Iv options. 
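The two checks that the reply's 'check host' statement combines, name-versus-certificate matching and remaining validity, can be reproduced with plain openssl against a throwaway certificate. This is an added example, not code from the thread or from Monit; it assumes OpenSSL 1.1.1 or newer (for `-addext`) and uses a constructed FQDN, monit-demo.example.com, that does not need to resolve.

```shell
#!/bin/sh
# Added example, not from the monit mailing list: why 'ssl options {verify: enable}'
# fails for 'localhost' when the certificate carries the host's FQDN, and what
# 'certificate valid > N days' actually tests. Requires openssl 1.1.1+.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed name for the demo; a real deployment uses the host's own DNS name.
FQDN=monit-demo.example.com
CERT="$WORKDIR/cert.pem"

# make_cert: self-signed certificate whose CN and SAN are $FQDN, valid 90 days.
# It stands in for the server certificate monit would see on port 443.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" \
        -keyout "$WORKDIR/key.pem" -out "$CERT" >/dev/null 2>&1
}

# hostname_matches NAME: exit 0 if the certificate verifies for NAME, 1 otherwise.
# The cert is its own trust anchor here; the name comparison is the part that
# corresponds to monit's verify option.
hostname_matches() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# valid_more_than_days N: exit 0 if notAfter is more than N days away, which is
# the condition 'certificate valid > N days' expresses in the monit statement.
valid_more_than_days() {
    openssl x509 -in "$CERT" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# report: prints the outcome for the address forms discussed in the thread.
report() {
    for name in "$FQDN" localhost 127.0.0.1; do
        if hostname_matches "$name"; then
            echo "address $name: certificate name matches"
        else
            echo "address $name: certificate name does NOT match (monit would alert)"
        fi
    done
    if valid_more_than_days 30; then
        echo "certificate valid > 30 days: yes"
    else
        echo "certificate valid > 30 days: no (monit would alert)"
    fi
}

make_cert
report
```

The same comparison is what fails in the original question: the certificate on the local web server names the machine's FQDN, so connecting to `localhost` with verification enabled cannot succeed regardless of whether the certificate is otherwise sound.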
