Conversation

Notices

  1. gomerx gomerx

    Figured out how to make Apache restart without me having to type in the SSL key passphrase. I feel smarter now.

    about a year ago from dent.gomertronic.com at Cincinnati, Ohio, United States
    • laurelrusswurm repeated this.
    • laurelrusswurm laurelrusswurm

      congratulations @gomerx :)

      about a year ago
    • Windigo | ☴ Windigo | ☴

      I don’t suppose you’d like to share? :D

      about a year ago
    • gomerx gomerx

      To unencrypt the key, do ‘openssl rsa -in server.key -out server.key.new’. Swap the new unencrypted key for the old and restart apache.

      about a year ago
    • gomerx gomerx

      My key lives in /etc/pki/tls/private/dent.goemrtronic.com/key. Make sure to chmod 600 the new key so only root can read it.

      about a year ago
    • gomerx gomerx

      or rather /etc/pki/tls/private/dent.gomertronic.com.key

      about a year ago
    • Windigo | ☴ Windigo | ☴

      Thanks – I ran into that last year, and was terrified that something was going to restart apache and shut the server down. :P

      about a year ago
    • jonkulp jonkulp windigo

      @windigo @gomerx so there’s an apache setting that requires passphrase to restart? I guess mine isn’t configured that way.

      about a year ago
    • Windigo | ☴ Windigo | ☴ jonkulp

      It has to do with SSL keys; the SSL key stops the apache startup process and prompts for a password. :/

      about a year ago
    • jonkulp jonkulp windigo

      @windigo but is that a config option in apache? Mine never asks for a passphrase.

      about a year ago
    • gomerx gomerx jonkulp

      Probably has to do with how you generated your key pair. In Red Hat there’s a Makefile, but it automatically encrypts the key.

      about a year ago
    • gomerx gomerx

      I’ve been having problems every time I update anything apache related. The ‘yum update’ process just hangs, which is kind of scary.

      about a year ago
    • jonkulp jonkulp

      @gomerx well I have keys but they’re in no way connected with apache. I can just restart it as root without typing a passphrase for any key.

      about a year ago
    • Windigo | ☴ Windigo | ☴ jonkulp

      @gomerx is right, it’s an option for when you generate your cert/request. It sounds like a good idea at the time. :D

      about a year ago
    • gomerx gomerx jonkulp

      Then you’re not running https? You have to have a key/cert pair to do SSL.

      about a year ago
    • jonkulp jonkulp windigo

      @windigo @gomerx hmm. Ok. I use passphrase-protected key for ssh login, but not for anything related to apache. I guess I’m glad. :)

      about a year ago
    • jonkulp jonkulp

      @gomerx yes I do https with an unverified cert.

      about a year ago
    • jonkulp jonkulp

      @gomerx I have the certificates but they don’t require me to type passphrase when restarting apache.

      about a year ago
    • gomerx gomerx jonkulp

      That’s what I’m talking about then. The cert has a key.

      about a year ago
    • ⒿⓅⓄⓅⒺ ⒿⓅⓄⓅⒺ jonkulp

      It’s probably how you set the cert up. I’ve got mine set up to use a key as well. I set it up similar to http://url.jpope.org/e2

      about a year ago
    • gomerx gomerx ⒿⓅⓄⓅⒺ

      Right. That will work. They don’t tell you to ‘chmod 600’ the key though, which is kind of important. Or maybe I missed it.

      about a year ago
    • jonkulp jonkulp

      @gomerx ok so it’s just that your key requires passphrase & mine doesn’t. I guess I chose to do it that way. Can’t remember what default is.

      about a year ago
    • gomerx gomerx jonkulp

      Right. Red Hat generates an encrypted key, which requires a passphrase. You generated an unencrypted one. I just unencrypted mine.

      about a year ago
    • ⒿⓅⓄⓅⒺ ⒿⓅⓄⓅⒺ

      @gomerx Yep. It’s not there, but I did that on my own actually. ;)

      about a year ago
    • jonkulp jonkulp

      @gomerx got it. That should make life easier. :)

      about a year ago
    • gomerx gomerx ⒿⓅⓄⓅⒺ

      I’m not sure what the best practice is. There’s an SSLPassPhraseDialog directive for apache, but I can’t get it to work.

      about a year ago
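
A way to check the outcome of the steps discussed in this conversation (strip the passphrase with `openssl rsa`, then `chmod 600` the key), as an added example that is not from any participant in the thread. The function names and the optional expected-uid argument (default 0, root) are choices made for this example.

```shell
#!/bin/sh
# Added example: audit a PEM private key used by Apache.
# Usage: . ./audit_key.sh; audit_key server.key

# key_is_encrypted FILE -> exit 0 if the PEM is passphrase-protected.
# Traditional PEM carries a "Proc-Type: 4,ENCRYPTED" header;
# PKCS#8 uses a "BEGIN ENCRYPTED PRIVATE KEY" armor line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# key_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_uid FILE -> numeric owner id.
key_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# audit_key FILE [EXPECTED_UID] -> exit 0 only if nobody but the expected
# owner has any permission bit on the key file.
audit_key() {
    key=$1
    want_uid=${2:-0}
    [ -f "$key" ] || { echo "$key: missing"; return 2; }
    mode=$(key_mode "$key")
    uid=$(key_uid "$key")
    rc=0
    # Any group/other bit set means someone besides the owner can touch the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$key: mode $mode grants group/other access; expected 600 or stricter"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$key: owned by uid $uid, expected $want_uid"
        rc=1
    fi
    if key_is_encrypted "$key"; then
        echo "$key: passphrase-protected; Apache prompts at start unless SSLPassPhraseDialog supplies it"
    else
        echo "$key: unencrypted; file permissions are its only protection"
    fi
    return $rc
}
```
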


Micro.Fragdev.com is a microblogging service brought to you by your friends at the Windazon Corporation. It runs the StatusNet microblogging software, version 1.1.0-release, available under the GNU Affero General Public License.

All Micro.Fragdev.com content and data are available under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License.