Re: Starting apache at boot with SSL.
> > Not secure. My passphrase is not stored in cleartext anywhere except on > a piece of paper in a locked vault. That may be overkill for some > situations, but not mine. > You are correct about it not being secure, although you can restrict permissions to the file. But it _is_ possible to automate the task. I think you are quite right when you choose for your method :-) Cheers! -- Kind regards, Remko Lodder |[EMAIL PROTECTED] Reporter DSINet|[EMAIL PROTECTED] Projectleader Mostly-Harmless |[EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
Remko Lodder wrote: > > I chose to protect my SSL cert with a passphrase. This makes automatic > > startup at boot impossible. I use FBSD 4.10, and apache would normally > > start via a script in /usr/local/etc/rc.conf. I just made sure there > > was > > ehm this is not totally true, you can startup automatically by > havnig a little script that does the following > > #!/bin/sh > > echo '' > > Then there is thingy with the phrase 'builtin' into it. You can change > that so that the previous bin sh script gets invoked and the server > will startup at that point. > > For the correct syntax i would need to look into my own configuration > which i cannot access at this moment. > > > no .sh script for apache, and start it myself using apachectl startssl. > > The problem with this setup is that if the server reboots in the middle > > of the night the web server does not come on, but this almost never > > happens anyway. You have to balance security with convenience to fit > > your situation, and I chose security. > > > > > > > > Cheers! > > -- > Kind regards, > > Remko Lodder |[EMAIL PROTECTED] > Reporter DSINet|[EMAIL PROTECTED] > Projectleader Mostly-Harmless |[EMAIL PROTECTED] > Founder Tienervaders |[EMAIL PROTECTED] > For a same question here was my response from Josh Hansen <[EMAIL PROTECTED]> : Hello Cristi, This is from the apache site: How can I get rid of the pass-phrase dialog at Apache startup time? The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps: 1. Remove the encryption from the RSA private key (while preserving the original file): $ cp server.key server.key.org $ openssl rsa -in server.key.org -out server.key 2. Make sure the server.key file is now only readable by root: $ chmod 400 server.key Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another server, and have the key readable only by root). As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. But keep in mind that this is neither more nor less secure, of course. > > ___ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[EMAIL PROTECTED]" > > --- > This message and its contents have been scanned and certified for > transmission as being free from malicious code by <>. This > message may contain confidential, privileged or other legally protected > information. It is intended for the addressee(s) only. If you are not the > addressee, or someone the addressee authorized to receive this message, you > are prohibited from copying, distributing or otherwise using it. Please > notify the sender and return it.Thank you. > > --- This message and its contents have been scanned and certified for transmission as being free from malicious code by <>. This message may contain confidential, privileged or other legally protected information. It is intended for the addressee(s) only. If you are not the addressee, or someone the addressee authorized to receive this message, you are prohibited from copying, distributing or otherwise using it. Please notify the sender and return it.Thank you. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
> I chose to protect my SSL cert with a passphrase. This makes automatic > startup at boot impossible. I use FBSD 4.10, and apache would normally > start via a script in /usr/local/etc/rc.conf. I just made sure there > was ehm this is not totally true, you can startup automatically by havnig a little script that does the following #!/bin/sh echo '' Then there is thingy with the phrase 'builtin' into it. You can change that so that the previous bin sh script gets invoked and the server will startup at that point. For the correct syntax i would need to look into my own configuration which i cannot access at this moment. > no .sh script for apache, and start it myself using apachectl startssl. > The problem with this setup is that if the server reboots in the middle > of the night the web server does not come on, but this almost never > happens anyway. You have to balance security with convenience to fit > your situation, and I chose security. > > > Cheers! -- Kind regards, Remko Lodder |[EMAIL PROTECTED] Reporter DSINet|[EMAIL PROTECTED] Projectleader Mostly-Harmless |[EMAIL PROTECTED] Founder Tienervaders |[EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
On Sun, 2004-10-03 at 21:14, Remko Lodder wrote: > > > I chose to protect my SSL cert with a passphrase. This makes automatic > > startup at boot impossible. I use FBSD 4.10, and apache would normally > > start via a script in /usr/local/etc/rc.conf. I just made sure there > > was > > ehm this is not totally true, you can startup automatically by > havnig a little script that does the following > > #!/bin/sh > > echo '' Not secure. My passphrase is not stored in cleartext anywhere except on a piece of paper in a locked vault. That may be overkill for some situations, but not mine. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
On Sat, 2004-10-02 at 12:08, Remko Lodder wrote: > Eric Crist wrote: > > > > Remko, > > > > My bad. I'm using apache 1: > > Ah, that's a bit of a different story, > > Do you use the next generation startup script? > If so then it would have had the following options > available to you: > > apache_enable="YES" (which you have) > apache_flags="-DSSL" (which you do not yet have). > > This should work according to > /usr/ports/www/apache13-modssl/files/rcng.sh > > Cheers! > > > > > grog# /usr/local/sbin/httpd -v > > Server version: Apache/1.3.31 (Unix) > > Server built: Jul 13 2004 17:51:03 > > > > I have apache_enable="YES" in /etc/rc.conf. I would assume I use > > apachessl_enable="YES"? Thanks. I chose to protect my SSL cert with a passphrase. This makes automatic startup at boot impossible. I use FBSD 4.10, and apache would normally start via a script in /usr/local/etc/rc.conf. I just made sure there was no .sh script for apache, and start it myself using apachectl startssl. The problem with this setup is that if the server reboots in the middle of the night the web server does not come on, but this almost never happens anyway. You have to balance security with convenience to fit your situation, and I chose security. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
Eric Crist wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello all, I must be missing something. I have apache starting correctly during boot, but without SSL. I have to log in and type apachectl startssl to get it to work correctly. What did I miss? Hi Eric, Since you are not very verbose on your information, i guess that you use apache2, did you specify apache2ssl_enable="YES" in /etc/rc.conf ? That should enable SSL based webservices during startup. Cheers! - - Eric F Crist Secure Computing Networks -- Kind regards, Remko Lodder |[EMAIL PROTECTED] Reporter DSINet|[EMAIL PROTECTED] Projectleader Mostly-Harmless |[EMAIL PROTECTED] Founder Tienervaders |[EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
Eric Crist wrote: Remko, My bad. I'm using apache 1: Ah, that's a bit of a different story, Do you use the next generation startup script? If so then it would have had the following options available to you: apache_enable="YES" (which you have) apache_flags="-DSSL" (which you do not yet have). This should work according to /usr/ports/www/apache13-modssl/files/rcng.sh Cheers! grog# /usr/local/sbin/httpd -v Server version: Apache/1.3.31 (Unix) Server built: Jul 13 2004 17:51:03 I have apache_enable="YES" in /etc/rc.conf. I would assume I use apachessl_enable="YES"? Thanks. -- Kind regards, Remko Lodder |[EMAIL PROTECTED] Reporter DSINet|[EMAIL PROTECTED] Projectleader Mostly-Harmless |[EMAIL PROTECTED] Founder Tienervaders |[EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Oct 2, 2004, at 4:16 PM, Remko Lodder wrote: Eric Crist wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello all, I must be missing something. I have apache starting correctly during boot, but without SSL. I have to log in and type apachectl startssl to get it to work correctly. What did I miss? Hi Eric, Since you are not very verbose on your information, i guess that you use apache2, did you specify apache2ssl_enable="YES" in /etc/rc.conf ? That should enable SSL based webservices during startup. Cheers! Remko, My bad. I'm using apache 1: grog# /usr/local/sbin/httpd -v Server version: Apache/1.3.31 (Unix) Server built: Jul 13 2004 17:51:03 I have apache_enable="YES" in /etc/rc.conf. I would assume I use apachessl_enable="YES"? Thanks. - - Eric F Crist Secure Computing Networks -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (Darwin) iEYEARECAAYFAkFfJMEACgkQRAAY9knOW+qOmgCfSJcVX8gRVm4iDot+wmCfyklg 88IAn1eqYl7L/EKfSSTKLGZhqI9jKoin =G2Je -END PGP SIGNATURE- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Starting apache at boot with SSL.
Eric Crist wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello all, I must be missing something. I have apache starting correctly during boot, but without SSL. I have to log in and type apachectl startssl to get it to work correctly. What did I miss? From /usr/ports/UPDATING 20040605: AFFECTS: users of www/apache2 AUTHOR: [EMAIL PROTECTED] The apache2 port must now be enabled / disabled and configured in rc.conf. See the pkg-message or script for details. Im not sure about apache13 ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Starting apache at boot with SSL.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello all, I must be missing something. I have apache starting correctly during boot, but without SSL. I have to log in and type apachectl startssl to get it to work correctly. What did I miss? - - Eric F Crist Secure Computing Networks -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (Darwin) iEYEARECAAYFAkFfGM4ACgkQRAAY9knOW+qbFACcDzXjuDRWejnfBgiUbp0OJOrm trsAn2GIVSAVMZP8sAFzSWsEX1dIyVRU =XBJJ -END PGP SIGNATURE- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"