LinuxQuestions.org


Tcat 09-01-2006 12:16 PM

httpd service restart wants password
 
I know how I did this, I'm looking to find out how to get rid of it.

I was generating a Secure Certificate Request and the password I used for the certificate has to be entered every time I reboot so I can start HTTPD services.

Is there a FAQ on how to get rid of the password altogether? I ended up using the certificate on another server so it is not a concern.

I'm running FC3/Apache


Thanks for any help!

gilead 09-02-2006 02:51 PM

You can remove the passphrase from your key with the following command. There is a security risk, but it sounds like you've already considered that:
Code:

openssl rsa -in server.key -out server.pem
There's more info at http://slacksite.com/apache/certificate.html but basically you're removing the triple DES encryption.

Tcat 09-07-2006 02:24 PM

Gilead,
Thanks much for responding to my question.
I get the following response using that command. Is this a path issue?

Code:

[root@server1 ~]# openssl rsa -in server.key -out test.pem
Error opening Private Key server.key
3858:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('server.key','r')
3858:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
unable to load Private Key
[root@server1 ~]#


Thanks again for your time

gilead 09-07-2006 05:24 PM

It could be - I run the commands from the directory that the key is located in. Here's the script I use:
Code:

#! /bin/bash
#

echo "Generating key with passphrase - passphrase is removed later"
/usr/bin/openssl genrsa -des3 -out server 1024

echo "Removing passphrase"
/usr/bin/openssl rsa -in server -out server.key

echo "Remove temp file and set permissions"
/usr/bin/rm -f server
/usr/bin/chmod 0400 server.key


Tcat 09-07-2006 06:44 PM

I managed to break httpd, it won't start now. LOL

gilead 09-07-2006 07:58 PM

Murphy's law is always at work :) Are there any messages in the error or access logs?

Tcat 09-07-2006 08:13 PM

ssl_error_log
Code:

[Thu Sep 07 21:04:46 2006] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key::key values mismatch
error_log
Code:

[Thu Sep 07 21:04:46 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
That's about all I see at the moment.

If it makes any difference, I don't require SSL for any sites on this box. I've never had a service die like that before (not that I'm a guru to begin with).

If I used this command right, I don't think apache is running at all.

Code:

ps -ef | grep httpd
root      3864  3775  0 21:12 pts/0    00:00:00 grep httpd


gilead 09-07-2006 08:33 PM

When you run apachectl (/usr/local/apache2/bin/apachectl on my system) do you get output like the following?
Code:

# /usr/local/apache2/bin/apachectl -l | grep ssl
  mod_ssl.c
# /usr/local/apache2/bin/apachectl -t
Syntax OK


Tcat 09-07-2006 08:39 PM

I didn't get any reaction from the first command (grep). The exact output is:

Code:

# apachectl -l | grep ssl
# apachectl -t
Syntax OK


gilead 09-07-2006 08:48 PM

As far as I know you need mod_ssl for the https stuff to work. The process I use for building Apache is:
Code:

./configure --with-layout=Apache --prefix=/usr/local/apache2 --enable-rule=SHARED_CORE --enable-so --enable-ssl --enable-rewrite --with-ssl=/usr/include
make
make install

Did you compile your own Apache and include mod_ssl? If you didn't compile your own, is there a mod_ssl package with Fedora (the name might not be mod_ssl)?

Tcat 09-07-2006 08:52 PM

I am running the default vanilla install that Fedora does for Apache and most services.
All I originally did was generate a CSR, and that started this whole password requirement every time I rebooted the server (I had to do a manual: services httpd start, and it prompted me for the password, and after that it worked OK). I was just trying to eliminate the need for that originally.

I really don't have a need for https at all anyway.

Wim Sturkenboom 09-07-2006 11:05 PM

Apache does not start as there is a problem with the certificate. I use Slackware and don't know much about Fedora, but you should be able to start Apache without SSL support (on my box as shown below).
Code:

/usr/sbin/apachectl startssl    # start with SSL support
/usr/sbin/apachectl start      # start without SSL support

Further you can remove the ssl support from the configuration files.

You can also generate a new key and from there a new certificate (in my opinion the best option).
Code:

root@btd-techweb01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)

From my notes:
Quote:

I did not add the option -des3 after genrsa as it will require a password every time the Apache webserver is restarted. This will prevent automatic restarts (e.g. after power down). Although less secure as the key is not encrypted and a breach in security on the server might reveal the key, this risk is acceptable.
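
The "key values mismatch" line in ssl_error_log means the certificate Apache loaded does not carry the public key of the private key it loaded. The following is an added example, not posted by anyone in this thread: it checks a key/certificate pair for that condition and reports whether a key is still passphrase-protected, which is what causes the prompt at httpd start. File names and the example.test subject are constructed, and the demo generates throwaway keys in a temp directory.

```shell
#!/bin/sh
# Added example: pre-restart checks for an Apache key/certificate pair.
# All file names are constructed; nothing here comes from the thread's server.

# Succeeds if the key file is passphrase-protected. Covers the traditional PEM
# header written by "genrsa -des3" and the PKCS#8 encrypted form.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeeds if the certificate ($2) carries the public key of the private key ($1).
# Returns 2 if either file cannot be read. "-passin pass:" supplies an empty
# passphrase so an encrypted key fails immediately instead of prompting.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# Constructed demo: throwaway keys in a temp dir, one result per line.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/a.key" 2048 2>/dev/null
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/a.key" -subj "/CN=example.test" \
        -days 1 -out "$d/a.crt" 2>/dev/null
    openssl rsa -in "$d/a.key" -aes256 -passout pass:constructed \
        -out "$d/a.enc.key" 2>/dev/null

    key_matches_cert "$d/a.key" "$d/a.crt" \
        && echo "a.key vs a.crt: match" || echo "a.key vs a.crt: MISMATCH"
    key_matches_cert "$d/b.key" "$d/a.crt" \
        && echo "b.key vs a.crt: match" || echo "b.key vs a.crt: MISMATCH"
    key_is_encrypted "$d/a.key" \
        && echo "a.key: encrypted" || echo "a.key: unencrypted"
    key_is_encrypted "$d/a.enc.key" \
        && echo "a.enc.key: encrypted" || echo "a.enc.key: unencrypted"
    rm -rf "$d"
}

demo
```

Running both checks against the files named in the SSLCertificateFile and SSLCertificateKeyFile directives before restarting httpd catches a replaced key that no longer matches the installed certificate.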

Tcat 09-07-2006 11:33 PM

Thanks much for the suggestion. I too thought I just need to create a new key.

My question there is: all the Fedora folders regarding ssl/ appear to have the following structure:
drwx------ 2 root root 4096 Oct 10 2005 ssl.crl
drwx------ 2 root root 4096 Jun 25 15:05 ssl.crt
drwx------ 2 root root 4096 Sep 5 2005 ssl.csr
drwx------ 2 root root 4096 Sep 8 00:19 ssl.key
drwx------ 2 root root 4096 Sep 5 2005 ssl.prm


My question is: by running the commands to create the key from /usr/sbin/, does that put the required files into those folders automatically?
ie: the .crt file you create, does that go into the /ssl.crt folder by itself?

I'm sorry I sound like such a noob :( I am.. as I mentioned. I never had to touch this stuff before, it was all just the default Fedora installation prior to me generating the original CSR.


Thanks much for your advice folks.

gilead 09-07-2006 11:53 PM

Quote:

Originally Posted by Tcat
My question is: by running the commands to create the key from /usr/sbin/, does that put the required files into those folders automatically?
ie: the .crt file you create, does that go into the /ssl.crt folder by itself?

The output of those commands will be in whatever directory you are in when you run the command, so you need to manually put the files in their final directory, or run the commands from that directory.

You can put the cert in ssl.crt by itself, mine is. The tutorial I used had a directory structure I've stuck with because it worked. /usr/local/apache2/conf/ssl.crt contains server.crt and /usr/local/apache2/conf/ssl.key contains server.key (and my script).

Tcat 09-08-2006 10:47 AM

Thanks for your help all. I was able to fix it following this.
http://www.apache-ssl.org/#FAQ

Just created the key/certificate and dumped them in the proper folders.
Once I did that, httpd started without any trouble.

Now I'm off to install FC5 on another box. Fighting a lockup problem though when Gnome starts; I think it's the graphics settings.


Thanks Again!!

