httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James, Denise" <denise.ja...@fldoe.org>
Subject [users@httpd] PROBLEM RESOLVED: [users@httpd] apachectl startssl --need to start without entering password
Date Mon, 15 Aug 2005 17:39:14 GMT
Thanks for everyone's assistance!  

How can I get rid of the pass-phrase dialog at Apache startup time?
The reason why this dialog pops up at startup and every re-start is that
the RSA private key inside your server.key file is stored in encrypted
format for security reasons. The pass-phrase is needed to be able to
read and parse this file. When you can be sure that your server is
secure enough you perform two steps:

1.      Remove the encryption from the RSA private key (while preserving
the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key 

2.      Make sure the server.key file is now only readable by root:

$ chmod 400 server.key 

Now server.key will contain an unencrypted copy of the key. If you point
your server at this file it will not prompt you for a pass-phrase.
HOWEVER, if anyone gets this key they will be able to impersonate you on
the net. PLEASE make sure that the permissions on that file are really
such that only root or the web server user can read it (preferably get
your web server to start as root but run as another server, and have the
key readable only by root).




Denise O. James
Systems Project Analyst
Florida Department of Education
Education Data Center Rm. B2-24
325 W. Gaines Street
Tallahassee, FL 32399-0400
Phone and Fax:  (850) 245-9805
denise.james@fldoe.org
 

-----Original Message-----
From: Mark H. Wood [mailto:mwood@IUPUI.Edu] 
Sent: Monday, August 15, 2005 9:52 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] apachectl startssl --need to start without
entering password

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 14 Aug 2005, James, Denise wrote:
> Please point me to where I can find documentation on starting apache
> with ssl and NOT having to enter the password.  I am new to managing
> this web server and was recently asked to setup a new certificate
which
> expired.
>
> I did that, but now whenever apache is restarted, or the server itself
> is taken offline, at boot time the password is required.  I didn't
have
> this problem until I added the new certificate.

The usual way is to remove the password from the private key.  For
example (from OpenSSL's 'man rsa'):

  openssl rsa -in key.pem -out keyout.pem

Do something similar for a DSA key, using the 'openssl dsa' command
instead.  You'll be asked for the input key's passphrase if it has one.
If you don't specify a cipher then the output key won't have a
passphrase.
Instruct Apache to use the output key instead of the input key and the
SSL
library should no longer prompt for a passphrase, since it won't need
one
to decrypt the private key.

- -- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFDAJ4fs/NR4JuTKG8RAhygAJ9m2QopD1+iozwDfNvtpmTUlSdoegCfcbs9
Mv0QE9J3g/dPSvtg3KlPohA=
=wEf3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message