third answer.
remove auto start-up of http SSL in your server config files.
telnet to box - and start by hand.  probably should use ssh to telnet
or your clearword password can be observed.


cliff rayman
genwax.com

hUnTeR wrote:

> andrew wrote:
> >
> > O.K. three weeks of my time's been wasted so far in discovering that the
> > apache wasn't hanging or unable to find a valid cert file. BUT mod_ssl had it
> > waiting at the command prompt expecting me to enter the certificate
> > pass-phrase.
> >
> >  HOW is a person supposed to remotely start such a server ??
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]
>
> Andrew -
>
> This is addressed in the mod_ssl FAQ quite well. I will quote from the
> FAQ directly since it describes the fixes quite well:
>
> How can I get rid of the pass-phrase dialog at Apache startup time?
>
> The reason why this dialog pops up at startup and every re-start is that
> the RSA private key inside your server.key file is stored in encrypted
> format for security reasons. The pass-phrase is needed to be able to read
> and parse this file. When you can be sure that your server is secure
> enough you perform two steps:
>
> 1. Remove the encryption from the RSA private key (while preserving the
> original file):
>
> cp server.key server.key.org
> openssl rsa -in server.key.org -out server.key
>
> 2. Make sure the server.key file is now only readable by root:
>
> chmod 400 server.key
>
> Now server.key will contain an unencrypted copy of the key. If you point
> your server at this file it will not prompt you for a pass-phrase.
> HOWEVER, if anyone gets this key they will be able to impersonate you on
> the net. PLEASE make sure that the permissions on that file are really
> such that only root or the web server user can read it (preferably get
> your web server to start as root but run as another server, and have the
> key readable only by root).
>
> As an alternative approach you can use the ``SSLPassPhraseDialog
> exec:/path/to/program'' facility. But keep in mind that this is neither
> more nor less secure, of course.
>
> I hope that helps and answers your question. Cheers!
> --
> Michael B. Weiner
> Systems Administrator/Partner
> The UserFriendly Network (UFN)
> --
>
>              / /  (_)__  __ ____  __
>             / /__/ / _ \/ // /\ \/ /
>            /____/_/_//_/\_,_/ /_/\_\
>
>      * * * CHOICE OF A GNU GENERATION * * *

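Added example (not part of the original thread or the mod_ssl FAQ): a small shell audit for the two FAQ steps quoted above. It reports whether a PEM key still carries a pass-phrase and, if it does not, whether group or other can read it. The function names key_is_encrypted, key_mode and audit_key are hypothetical, and file ownership is not checked.

```shell
#!/bin/sh
# Audit PEM private keys after the FAQ's "remove the pass-phrase" steps:
# an unencrypted key must carry no group/other permission bits.
# Function names are illustrative, not part of mod_ssl or OpenSSL.

# Return 0 if the PEM file is pass-phrase protected.
key_is_encrypted() {
    # Traditional OpenSSL PEM marks encryption with a Proc-Type header;
    # PKCS#8 uses a distinct BEGIN line instead.
    grep -Eq -e '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Print the octal permission bits (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one verdict line. Returns 0 = acceptable, 1 = exposed, 2 = unreadable.
audit_key() {
    f=$1
    [ -r "$f" ] || { echo "ERROR $f: cannot read"; return 2; }
    mode=$(key_mode "$f")
    if key_is_encrypted "$f"; then
        echo "OK $f: encrypted (mode $mode), server will prompt at startup"
        return 0
    fi
    # Unencrypted: the group and other digits must both be 0 (e.g. 400).
    case $mode in
        0|*00) echo "OK $f: unencrypted, mode $mode"; return 0 ;;
        *)     echo "EXPOSED $f: unencrypted and mode $mode, expected 400"; return 1 ;;
    esac
}

# Audit every key path given on the command line; exit status is the worst result.
rc=0
for k in "$@"; do
    audit_key "$k" || { r=$?; [ "$r" -gt "$rc" ] && rc=$r; }
done
[ "$#" -eq 0 ] || exit "$rc"
```

Run it as the user that starts Apache, e.g. `sh audit_key.sh /path/to/server.key /path/to/server.key.org`.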