monit, let's encrypt, and file permissions

johndoeysmith asked:

I decided to put monit on my vps running centos 7.
I’ve already got let’s encrypt on the server and the certs are installed. I wanted to point monit at the fullchain.pem or the cert.pem, but I get this error.

    Dec 30 00:56:52 [23926]: The SSL server PEM file 
    '/etc/letsencrypt/live/example.com/fullchain.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
    Dec 30 00:56:52 monit[23926]: /etc/monitrc:131: SSL server PEM file permissions check failed 'allow'
    Dec 30 00:56:52  systemd[1]: monit.service: main process exited, code=exited, status=1/FAILURE

Not sure how to proceed. Do I change the owner of the cert files? Do I change the owner who runs monit?

My answer:


Monit is quite strange in that it expects the private key and TLS certificate chain to be concatenated into a single file specified by pemfile, so you can’t use certificates retrieved with certbot without some further processing.

You will need to set up a deploy hook in certbot in order to concatenate the certificates into a single file and set permissions on that file.

An example script might look like:

#!/bin/bash

for domain in $RENEWED_DOMAINS
do
    case $domain in
    example.com)
        cat $RENEWED_LINEAGE/privkey.pem $RENEWED_LINEAGE/fullchain.pem > /etc/monit/pemfile-$domain.pem
        chmod 600 /etc/monit/pemfile-$domain.pem
        ;;
done

Then renew with certbot renew --deploy-hook '/path/to/that/script.sh'.

And in monit specify pemfile /etc/monit/pemfile-example.com.pem

Finally, you can restart monit with the renewed cert with something like a certbot renew --post-hook 'systemctl restart monit'


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.