
I set up a wildcard SSL certificate from GoDaddy on Apache2. Whenever the server restarts, it asks for the passphrase for the SSL certificate's private key.

What's the best way to remove this obstacle to restarts? When a logfile-rotation restart occurs in the middle of the night, the server doesn't come back up, and I get an unhappy client call in the morning, as it is a shared server.

ryw
  • While the actual question has been answered, let me add: logfile rotation does not require a restart. A reload will be fine and won't require you to present any credentials. – Jan Jungnickel Oct 04 '09 at 09:33
  • Thanks Jan, good point. I'm actually not sure why the slice is restarting; it seems to happen about once a week. I need to dig in more to figure out why. – ryw Oct 05 '09 at 01:10

2 Answers


To make Apache receive the passphrase every time it restarts, add this to the httpd.conf:

SSLPassPhraseDialog exec:/path/to/passphrase-file

in your passphrase-file:

#!/bin/sh
echo "passphrase"

and make the passphrase-file executable:

chmod +x passphrase-file
coolwater
  • worked for me too! :D – markcial Sep 01 '10 at 08:57
  • ***Remember to set proper permissions on the script containing the passphrase***, otherwise you've effectively removed any security that having the passphrase gave you. (You should also set proper permissions on the key, as described in Max's answer.) – voretaq7 Feb 24 '12 at 23:23
  • How is storing the key (with passphrase) with 600 permissions and this script with 700 permissions more secure than just storing the key without a passphrase with 600 permissions, given that the owner of both files will need to be the root user, right? – zelanix Jan 31 '15 at 23:34
  • I agree; this is pointless security. Do, by all means, remove a passphrase from a key for automated restarts; but don't think you can in any way claw back the security loss you've just made. It's often a good trade-off, but it **is** a trade-off. – MadHatter Feb 28 '15 at 08:07
  • For completeness the link to the related Apache documentation: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog – alk Mar 16 '16 at 18:19
  • Apache started to give really strange errors during startup (nothing related to the actual problem) before I did this `chmod +x /usr/bin/ssl_passphrase.sh` – Panu Haaramo Nov 30 '16 at 16:17

You need to remove encryption from your private key file like this:

openssl rsa -in server.key -out server.key.new

mv server.key.new server.key

Make sure the new key file is only readable by root - otherwise anyone with shell access to this server will be able to grab the private key and impersonate your server.

To make the key readable only by root, do 'chmod 600 server.key.new' before swapping keys.

Max Alginin
  • I tried your idea, still get challenge on sudo ./apache2 restart :( – ryw Oct 03 '09 at 19:02
  • +1 because that's not an "idea", it's an actual procedure – codehead Oct 03 '09 at 20:01
  • I used the term "idea" because it didn't work for me. – ryw Oct 05 '09 at 01:02
  • How does the passphrase make an SSL certificate more secure if you can remove it that easily without requiring the passphrase? (Or does it ask you for the passphrase?) – user2693017 Mar 12 '14 at 21:15
  • @user2693017 - The openssl command described here will ask for the passphrase of the encrypted private key. Without knowing the password, removing it will not work. – Michael Paesold Apr 15 '16 at 11:13