LinuxQuestions.org
Old 05-31-2011, 01:39 AM   #1
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119
Blog Entries: 1

Rep: Reputation: 15
Question problem to restart https service in cronjob


Hi all, I have a doubt about a shell script.

I installed the https service on my remote host. Sometimes the https service suddenly dies; that's why I wrote a small script and assigned it to a cron job every 15 minutes.
But it is not working fine, because I installed the SSL certificate with a password. When I restart the httpd service it asks for the password, and I don't know how to give the password in the script. Could anybody please guide me on how to give the password argument in my shell script?
Below is the script I wrote. I am a beginner in scripting.

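#!/bin/bash
# Restart httpd when nothing is listening for http/https, and mail the result.
ACC="/sbin/service httpd"
netstat -l -t -p | grep http > /dev/null
status=$?        # save grep's exit status before echo overwrites $?
echo $status
if [ $status -ne 0 ]
then
    $ACC stop
    $ACC start > statap
    mutt -s " apache tr stat" -a statap myid@gmail.com < /dev/null
else
    echo "service running fine" > /var/log/httpd/aphelth
fi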

thanks in advance...

Last edited by ramesh14; 05-31-2011 at 01:43 AM.
 
Old 05-31-2011, 01:52 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

Add:
Code:
SSLPassPhraseDialog  exec:/path/to/passphrase
in httpd.conf (or ssl.conf) and create a script named passphrase like:
Code:
#!/bin/sh
echo "password"
Make it executable and you'll be set

Regards
 
1 members found this post helpful.
Old 05-31-2011, 02:11 AM   #3
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Hi bathory,

Thank you for your suggestion, but I didn't get clarity.

Shall I add this code like this in my shell script?

#!/bin/bash
ACC="/sbin/service httpd"
netstat -l -t -p | grep http > /dev/null
status=$?        # save grep's exit status before echo overwrites $?
echo $status
if [ $status -ne 0 ]
then
    $ACC stop
    $ACC start > statap
    SSLPassPhraseDialog exec:/etc/httpd/conf/passfile
fi


Can I edit the httpd.conf file below with echo "password", or create a new password file?
I didn't understand, please advise me.
Thanks in advance.

Last edited by ramesh14; 05-31-2011 at 02:24 AM.
 
Old 05-31-2011, 02:26 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

No, you don't have to touch anything in your startup script.
You put the SSLPassPhraseDialog directive in the appropriate apache config file and then create the little script passphrase (in the path you gave as the SSLPassPhraseDialog argument).
What the script does is echo the ssl password when apache starts, so you don't have to type it.
I hope it's clear now.

Regards
 
1 members found this post helpful.
Old 05-31-2011, 03:01 AM   #5
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Thanks bathory, my doubts are cleared now. Thanks for your valuable suggestions; I'll try it now.

Last edited by ramesh14; 05-31-2011 at 03:40 AM.
 
Old 06-01-2011, 01:44 AM   #6
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Hi bathory, I tried to implement what you said yesterday, but I am getting errors. Please glance at these errors once.
I edited the httpd.conf file with SSLPassPhraseDialog exec:/etc/httpd/conf.d/passphrase and I am getting errors.
Next I tried to edit the ssl.conf file with SSLPassPhraseDialog exec:/etc/httpd/conf.d/passphrase, but it is not working fine.

I followed the steps below:

#######
I created the passphrase file in /path/to/passphrase
#!/bin/bash
echo "XXXXXX"
##########
Edited the httpd.conf file:
SSLEngine on
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
SSLPassPhraseDialog exec:/path/to/passphrase
#########
Next I checked:
#httpd -t
Syntax error on line 1009 of /etc/httpd/conf/httpd.conf:
SSLPassPhraseDialog cannot occur within <VirtualHost> section
########
Next I removed it from the <VirtualHost> section
and copied it after the VirtualHost section, like this:
<VirtualHost X.X.X.X:443>
DocumentRoot /var/www/html/
DirectoryIndex index.htm
SSLEngine on
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
ErrorLog logs/tserver-error_log
CustomLog logs/tserver-access_log common
</VirtualHost>
SSLPassPhraseDialog exec:/path/to/passphrase


httpd -t
syntax ok
service httpd start
httpd dead but subsys locked
#############

I removed the SSLPassPhraseDialog exec:/path/to/passphrase section from the httpd.conf file.

I copied it into the ssl.conf file,
but when I tried to restart the service I got the error below:
httpd dead but subsys locked

If I remove this SSLPassPhraseDialog exec:/path/to/passphrase from the ssl.conf file, the service works fine, but when I restart the service it asks for the password.
Please suggest how to execute my script without the password.


thanks in advance

Last edited by ramesh14; 06-01-2011 at 01:57 AM.
 
Old 06-01-2011, 02:46 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Did you remember to make the passphrase script executable?
Also, if you're running Fedora as in your profile, it could be SELinux that prevents apache from executing the passphrase script.
 
1 members found this post helpful.
Old 06-01-2011, 03:01 AM   #8
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Good afternoon bathory,

I already gave 755 permission to the passphrase file, so it is an executable file,
and I disabled the SELinux policy:
# getenforce
Disabled
But I am unable to restart the service.
I am getting the same error.
 
Old 06-01-2011, 03:16 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Can you take a look at the error_log and see if you get anything?
Also what happens if you execute the script directly from command line?
Code:
/etc/httpd/conf.d/passphrase
 
1 members found this post helpful.
Old 06-01-2011, 03:39 AM   #10
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Hi bathory,

I tested my passphrase script:
cd /etc/httpd/conf.d/
#./passphrase
displaying password
#################
service httpd start
Starting httpd: Syntax error on line 1021 of /etc/httpd/conf/httpd.conf:
SSLPassPhraseDialog cannot occur within <VirtualHost> section

I can't understand this error ###cannot occur within <VirtualHost> section####
###########################################
I checked the error_log:
tail -f /var/log/httpd/error_log
[Wed May 25 00:39:22 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed May 25 00:39:22 2011] [warn] RSA server certificate CommonName (CN) `digitsample.com' does NOT match server name!?
[Wed May 25 00:39:22 2011] [notice] Digest: generating secret for digest authentication ...
[Wed May 25 00:39:22 2011] [notice] Digest: done
[Wed May 25 00:39:22 2011] [warn] No JkLogFile defined in httpd.conf. Using default /etc/httpd/logs/mod_jk.log
[Wed May 25 00:39:22 2011] [warn] No JkShmFile defined in httpd.conf. Using default /etc/httpd/logs/jk-runtime-status
[Wed May 25 00:39:22 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed May 25 00:39:22 2011] [warn] RSA server certificate CommonName (CN) `sampleserver.com' does NOT match server name!?
[Wed May 25 00:39:22 2011] [notice] Apache/2.2.8 (Unix) DAV/2 mod_jk/1.2.31 mod_ssl/2.2.8 OpenSSL/0.9.8g configured -- resuming normal operations
[Wed May 25 01:06:44 2011] [notice] caught SIGTERM, shutting down

Last edited by ramesh14; 06-01-2011 at 03:42 AM.
 
Old 06-01-2011, 03:59 AM   #11
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
You should put the SSLPassPhraseDialog outside the <Virtualhost ...:443>...</Virtualhost> part of the config file. And btw if you're using fedora don't put ssl stuff in httpd.conf. Open /etc/httpd/conf.d/ssl.conf, find the SSLPassPhraseDialog directive and change it accordingly
 
1 members found this post helpful.
Old 06-01-2011, 04:31 AM   #12
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Hi bathory, thanks, it's working successfully. I am using FC13 and changed the SSL stuff in the ssl.conf file.
It is working fine.
Thank you very much.....
 
Old 06-01-2011, 06:47 AM   #13
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
Hi bathory, that script is working fine, but my organization does not accept keeping the password in the file. Is it possible to put the password in the script file? Later I'll encrypt the script file.
 
Old 06-01-2011, 07:32 AM   #14
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

You can remove the passphrase from the server's key, if you don't want to store it in a file.
To do so, make a backup of the key file just in case something goes wrong...
Code:
cp server.key server.key.bak
Then run:
Code:
openssl rsa -in server.key -out server.key
Edit ssl.conf and use "SSLPassPhraseDialog builtin". Then restart apache and see if it starts without asking for the passphrase.
 
1 members found this post helpful.
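
Added example, not part of any post in this thread: a shell check covering the two setups discussed above, the `exec:` passphrase helper and the key with its passphrase removed. It reports a key file or helper script that group or other users can access. The function names and the sample files are constructed for illustration, and it assumes httpd is started as root, so a root-owned helper with mode 700 can still be run at startup.

```shell
#!/bin/sh
# Added example (not from the thread): audit a TLS key file and its exec: helper.

# Succeeds if the PEM key is passphrase-protected (traditional or PKCS#8 header).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Succeeds if group or other have any permission bit set on the file.
too_open() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]
}

# audit_tls_key_setup KEYFILE [HELPER]; the return status is the number of findings.
audit_tls_key_setup() {
    a_key=$1 a_helper=${2:-} a_findings=0
    if too_open "$a_key"; then
        echo "FINDING: $a_key is accessible to group/other (want mode 600 or 400)"
        a_findings=$((a_findings + 1))
    fi
    if key_is_encrypted "$a_key"; then
        # The helper prints the passphrase, so it needs the same protection as the key.
        if [ -n "$a_helper" ] && too_open "$a_helper"; then
            echo "FINDING: $a_helper is accessible to group/other (want mode 700)"
            a_findings=$((a_findings + 1))
        fi
    else
        echo "NOTE: $a_key has no passphrase; file permissions are its only protection"
    fi
    return "$a_findings"
}

# Constructed sample files (not real keys): an encrypted-key header and a 755 helper.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$demo_dir/server.key"
printf '#!/bin/sh\necho "XXXXXX"\n' > "$demo_dir/passphrase"
chmod 644 "$demo_dir/server.key"
chmod 755 "$demo_dir/passphrase"
audit_tls_key_setup "$demo_dir/server.key" "$demo_dir/passphrase" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a real host, pass the SSLCertificateKeyFile path and the SSLPassPhraseDialog exec: path as the two arguments.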
Old 06-01-2011, 07:55 AM   #15
ramesh14
Member
 
Registered: Apr 2008
Location: Hyderabad
Distribution: RHEL5,Fedora 8/9
Posts: 119

Original Poster
Blog Entries: 1

Rep: Reputation: 15
k thank you
 
  

