> On 29 May 2024, at 17:09, Gerrit Kühn <gerrit.ku...@aei.mpg.de> wrote:
>
> However, this doesn't:
> ---
> check host self with address localhost
>     if failed port 443 protocol https and certificate valid > 30 days with
>     ssl options {verify: enable} then alert
> ---
>
> All I get is
> ---
> failed protocol test [HTTP] at [localhost]:443 [TCP/IP TLS] -- Connection
> refused
> ---
>
> From the documentation I got the impression that one should enable
> verification. And why does this cause a "connection refused"?
Verifying an SSL certificate is good practice to prevent MiM, but it requires that the certificate common name points to a valid DNS name. You must also tell Monit to connect using the Fully Qualified Domain Name (FQDN) as the address. Using ‘localhost’ or an IP-address here won’t do. When you enable ssl.verify it simply means that Monit will check that the name of the host (given in address) is the same as the SSL certificate's common name.

Here is a valid 'check host' statement against our mmonit.com server:

check host mmonit with address mmonit.com # FQDN
    if failed port 443 protocol https and certificate valid > 30 days with ssl options {verify: enable} then alert

PS. To see more debug output, start monit with the -Iv options.
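To make the name check in the reply above concrete, here is an added example (not Monit's code and not posted by anyone in this thread) of the hostname matching a TLS client performs when verification is enabled. The subjectAltName list is constructed for illustration and is not the real mmonit.com certificate. It goes slightly beyond the reply: modern clients match the address against the certificate's subjectAltName entries (DNS names and IP addresses), falling back to the common name only for legacy certificates, and a wildcard is honoured only as the whole leftmost label. The result shows why `address localhost` or an IP address fails against a certificate issued for a domain name, while the FQDN succeeds.

```python
import ipaddress

# Constructed sample subjectAltName, as a (type, value) list. These values are
# made up for this example and are not taken from any real certificate.
SAMPLE_SAN = [("DNS", "mmonit.com"), ("DNS", "*.mmonit.com")]


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label (e.g. *.example.com) and only
    matches exactly one label, which is the rule most TLS clients apply.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard not leftmost, or too broad (e.g. *.com)
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False  # wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san: list) -> bool:
    """Return True if `hostname` (what Monit is given in `address`) matches a
    subjectAltName entry. An IP address literal is only ever matched against
    IP Address entries, never against DNS entries."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_match(value, hostname):
            return True
    return False


def check_address(hostname: str, san: list = SAMPLE_SAN) -> str:
    """Summarise the outcome the way an operator would want to see it."""
    if hostname_matches(hostname, san):
        return f"{hostname}: name matches certificate, verification can pass"
    return f"{hostname}: no SAN entry matches, verification fails"


if __name__ == "__main__":
    # Typical values an operator might put in `address`, including the two
    # the reply warns against (localhost and a bare IP).
    for addr in ("mmonit.com", "www.mmonit.com", "localhost", "127.0.0.1"):
        print(check_address(addr))
```

Run it directly to see each address classified; the FQDN and its wildcard subdomain match, while `localhost` and `127.0.0.1` do not, which is the situation the original question runs into once verification is switched on.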