LinuxQuestions.org
Old 09-01-2006, 01:16 PM   #1
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Rep: Reputation: 0
httpd service restart wants password


I know how I did this, I'm looking to find out how to get rid of it.

I was generating a Secure Certificate Request and the password I used for the certificate has to be entered every time I reboot so I can start HTTPD services.

Is there a FAQ on how to get rid of the password altogether? I ended up using the certificate on another server so it is not a concern.

I'm running FC3/Apache


Thanks for any help!
 
Old 09-02-2006, 03:51 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,125

Rep: Reputation: 165Reputation: 165
You can remove the passphrase from your key with the following command. There is a security risk, but it sounds like you've already considered that:
Code:
openssl rsa -in server.key -out server.pem
There's more info at http://slacksite.com/apache/certificate.html but basically you're removing the triple DES encryption.
 
Old 09-07-2006, 03:24 PM   #3
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
Gilead,
Thanks much for responding to my question.
I get the following response using that command. Is this a path issue?

Code:
[root@server1 ~]# openssl rsa -in server.key -out test.pem
Error opening Private Key server.key
3858:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('server.key','r')
3858:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
unable to load Private Key
[root@server1 ~]#

Thanks again for your time
 
Old 09-07-2006, 06:24 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,125

Rep: Reputation: 165Reputation: 165
It could be - I run the commands from the directory that the key is located in. Here's the script I use:
Code:
#! /bin/bash
#

echo "Generating key with passphrase - passphrase is removed later"
/usr/bin/openssl genrsa -des3 -out server 1024

echo "Removing passphrase"
/usr/bin/openssl rsa -in server -out server.key

echo "Remove temp file and set permissions"
/usr/bin/rm -f server
/usr/bin/chmod 0400 server.key
 
Old 09-07-2006, 07:44 PM   #5
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
I managed to break httpd, it won't start now. LOL
 
Old 09-07-2006, 08:58 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,125

Rep: Reputation: 165Reputation: 165
Murphy's law is always at work. Are there any messages in the error or access logs?
 
Old 09-07-2006, 09:13 PM   #7
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
ssl_error_log
Code:
[Thu Sep 07 21:04:46 2006] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key::key values mismatch
error_log
Code:
[Thu Sep 07 21:04:46 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
That's about all I see at the moment.

If it makes any difference, I don't require SSL for any sites on this box. I've never had a service die like that before (not that I'm a guru to begin with).

If I used this command right, I don't think apache is running at all.

Code:
ps -ef | grep httpd
root      3864  3775  0 21:12 pts/0    00:00:00 grep httpd

Last edited by Tcat; 09-07-2006 at 09:15 PM.
 
Old 09-07-2006, 09:33 PM   #8
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,125

Rep: Reputation: 165Reputation: 165
When you run apachectl (/usr/local/apache2/bin/apachectl on my system) do you get output like the following?
Code:
# /usr/local/apache2/bin/apachectl -l | grep ssl
  mod_ssl.c
# /usr/local/apache2/bin/apachectl -t
Syntax OK
 
Old 09-07-2006, 09:39 PM   #9
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
I didn't get any reaction from the first command (grep). The exact output is:

Code:
# apachectl -l | grep ssl
# apachectl -t
Syntax OK
 
Old 09-07-2006, 09:48 PM   #10
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,125

Rep: Reputation: 165Reputation: 165
As far as I know you need mod_ssl for the https stuff to work. The process I use for building Apache is:
Code:
./configure --with-layout=Apache --prefix=/usr/local/apache2 --enable-rule=SHARED_CORE --enable-so --enable-ssl --enable-rewrite --with-ssl=/usr/include
make
make install
Did you compile your own Apache and include mod_ssl? If you didn't compile your own, is there a mod_ssl package with Fedora (the name might not be mod_ssl)?
 
Old 09-07-2006, 09:52 PM   #11
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
I am running the default vanilla install that Fedora does for Apache and most services. All I originally did was generate a CSR and that started this whole password requirement thing every time I rebooted the server (had to do a manual: services httpd start and it prompted me for the password and after that it worked ok). I was just trying to eliminate the need for that originally.

I really don't have a need for https at all anyway.
 
Old 09-08-2006, 12:05 AM   #12
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
Apache does not start as there is a problem with the certificate. I use Slackware and don't know much about Fedora, but you should be able to start Apache without SSL support (on my box as shown below).
Code:
/usr/sbin/apachectl startssl    # start with SSL support
/usr/sbin/apachectl start       # start without SSL support
Further you can remove the ssl support from the configuration files.

You can also generate a new key and from there a new certificate (in my opinion the best option).
Code:
root@btd-techweb01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
From my notes:
Quote:
I did not add the option -des3 after genrsa as it will require a password every time the Apache webserver is restarted. This will prevent automatic restarts (e.g. after power down). Although less secure as the key is not encrypted and a breach in security on the server might reveal the key, this risk is acceptable.

Last edited by Wim Sturkenboom; 09-08-2006 at 12:08 AM.
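
The two failures in this thread, the passphrase prompt at startup and the `key values mismatch` error from post #7, can both be checked with openssl before httpd is restarted. The script below is an added example, not part of any post in the thread; the file names, the passphrase and the `example.test` subject are constructed, and it generates 2048-bit keys.

```shell
#!/bin/sh
# Added example: all keys, passphrases and names below are constructed.

# Succeeds if the PEM private key is passphrase-protected, i.e. httpd would
# prompt at startup. Covers the traditional and PKCS#8 PEM encodings.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Succeeds if the certificate holds the public half of the private key.
# When this fails, mod_ssl logs "key values mismatch" and httpd will not start.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout </dev/null 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Writes constructed sample files to a temp directory and prints its path.
make_constructed_samples() {
    d=$(mktemp -d) || return 1
    {
        # Encrypted key (genrsa -des3), then the passphrase removal from post #2.
        openssl genrsa -des3 -passout pass:constructed -out "$d/enc.key" 2048 &&
        openssl rsa -in "$d/enc.key" -passin pass:constructed -out "$d/plain.key" &&
        chmod 0400 "$d/plain.key" &&
        # Self-signed certificate for that key, plus an unrelated second key.
        openssl req -new -x509 -key "$d/plain.key" -subj "/CN=example.test" \
            -days 1 -out "$d/server.crt" &&
        openssl genrsa -out "$d/other.key" 2048
    } >/dev/null 2>&1 || return 1
    echo "$d"
}

dir=$(make_constructed_samples) || exit 1
for k in enc.key plain.key; do
    if key_is_encrypted "$dir/$k"; then echo "$k: passphrase prompt at startup"
    else echo "$k: no passphrase"; fi
done
for k in plain.key other.key; do
    if key_matches_cert "$dir/$k" "$dir/server.crt"; then echo "$k: matches server.crt"
    else echo "$k: key values mismatch"; fi
done
rm -rf "$dir"
```

On a real server, point the two functions at the files named by SSLCertificateFile and SSLCertificateKeyFile in the httpd configuration.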
 
Old 09-08-2006, 12:33 AM   #13
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks much for the suggestion. I too thought I just need to create a new key.

My question there is. All the Fedora folders regarding ssl/ appear to be the following structure:
drwx------ 2 root root 4096 Oct 10 2005 ssl.crl
drwx------ 2 root root 4096 Jun 25 15:05 ssl.crt
drwx------ 2 root root 4096 Sep 5 2005 ssl.csr
drwx------ 2 root root 4096 Sep 8 00:19 ssl.key
drwx------ 2 root root 4096 Sep 5 2005 ssl.prm


My question is. By running the commands to create the key from /usr/sbin/ does that put the required files into those folders automatically?
ie: the .crt file you create, does that go into the /ssl.crt folder by itself?

I'm sorry I sound like such a noob I am.. as I mentioned. I never had to touch this stuff before, it was all just the default Fedora installation prior to me generating the original csr.


Thanks much for your advice folks.
 
Old 09-08-2006, 12:53 AM   #14
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,125

Rep: Reputation: 165Reputation: 165
Quote:
Originally Posted by Tcat
My question is. By running the commands to create the key from /usr/sbin/ does that put the required files into those folders automatically?
ie: the .crt file you create, does that go into the /ssl.crt folder by itself?
The output of those commands will be in whatever directory you are in when you run the command, so you need to manually put the files in their final directory, or run the commands from that directory.

You can put the cert in ssl.crt by itself, mine is. The tutorial I used had a directory structure I've stuck with because it worked. /usr/local/apache2/conf/ssl.crt contains server.crt and /usr/local/apache2/conf/ssl.key contains server.key (and my script).
 
Old 09-08-2006, 11:47 AM   #15
Tcat
LQ Newbie
 
Registered: Dec 2004
Distribution: Fedora Core 2
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for your help all. I was able to fix it following this.
http://www.apache-ssl.org/#FAQ

Just created the key/certificate and dumped them in the proper folders.
Once I did that, httpd started without any trouble.

Now I'm off to install FC5 on another box. Fighting a lockup problem though when Gnome starts, think it's the graphics settings.


Thanks Again!!
 
  

