I'm trying to use a StartSSL (free) SSL certificate with monit.
I followed the wizard on startssl.com to generate first a private key, then a certificate. I then downloaded the sub.class1.server.ca.pem and ca.pem files. I combined them all into one single file like so:
cat ssl.key ssl.crt sub.class1.server.ca.pem ca.pem > server.pem
I then set that file in monitrc as the pemfile. The resulting setup works fine in Chrome / IE, but displays the (Error code: sec_error_unknown_issuer) message in Firefox. I get the same result if I leave out the StartSSL intermediate CA certificates, like so:
cat ssl.key ssl.crt > server.pem
Could it be that monit only supports a single certificate and not a chain of certificates?
How can I get monit to recognise the certificate chain and display without error in Firefox?
Best Answer
Chances are high that you're missing a chain certificate or have them in the wrong order, and that Chrome/IE already know the chains when Firefox doesn't.
You can use openssl s_client to debug this, but it's a bit clunky and nasty. I quite like the free tool on sslshopper for testing SSL cert deployments. Give that a try and report back what you get!