
[monit-dev] Patch to allow for chained SSL certificates


From: Lawrence Tan
Subject: [monit-dev] Patch to allow for chained SSL certificates
Date: Tue, 04 Aug 2009 14:03:43 -0400
User-agent: Thunderbird 2.0.0.22 (Macintosh/20090605)

Dear all,

I'm writing with reference to an issue which came up sometime last year on the general mailing list which I found when I encountered the same problem recently.

(Re: http://lists.gnu.org/archive/html/monit-general/2008-05/msg00042.html)

When Monit is run with a chained SSL certificate, the http server only serves the server digital certificate, but not the rest of the chain, causing browsers to produce an error. I have attached a patch below that should address this problem.

Index: ssl.c
===================================================================
--- ssl.c       (revision 15)
+++ ssl.c       (working copy)
@@ -351,8 +351,7 @@
     goto sslerror;
   }

-  if(SSL_CTX_use_certificate_file(ssl_server->ctx, pemfile,
-                                  SSL_FILETYPE_PEM) != 1) {
+  if(SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
     LogError("%s: Cannot initialize SSL server certificate -- %s\n",
              prog, SSLERROR);
     goto sslerror;
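
Review bot: the switch to SSL_CTX_use_certificate_chain_file on the added line changes what pemfile must contain, and nothing in the hunk documents it. That call reads PEM only (which is why the SSL_FILETYPE_PEM argument is dropped) and expects the server certificate first in the file, followed by the intermediate certificates in order towards the root; if an intermediate comes first, it is loaded as the server certificate. Please add a comment at this call and a line in the pemfile documentation stating the required order. The unchanged LogError text "Cannot initialize SSL server certificate" could also mention the chain, since a problem with an intermediate certificate in pemfile now fails at this same call.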

I have tested this in a rudimentary manner - I built monit with this patch applied, verified that it still accepts non-chained certificates, and that it also accepts my chained certificate successfully and serves it correctly to Firefox. Please let me know if there are other tests that should be run before I submit this again. Thank you!

Best regards
Lawrence



