LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 09-22-2008, 08:14 AM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 77
Apache Requires SSL / Passphrase


I have Apache2 installed on my web server and also installed my SSL certificates and now when Apache to starts / restarts it requires a passphrase each and every time...

Code:
mail:/# /etc/init.d/apache2 start
Starting web server (apache2)...[Mon Sep 22 09:03:45 2008] [warn] module ssl_module is already loaded, skipping
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
It possible to automate this so I don't have to do this each every time? If for some reason I need to reboot the web server and can't gain access to a terminal prompt, I would miss this option and Apache will not start.
 
Old 09-22-2008, 08:32 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,204
Blog Entries: 1

Rep: Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059
You can edit the config file so it contains:
Code:
SSLPassPhraseDialog  exec:/path/to/passphrase-file
where the passphrase file contains something like:
Code:
#!/bin/sh
echo "passphrase"
 
Old 09-22-2008, 09:18 AM   #3
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 77
Which config file do I edit?

httpd.conf or ssl.conf?
 
Old 09-22-2008, 09:57 AM   #4
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 77
I found this in my /etc/apache2/ssl.conf file:

Code:
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        dbm:/var/cache/mod_ssl/scache(512000)
#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
 
Old 09-22-2008, 10:38 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,204
Blog Entries: 1

Rep: Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059
Since you have 2 conf files and the "SSLPassPhraseDialog" is in ssl.conf, you should replace "SSLPassPhraseDialog builtin" with the one I gave you above.
 
Old 09-22-2008, 12:03 PM   #6
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 77
I added this to ssl.conf:

SSLPassPhraseDialog exec:/usr/bin/ssl_passphrase.sh

Then I created the following file:

Code:
-rw-r--r-- 1 root root 26 2008-09-22 12:55 /usr/bin/ssl_passphrase.sh
Code:
mail:/var/log/apache2# cat /usr/bin/ssl_passphrase.sh 
#!/bin/sh
echo "PASSwOrD123"
I can run the file I just created:

Code:
mail:/var/log/apache2# sh /usr/bin/ssl_passphrase.sh 
PASSwOrD123
Then I attempted to "restart" Apache:

mail:/var/log/clamav# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)...[Mon Sep 22 12:55:45 2008] [warn] module ssl_module is already loaded, skipping
waiting [Mon Sep 22 12:55:47 2008] [warn] module ssl_module is already loaded, skipping
failed!


Received the following in my logs:


mail:/var/log/apache2# tail error.log
[Mon Sep 22 12:55:47 2008] [error] Init: Pass phrase incorrect
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
[Mon Sep 22 12:56:19 2008] [error] Init: Pass phrase incorrect
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
 
Old 09-22-2008, 12:38 PM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,204
Blog Entries: 1

Rep: Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059
You should make the script executable
Code:
chmod +x /usr/bin/ssl_passphrase.sh
so apache does not use the shell to run it.

Regards
 
Old 09-22-2008, 01:14 PM   #8
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 77
Cool - appears to be working. Thanks! Is that not dangerous having that pass phrase on my system in plain text?
 
Old 09-22-2008, 01:31 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by Carlwill View Post
Cool - appears to be working. Thanks! Is that not dangerous having that pass phrase on my system in plain text?
Of course it is. If you're going to leave the file world-readable, you might as well just use the openssl command to save a copy of the private key in decrypted format.

The smarter thing would be to chown the shell script to the user that Apache runs as and remove the world read bit.

Last edited by chort; 09-22-2008 at 01:34 PM.
 
Old 09-22-2008, 01:32 PM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,204
Blog Entries: 1

Rep: Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059Reputation: 2059
Quote:
Cool - appears to be working. Thanks! Is that not dangerous having that pass phrase on my system in plain text?
It is dangerous if you allow people that you don't trust to have access to your server files.
If you don't feel comfortable with this you can remove the passphrase.
 
Old 10-27-2010, 08:12 AM   #11
Mateo1041
Member
 
Registered: Nov 2004
Location: New Prague, MN
Posts: 80

Rep: Reputation: 15
You're probably better off following this advice:

http://chrisschuld.com/2008/08/remov...l-certificate/

Code:
[root@w2 conf]# openssl rsa -in www.website.com.key -out www.website.com.key.nopass
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SSL Servers vs Apache SSL mlewis Linux - Networking 2 04-02-2008 10:13 AM
Adobe Acrobate Reader Requires A Plugin-That Requires Open LDAP That Requires Berkely Old_Fogie Slackware 10 05-08-2006 05:04 AM
Apache 1.3.33 (debian built) and Apache SSL does not respond to the proper ports lqorg_user Linux - Networking 0 11-06-2005 04:11 PM
apache requires SSL connection ryedunn Linux - Software 1 02-01-2005 07:34 PM
apache ssl passphrase barrys Mandriva 1 10-15-2004 07:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 10:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration