Apache Requires SSL / Passphrase

carlosinfl · 09-22-2008, 08:14 AM

I have Apache2 installed on my web server and also installed my SSL certificates and now when Apache to starts / restarts it requires a passphrase each and every time...

Code:

mail:/# /etc/init.d/apache2 start
Starting web server (apache2)...[Mon Sep 22 09:03:45 2008] [warn] module ssl_module is already loaded, skipping
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

It possible to automate this so I don't have to do this each every time? If for some reason I need to reboot the web server and can't gain access to a terminal prompt, I would miss this option and Apache will not start.

bathory · 09-22-2008, 08:32 AM

You can edit the config file so it contains:

Code:

SSLPassPhraseDialog  exec:/path/to/passphrase-file

where the passphrase file contains something like:

Code:

#!/bin/sh
echo "passphrase"

carlosinfl · 09-22-2008, 09:18 AM

Which config file do I edit?

httpd.conf or ssl.conf?

carlosinfl · 09-22-2008, 09:57 AM

I found this in my /etc/apache2/ssl.conf file:

Code:

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        dbm:/var/cache/mod_ssl/scache(512000)
#SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

bathory · 09-22-2008, 10:38 AM

Since you have 2 conf files and the "SSLPassPhraseDialog" is in ssl.conf, you should replace "SSLPassPhraseDialog builtin" with the one I gave you above.

carlosinfl · 09-22-2008, 12:03 PM

I added this to ssl.conf:

SSLPassPhraseDialog exec:/usr/bin/ssl_passphrase.sh

Then I created the following file:

Code:

-rw-r--r-- 1 root root 26 2008-09-22 12:55 /usr/bin/ssl_passphrase.sh

Code:

mail:/var/log/apache2# cat /usr/bin/ssl_passphrase.sh 
#!/bin/sh
echo "PASSwOrD123"

I can run the file I just created:

Code:

mail:/var/log/apache2# sh /usr/bin/ssl_passphrase.sh 
PASSwOrD123

Then I attempted to "restart" Apache:

mail:/var/log/clamav# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)...[Mon Sep 22 12:55:45 2008] [warn] module ssl_module is already loaded, skipping
waiting [Mon Sep 22 12:55:47 2008] [warn] module ssl_module is already loaded, skipping
failed!

Received the following in my logs:

mail:/var/log/apache2# tail error.log
[Mon Sep 22 12:55:47 2008] [error] Init: Pass phrase incorrect
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Sep 22 12:55:47 2008] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
[Mon Sep 22 12:56:19 2008] [error] Init: Pass phrase incorrect
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Sep 22 12:56:19 2008] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

bathory · 09-22-2008, 12:38 PM

You should make the script executable

Code:

chmod +x /usr/bin/ssl_passphrase.sh

so apache does not use the shell to run it.

Regards

carlosinfl · 09-22-2008, 01:14 PM

Cool - appears to be working. Thanks! Is that not dangerous having that pass phrase on my system in plain text?

chort · 09-22-2008, 01:31 PM

Quote:

Originally Posted by Carlwill

Cool - appears to be working. Thanks! Is that not dangerous having that pass phrase on my system in plain text?

Of course it is. If you're going to leave the file world-readable, you might as well just use the openssl command to save a copy of the private key in decrypted format.

The smarter thing would be to chown the shell script to the user that Apache runs as and remove the world read bit.

bathory · 09-22-2008, 01:32 PM

Quote:

Cool - appears to be working. Thanks! Is that not dangerous having that pass phrase on my system in plain text?

It is dangerous if you allow people that you don't trust to have access to your server files.
If you don't feel comfortable with this you can remove the passphrase.

Mateo1041 · 10-27-2010, 08:12 AM

You're probably better off following this advice:

http://chrisschuld.com/2008/08/remov...l-certificate/

Code:

[root@w2 conf]# openssl rsa -in www.website.com.key -out www.website.com.key.nopass