Scripting for mod_ssl startup

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Thu Jan 3 23:47:20 UTC 2008


On January 3, 2008 03:00:55 pm Stephen W. Clarke wrote:
> Does anyone on this list know how I could write a script to request
> user input during the httpd startup?
>
> I'm using Fedora 7 and Apache with mod_SSL. I have a signed cert from
> Thawte made using a csr created with a pass phrase protected private
> key. When I start the httpd I should get a prompt asking me for the
> pass phrase. Unfortunately, I don't.
>
> However, when I hard code the pass phrase into a bash script file
> that is called from the ssl.conf the httpd starts up fine. This
> solution worries me as I don't like the idea of having the pass
> phrase hard coded in a file that the apache daemon can access. My
> bash scripting knowledge is poor and my attempts to create a prompt
> to request the pass phrase have not been effective.
>
> Do any of you have any suggestions?

Do you really need the passphrase? If you're going to have it 
automatically input, you would be better off removing it from the key 
altogether in case of reboots or crashes.

Keep in mind that the new server.key will have no passphrase, so if your 
box was ever rooted, you'd have to revoke that certificate and purchase 
a new one. Make sure only root can read the file (400 permission).

Make a backup of your key, then do the following:
openssl rsa -in server.key.old -out server.key

After that Apache will start up without any problems with the key in 
place. Check it in your browser to make sure that the des3->rsa switch 
doesn't affect the certificate's validation.

Also, anything in Apache's logs when you try to start it without the 
bash hardcoded file? Does SELinux interfere with the startup prompt?

Jamon
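The procedure in the reply above (back up the key, strip the passphrase with openssl, restrict the file to root), written out as an added example that is not part of the original thread. It assumes openssl is on the PATH, that the passphrase is supplied in a file rather than on the command line, and uses the file names server.key / server.crt from the reply as placeholders for whatever ssl.conf points at.

```shell
#!/bin/sh
# Added example: remove the passphrase from an Apache private key, with the
# checks a careful admin would add: keep a backup, create the new file with a
# restrictive umask so it is never world-readable, confirm the result really
# is unencrypted, and confirm it still matches the certificate.
set -eu

# strip_passphrase KEY PASSPHRASE_FILE
#   Keeps the encrypted original as KEY.old and writes an unencrypted copy
#   to KEY. The passphrase is read from a file so it does not appear in
#   `ps` output or shell history.
strip_passphrase() {
    key=$1
    passfile=$2
    cp -p "$key" "$key.old"
    # umask 077 makes openssl create the new key as mode 600 from the start;
    # chmod 400 then matches the "only root can read it" advice.
    ( umask 077 && openssl rsa -in "$key.old" -passin "file:$passfile" \
        -out "$key" < /dev/null 2>/dev/null )
    chmod 400 "$key"
}

# key_is_unencrypted KEY -> exit 0 if openssl can load it with no passphrase
#   (stdin is /dev/null so a still-encrypted key cannot block on a prompt)
key_is_unencrypted() {
    openssl rsa -in "$1" -passin pass: -noout < /dev/null > /dev/null 2>&1
}

# key_matches_cert KEY CERT -> exit 0 if the public keys are identical,
#   i.e. the des3->rsa switch did not leave you with the wrong key file
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout < /dev/null 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run it as `strip_passphrase /etc/httpd/conf/ssl.key/server.key /root/pass && key_matches_cert ... server.key ... server.crt`, then restart httpd and remove the passphrase file.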
