Re: Remote Startup ????

hUnTeR Mon, 8 Nov 1999 05:42:01 -0800
andrew wrote:
> 
> O.K. three weeks of my times been wasted so far in discovering that the
> apache wasn't hanging or unable to find a valid cert file. BUT mod_ssl had it
> waiting at the command prompt expecting me to enter the certificate pass-
> phase.
> 
>  HOW is a person suppose to remotly start such a server ??
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

Andrew - 

This is addressed in the mod_ssl FAQ quite well. I will quote from the
FAQ directly since it describes the fixes quite well:

How can I get rid of the pass-phrase dialog at Apache startup time?  
[L] 

The reason why this dialog pops up at startup and every re-start is that
the
RSA private key inside your server.key file is stored in encrypted
format
for security reasons. The pass-phrase is needed to be able to read and
parse
this file. When you can be sure that your server is secure enough you
perform
two steps: 

1.Remove the encryption from the RSA private key (while preserving the
original file): 

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key 

2.Make sure the server.key file is now only readable by root: 

chmod 400 server.key 

Now server.key will contain an unencrypted copy of the key. If you point
your server at this file it will not prompt you for a pass-phrase.
HOWEVER,
if anyone gets this key they will be able to impersonate you on the net.
PLEASE make sure that the permissions on that file are really such that
only
root or the web server user can read it (preferably get your web server
to
start as root but run as another server, and have the key readable only
by
root). 

As an alternative approach you can use the ``SSLPassPhraseDialog
exec:/path/to/program'' facility. But keep in mind that this is neither
more
nor less secure, of course. 

I hope that helps and answers your question. Cheers!
-- 
Michael B. Weiner
Systems Administrator/Partner
The UserFriendly Network (UFN)
--

             / /  (_)__  __ ____  __
            / /__/ / _ \/ // /\ \/ /  
           /____/_/_//_/\_,_/ /_/\_\ 

     * * * CHOICE OF A GNU GENERATION * * *
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
Re: Remote Startup ????

Reply via email to
