Starting apache at boot with SSL.
Cristi Tauber
cristi.tauber at sbhost.ro
Mon Oct 4 04:08:40 PDT 2004
Remko Lodder wrote:
> > I chose to protect my SSL cert with a passphrase. This makes automatic
> > startup at boot impossible. I use FBSD 4.10, and apache would normally
> > start via a script in /usr/local/etc/rc.conf. I just made sure there
> > was
>
> ehm this is not totally true, you can startup automatically by
> havnig a little script that does the following
>
> #!/bin/sh
>
> echo '<passphrase>'
>
> Then there is thingy with the phrase 'builtin' into it. You can change
> that so that the previous bin sh script gets invoked and the server
> will startup at that point.
>
> For the correct syntax i would need to look into my own configuration
> which i cannot access at this moment.
>
> > no .sh script for apache, and start it myself using apachectl startssl.
> > The problem with this setup is that if the server reboots in the middle
> > of the night the web server does not come on, but this almost never
> > happens anyway. You have to balance security with convenience to fit
> > your situation, and I chose security.
> >
> >
> >
>
> Cheers!
>
> --
> Kind regards,
>
> Remko Lodder |remko at elvandar.org
> Reporter DSINet |remko at dsinet.org
> Projectleader Mostly-Harmless |remko at mostly-harmless.nl
> Founder Tienervaders |remko at tienervaders.org
>
For a same question here was my response from Josh Hansen
<josh222 at sisna.com> :
________
Hello Cristi,
This is from the apache site:
How can I get rid of the pass-phrase dialog at Apache startup time?
The reason why this dialog pops up at startup and every re-start is that
the RSA private key inside your server.key file is stored in encrypted
format for security reasons. The pass-phrase is needed to be able to
read and parse this file. When you can be sure that your server is
secure enough you perform two steps:
1. Remove the encryption from the RSA private key (while preserving
the original file):
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
2. Make sure the server.key file is now only readable by root:
$ chmod 400 server.key
Now server.key will contain an unencrypted copy of the key. If you point
your server at this file it will not prompt you for a pass-phrase.
HOWEVER, if anyone gets this key they will be able to impersonate you on
the net. PLEASE make sure that the permissions on that file are really
such that only root or the web server user can read it (preferably get
your web server to start as root but run as another server, and have the
key readable only by root).
As an alternative approach you can use the ``SSLPassPhraseDialog
exec:/path/to/program'' facility. But keep in mind that this is neither
more nor less secure, of course.
____________________________
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
> ---------------------------------------------------
> This message and its contents have been scanned and certified for
> transmission as being free from malicious code by <<eTrust Antivirus>>. This
> message may contain confidential, privileged or other legally protected
> information. It is intended for the addressee(s) only. If you are not the
> addressee, or someone the addressee authorized to receive this message, you
> are prohibited from copying, distributing or otherwise using it. Please
> notify the sender and return it.Thank you.
>
>
---------------------------------------------------
This message and its contents have been scanned and certified for
transmission as being free from malicious code by <<eTrust Antivirus>>. This
message may contain confidential, privileged or other legally protected
information. It is intended for the addressee(s) only. If you are not the
addressee, or someone the addressee authorized to receive this message, you
are prohibited from copying, distributing or otherwise using it. Please
notify the sender and return it.Thank you.
More information about the freebsd-questions
mailing list