Nope; logrotate doesn't actually start and stop the apache process (i.e., it doesn't use the /etc/rc.d/init.d/httpd script), it manually sends a SIGHUP to the currently running apache process to tell it to reload itself. This is done without requiring user intervention.
-Brian

On Tue, 2003-02-18 at 11:59, Joe Polk wrote:
> Brian,
> That worked flawlessly! Thanks so much! I opted for the encrypted
> private key. Question: Doesn't logrotate restart my apache server as it
> rotates the logs? If so, I assume I'll need to be present to put in this
> phrase. Is there any other way to have this step eliminated?
>
> <<JAV>>
>
> On Tue, 2003-02-18 at 14:13, Brian J. Smith-Sweeney wrote:
> > There is a Makefile in /usr/share/ssl/certs for generating all kinds of
> > stuff with openssl (csr's, certs, CA, keys, etc). You can use the
> > makefile by running, in that directory...
> >
> > "make ANYNAME.crt"
> >
> > where ANYNAME is what you want the crt and key files to start with (I
> > like to use the server name).
> >
> > This will generate a key and then guide you through the steps for
> > generating a crt file. The only problem is, it requires the use of a
> > PEM passphrase, which means every time you restart your webserver you
> > have to be there to type in that password. If you want to avoid this,
> > you can manually generate the key and make it unencrypted by typing
> >
> > /usr/bin/openssl genrsa 1024 > ANYNAME.key
> >
> > then run
> >
> > "make ANYNAME.crt"
> >
> > as above. Now you'll get guided through generating the crt as before,
> > but it will use an unencrypted private key and you won't have to type
> > the password in each time you restart apache. Of course, using an
> > unencrypted private key has its own nasty implications which I'll leave
> > to your imagination.
> >
> > Once you have the crt and key files, you can replace the ones apache
> > uses in the /etc/httpd/conf/httpd.conf file (by default they are
> > server.crt and server.key). You can either point the conf file to the
> > files in /usr/share/ssl/certs, make symlinks from the /etc/httpd/conf
> > directory, copy the files over, etc.; however you want to set it up so
> > that it's intuitive.
> >
> > Once you restart the apache server, you'll be able to go to your site
> > with (hopefully) any browser, and remember the certificate permanently.
> > You don't need to create a CA with this configuration which I like.
> >
> > A little side note: when you're creating that crt file, make sure when it
> > asks for "Common Name" that you put the name of the site your
> > clients will be pointing to. For instance, if your server's name is
> > "mail.example.com", but you have a DNS cname of "webmail.example.com"
> > and that's the name your clients will be using, that must be what you
> > use as the Common Name for your cert. If you use mail.example.com, when
> > people go to your site their browsers will give them an error saying the
> > site name doesn't match the cert name.
> >
> > Good luck,
> > Brian
> >
> > PS-I can rarely remember the syntax for this when necessary, so I often
> > check the /usr/share/ssl/certs/makefile for the openssl lines I need.
> >
> > --
> > ========================================
> > Brian Smith-Sweeney
> > Senior Systems Administrator
> > University of California, Santa Barbara
> > Physics Department
> > [EMAIL PROTECTED]
> > (805)-893-8366
> > ========================================
> >
> > On Tue, 2003-02-18 at 10:32, Joe Polk wrote:
> > > Okay, I am currently using the default cert on my Red Hat mail server to
> > > provide (albeit crude) encryption to my web mail login page. Of course,
> > > this cert is issued by localhost and will not save, so each visit a user
> > > is prompted to accept the cert. I want to create a unique cert, but I
> > > don't need a full-blown Thawte cert or anything. Do I need to create a
> > > CA? RH7.3 doesn't appear to have CA.pl installed with OpenSSL by
> > > default. I assume I will need this? Any help would be appreciated.
> > >
> > > <<JAV>>
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
> > https://listman.redhat.com/mailman/listinfo/redhat-list
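
An added example, not part of the thread and not taken from the Red Hat Makefile: a shell check for the trade-off discussed above, which classifies a PEM key file as passphrase-protected or not from its headers and verifies that only the owner can access it. The function names, the OK/WARN/FAIL policy and the sample files (real header lines, placeholder bodies, no real key material) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web server private key file. All names are illustrative.

# Print "encrypted", "unencrypted" or "not-a-key" from the PEM headers.
key_protection() {
    if grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -Eq -e '^-----BEGIN ((RSA|DSA|EC) )?PRIVATE KEY-----' "$1"; then
        echo unencrypted
    else
        echo not-a-key
    fi
}

# Succeed only if group and other have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Assumed policy: an exposed key fails; an unencrypted key that only its
# owner can read is a warning, since the file mode is its sole protection.
audit_key() {
    prot=$(key_protection "$1")
    if owner_only "$1"; then perms=owner-only; else perms=exposed; fi
    case "$prot/$perms" in
        not-a-key/*)            verdict=SKIP ;;
        encrypted/owner-only)   verdict=OK ;;
        unencrypted/owner-only) verdict=WARN ;;
        *)                      verdict=FAIL ;;
    esac
    echo "$verdict $prot $perms"
}

# Constructed sample files: real PEM header lines, placeholder bodies.
make_samples() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    cp "$1/plain.key" "$1/open.key"
    chmod 600 "$1/enc.key" "$1/plain.key"
    chmod 644 "$1/open.key"
}

demo=$(mktemp -d) && make_samples "$demo"
for f in "$demo"/*.key; do echo "${f##*/}: $(audit_key "$f")"; done
rm -rf "$demo"
```

To check a real installation, call `audit_key` on the key file that the SSLCertificateKeyFile directive in httpd.conf points to.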