Scripting for mod_ssl startup

Stephen W. Clarke stephenc-wtWqQT8woy8 at public.gmane.org
Fri Jan 4 13:50:13 UTC 2008


Jamon,

Thanks for your thoughts.

> Do you really need the passphrase?

I'm not sure if I really need the passphrase. There are definitely some
people on the web who don't think a passphrase on the key has any real
value. The cert in question is going on an online store, so I'm trying to
be overly cautious about security. I can make it work successfully without
the passphrase; thanks for your instructions.

What I'd really like, is to get the httpd to ask me for the passphrase on
startup and then use my input to unlock the key. mod_ssl is supposed to do
that automatically but it doesn't seem to want to.

> Also, anything in apache's logs when you try to start it without the
> bash hardcoded file? Does selinux interfere with the startup prompt?

Yes, I get the '[error] Init: Unable to read pass phrase' in the
ssl_error_log.

Yes, selinux did cause some issues at first, but once I relabeled the files
in question httpd started up fine without any warnings.

Thanks again,
Stephen



On Thu, January 3, 2008 18:47, Jamon Camisso wrote:
> On January 3, 2008 03:00:55 pm Stephen W. Clarke wrote:
>
>> Does anyone on this list know how I could write a script to request
>> user input during the httpd startup?
>>
>> I'm using Fedora 7 and Apache with mod_SSL. I have a signed cert from
>> Thawte made using a csr created with a pass phrase protected private
>> key. When I start the httpd I should get a prompt asking me for the pass
>> phrase. Unfortunately, I don't.
>>
>> However, when I hard code the pass phrase into a bash script file
>> that is called from the ssl.conf the httpd starts up fine. This solution
>> worries me as I don't like the idea of having the pass phrase hard coded
>> in a file that the apache daemon can access. My bash scripting knowledge
>> is poor and my attempts to create a prompt to request the pass phrase
>> have not been effective.
>>
>> Do any of you have any suggestions?
>>
>
> Do you really need the passphrase? If you're going to have it
> automatically input, you would be better off removing it from the key
> altogether in case of reboots or crashes.
>
> Keep in mind that the new server.key will have no passphrase, so if your
> box was ever rooted, you'd have to revoke that certificate and purchase a
> new one. Make sure only root can read the file (400 permission).
>
> Make a backup of your key, then do the following:
> openssl rsa -in server.key.old -out server.key
>
> After that Apache will start up without any problems with the key in
> place. Check it in your browser to make sure that the des3->rsa switch
> doesn't affect the certificate's validation.
>
> Also, anything in apache's logs when you try to start it without the
> bash hardcoded file? Does selinux interfere with the startup prompt?
>
> Jamon
>
>
>


-- 
Stephen W. Clarke
Marketing and Communications Officer
Nray Services Inc.
56A Head Street
Dundas, ON L9H 3H7
CANADA

(905) 627-1302 x14

--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
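The thread is about the script mod_ssl runs for an "SSLPassPhraseDialog exec:" directive, and Stephen's concern that the only working version has the pass phrase hard-coded in a file the daemon can read. The helper below is an added example, not code from the thread, from Apache or from Fedora: it is what such a helper looks like when it prompts on the controlling terminal instead of echoing a stored phrase, and refuses to continue when there is no terminal or when the key file is readable by anyone but its owner. mod_ssl invokes the program with two arguments, "servername:port" and the key type (RSA in this case), and takes the pass phrase from the program's stdout. The install path in the comment, the KEY_DIR default and the key filename are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical helper for:  SSLPassPhraseDialog exec:/usr/local/sbin/ssl-pass
# (example code, not from the thread). mod_ssl runs it as
#   /usr/local/sbin/ssl-pass servername:port RSA
# and reads the pass phrase from stdout. Nothing is stored on disk: the phrase is
# typed on the controlling terminal, and a boot without one fails loudly instead
# of starting httpd with a weak fallback.
set -eu

KEY_DIR="${KEY_DIR:-/etc/pki/tls/private}"   # assumption: Fedora's key directory

# Succeed only when the key is a regular file with no group/other permission bits
# (the "400" recommended in the thread). Handles both GNU and BSD stat.
check_key_perms() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "refusing: $f is mode $mode, expected 400" >&2; return 1 ;;
    esac
}

# Prompt text built from mod_ssl's two arguments; a separate function so it can be
# checked without a terminal.
prompt_text() {
    printf 'Enter pass phrase for %s (%s) key: ' "$1" "$2"
}

# Read one line from the controlling terminal with echo off. Fail if there is no
# tty, which is exactly the "Unable to read pass phrase" situation from the thread.
read_passphrase() {
    [ -c /dev/tty ] || { echo "no controlling terminal; cannot prompt" >&2; return 1; }
    prompt_text "$1" "$2" > /dev/tty
    trap 'stty echo < /dev/tty' EXIT INT TERM   # restore echo even if interrupted
    stty -echo < /dev/tty
    IFS= read -r pass < /dev/tty
    stty echo < /dev/tty
    echo > /dev/tty
    printf '%s\n' "$pass"
}

# Entry point used by httpd: only runs when called with mod_ssl's two arguments.
if [ "$#" -eq 2 ]; then
    check_key_perms "$KEY_DIR/localhost.key"   # assumption: key filename
    read_passphrase "$1" "$2"
fi
```

Because the pass phrase is read from /dev/tty rather than from stdin, this only works when httpd is started from an interactive session; an unattended reboot will stop at the prompt's failure, which is the trade-off Jamon's reply points at when suggesting the passphrase be removed from the key instead.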