Date:      Tue, 07 Sep 2004 09:10:12 +0300
From:      Cristi Tauber <cristi.tauber@sbhost.ro>
To:        Josh Hansen <josh222@sisna.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: httpd with SSL
Message-ID:  <1094537412.5632.194.camel@deepblue.rtc.ro>
In-Reply-To: <413C8030.5080104@sisna.com>
References:  <1094482572.2959.212.camel@deepblue.rtc.ro> <413C8030.5080104@sisna.com>

     Yeessss ... thanks a lot.

           Cristi

On Mon, 2004-09-06 at 18:20, Josh Hansen wrote:
> Cristi Tauber wrote:
> 
> >        Hello,
> >    I installed from ports (switched from sources ... hope to learn :) )
> >apache 1.3.29 with mod-ssl. All good ... httpd works ... I issued a
> >certificate ... but now when my computer reboots and apache starts in
> >ssl mode it asks for pass phrase !!! So ... if computer reboots over
> >night someone has to write the pass phrase so the computer can start.
> >This is annoying ... how can I skip this ... can I enter the passphrase
> >in my boot script ? How ???
> >
> >         Cristi
> >
> Hello Cristi,
> 
> This is from the apache site:
> 
> How can I get rid of the pass-phrase dialog at Apache startup time?
> 
> The reason why this dialog pops up at startup and every re-start is that 
> the RSA private key inside your server.key file is stored in encrypted 
> format for security reasons. The pass-phrase is needed to be able to 
> read and parse this file. When you can be sure that your server is 
> secure enough you perform two steps:
> 
>    1. Remove the encryption from the RSA private key (while preserving 
> the original file):
> 
>       $ cp server.key server.key.org
>       $ openssl rsa -in server.key.org -out server.key
> 
>    2. Make sure the server.key file is now only readable by root:
> 
>       $ chmod 400 server.key
> 
> Now server.key will contain an unencrypted copy of the key. If you point 
> your server at this file it will not prompt you for a pass-phrase. 
> HOWEVER, if anyone gets this key they will be able to impersonate you on 
> the net. PLEASE make sure that the permissions on that file are really 
> such that only root or the web server user can read it (preferably get 
> your web server to start as root but run as another server, and have the 
> key readable only by root).
> 
> As an alternative approach you can use the ``SSLPassPhraseDialog 
> exec:/path/to/program'' facility. But keep in mind that this is neither 
> more nor less secure, of course.
> 
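
A check to run after step 2 above, as an added example that is not part of the original message or the Apache FAQ: it reports whether a PEM key file is still pass-phrase protected and whether anyone besides its owner can read it. The function names and the sample files are constructed for illustration; ownership by root is assumed and not checked.

```shell
#!/bin/sh
# Added example: audit a PEM private key after the pass-phrase has been removed.

# 0 if the PEM file is still pass-phrase protected. Traditional keys carry
# "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# 0 if neither group nor other has any permission bit (e.g. mode 400 or 600).
key_perms_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print one verdict for the key file; return 0 only when it exists and is private.
audit_key() {
    if [ ! -f "$1" ]; then echo "MISSING $1"; return 2; fi
    if ! key_perms_private "$1"; then
        echo "FAIL $1: readable beyond its owner, run chmod 400"; return 1
    fi
    if key_is_encrypted "$1"; then
        echo "OK $1: encrypted, server will prompt for the pass-phrase"
    else
        echo "OK $1: unencrypted, protected by file permissions only"
    fi
}

# Constructed sample files: PEM headers only, no real key material.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key.org"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    chmod 400 "$dir/server.key.org"
    chmod 644 "$dir/server.key"    # the mistake step 2 guards against
    echo "$dir"
}

dir=$(make_samples)
audit_key "$dir/server.key.org"
audit_key "$dir/server.key" || echo "(fix: chmod 400 $dir/server.key)"
rm -rf "$dir"
```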
