From owner-freebsd-questions@FreeBSD.ORG Mon Sep 6 15:12:43 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5429B16A4CE for ; Mon, 6 Sep 2004 15:12:43 +0000 (GMT) Received: from mail.sisna.com (mailx.sisna.com [216.126.204.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F72443D53 for ; Mon, 6 Sep 2004 15:12:43 +0000 (GMT) (envelope-from josh222@sisna.com) Received: from [192.168.1.2] [67.172.253.240] by mail.sisna.com with ESMTP (SMTPD32-8.12) id AE6839680022; Mon, 06 Sep 2004 09:12:40 -0600 Message-ID: <413C8030.5080104@sisna.com> Date: Mon, 06 Sep 2004 09:20:16 -0600 From: Josh Hansen User-Agent: Mozilla Thunderbird 0.7.1 (X11/20040626) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Cristi Tauber References: <1094482572.2959.212.camel@deepblue.rtc.ro> In-Reply-To: <1094482572.2959.212.camel@deepblue.rtc.ro> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-RBL-Warning: SORBS-DUHL: Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?67.172.253.240 X-Declude-Sender: josh222@sisna.com [67.172.253.240] X-Spam-Tests-Failed: SORBS-DUHL, IPNOTINMX [-1] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. cc: FreeBSD Questions Subject: Re: httpd with SSL X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Sep 2004 15:12:43 -0000 Cristi Tauber wrote: > Hello, > I installed from ports (switched from sources ... hope to learn :) ) >apache 1.3.29 with mod-ssl. All good ... httpd works ... i issued a >certificate ... but now when my computer reboots and apache starts in >ssl mode it asks for pass phrase !!! So ... if computer reboots over >night someone have to write the pass phrase so the computer can start. >This is annoying ... how can i skip this ... can i enter the passphrase >in my boot script ? How ??? > > Cristi > >_______________________________________________ >freebsd-questions@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-questions >To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > > Hello Cristi, This is from the apache site: How can I get rid of the pass-phrase dialog at Apache startup time? The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps: 1. Remove the encryption from the RSA private key (while preserving the original file): $ cp server.key server.key.org $ openssl rsa -in server.key.org -out server.key 2. Make sure the server.key file is now only readable by root: $ chmod 400 server.key Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another server, and have the key readable only by root). As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. But keep in mind that this is neither more nor less secure, of course.