Posted to users@httpd.apache.org by Igor Cicimov <ic...@gmail.com> on 2009/04/28 01:12:42 UTC

Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Recreate the certificate without a passphrase; what do you need it for
anyway?

On Tue, Apr 28, 2009 at 8:50 AM, Mike Lyon <mi...@gmail.com> wrote:

> Hello All,
>
> There has to be an easy answer to this question. When I restart apache, it
> prompts me to enter in the passphrase for the SSL certs. How can I create a
> shell script to automatically enter in the passphrase for me when apache
> starts up at boot-up?
>
> Thank you,
> Mike
>
>

Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Jeff Sadowski <je...@gmail.com>.
On Mon, Apr 27, 2009 at 5:40 PM, Nick Kew <ni...@webthing.com> wrote:
> Doug Bell wrote:
>
>> Perl's Expect module might be able to help you, if you know Perl, but I
>> second the notion to remove the passphrase. You don't need to ask the CA to
>> re-sign the cert if I'm not mistaken.
>
> Yow!  How history gets rewritten!
>
> (Expect is a Tcl thing, adopted like so many other good
> things by the Perl folks).
>
> To the OP: encoding your passphrase in a script has serious
> security implications.  Who else might find a way to read it?
>
> --
> Nick Kew
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

The problem with expect is that it requires a terminal. I'd like to know how to
get around that for other projects.



Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Nick Kew <ni...@webthing.com>.
Doug Bell wrote:

> Perl's Expect module might be able to help you, if you know Perl, but I 
> second the notion to remove the passphrase. You don't need to ask the CA 
> to re-sign the cert if I'm not mistaken.

Yow!  How history gets rewritten!

(Expect is a Tcl thing, adopted like so many other good
things by the Perl folks).

To the OP: encoding your passphrase in a script has serious
security implications.  Who else might find a way to read it?

-- 
Nick Kew



Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Doug Bell <do...@plainblack.com>.
On Apr 27, 2009, at 6:16 PM, Mike Lyon wrote:

> It's another link in the security of that certificate... I'd prefer  
> to keep it. It guarantees continuity from the creation of the CSR  
> until you get the cert back from the CA.
>
> -Mike
>
>
> On Mon, Apr 27, 2009 at 4:12 PM, Igor Cicimov <ic...@gmail.com>  
> wrote:
> Recreate the certificate without a passphrase; what do you need it for
> anyway?
>
>
> On Tue, Apr 28, 2009 at 8:50 AM, Mike Lyon <mi...@gmail.com>  
> wrote:
> Hello All,
>
> There has to be an easy answer to this question. When I restart  
> apache, it prompts me to enter in the passphrase for the SSL certs.  
> How can I create a shell script to automatically enter in the  
> passphrase for me when apache starts up at boot-up?
>
> Thank you,
> Mike
>
>
>

Perl's Expect module might be able to help you, if you know Perl, but
I second the notion to remove the passphrase. You don't need to ask
the CA to re-sign the cert if I'm not mistaken.

# openssl rsa -in www.domain.com.key -out www.domain.com.nopassphrase.key


Doug Bell -- Senior Developer, Plain Black Corp.
[ http://plainblack.com ]
all that groks is


Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Igor Cicimov <ic...@gmail.com>.
Usually I use expect in a shell script for interactive programs. Look at
the example below, which I wrote for SFTP, and try to adapt it to your needs.

/usr/bin/expect <<EOF
# Drive an interactive sftp session.  The heredoc is unquoted, so the shell
# expands \$DIR, \$LOCALDIR and \$file before expect ever sees the script.
# PASSWORD is embedded in clear text: anyone who can read this script has it.
set timeout 30
spawn /usr/bin/sftp USER@IP_ADDRESS
expect {
        "Are you sure you want to continue connecting*" {
                        # first connection to this host: accept the key and keep waiting
                        send "yes\r"
                        exp_continue
        }
        -re "(?i)password: " {
                        # OpenSSH prompts "USER@host's password: ", so match case-insensitively
                        send "PASSWORD\r"
        }
        timeout { puts "no password prompt from sftp"; exit 1 }
        eof     { puts "sftp exited before prompting"; exit 1 }
}
expect "sftp> "
send "cd $DIR\r"
expect "sftp> "
send "lcd $LOCALDIR\r"
expect "sftp> "
send "get $file\r"
expect "sftp> "
send "bye\r"
expect eof
EOF


So in short, you wait for the program's interactive prompt with the expect
statement (modify it to suit your prompt) and you send the response back
with the send command. But I'm not sure if this can help you, or if you get any
prompt at all when restarting Apache with the SSL password; I have never
tried that.




On Tue, Apr 28, 2009 at 9:16 AM, Mike Lyon <mi...@gmail.com> wrote:

> It's another link in the security of that certificate... I'd prefer to keep
> it. It guarantees continuity from the creation of the CSR until you get the
> cert back from the CA.
>
> -Mike
>
>
>
> On Mon, Apr 27, 2009 at 4:12 PM, Igor Cicimov <ic...@gmail.com> wrote:
>
>> Recreate the certificate without a passphrase; what do you need it for
>> anyway?
>>
>>
>> On Tue, Apr 28, 2009 at 8:50 AM, Mike Lyon <mi...@gmail.com> wrote:
>>
>>> Hello All,
>>>
>>> There has to be an easy answer to this question. When I restart apache,
>>> it prompts me to enter in the passphrase for the SSL certs. How can I create
>>> a shell script to automatically enter in the passphrase for me when apache
>>> starts up at boot-up?
>>>
>>> Thank you,
>>> Mike
>>>
>>>
>>
>

Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Jeff Sadowski <je...@gmail.com>.
On Tue, Apr 28, 2009 at 12:05 AM, Mike Lyon <mi...@gmail.com> wrote:
> So I would be able to create new keys without having to get new certs?
>

Read the howto on how to change the passphrase on your key. I seem to
recall changing the passphrase being possible. I also seem to recall
there being a stage where the key has no passphrase. If you bought
certs for that key you should try this; if not, replace all your certs.

> Thanks,
> Mike
>
>
> On Mon, Apr 27, 2009 at 10:25 PM, Krist van Besien
> <kr...@gmail.com> wrote:
>>
>> On Tue, Apr 28, 2009 at 1:16 AM, Mike Lyon <mi...@gmail.com> wrote:
>> > It's another link in the security of that certificate... I'd prefer to
>> > keep
>> > it. It guarantees continuity from the creation of the CSR until you get
>> > the
>> > cert back from the CA.
>>
>> The passphrase is on the key, not the certificate. The key should
>> never leave your server. You could have created your original key
>> without a passphrase even, and the CA wouldn't have known it.
>>
>> Having the certificate itself encrypted is pointless, as you will be
>> handing it out to anyone contacting your server.
>>
>> Krist
>>
>> --
>> krist.vanbesien@gmail.com
>> krist@vanbesien.org
>> Bremgarten b. Bern, Switzerland
>> --
>> A: It reverses the normal flow of conversation.
>> Q: What's wrong with top-posting?
>> A: Top-posting.
>> Q: What's the biggest scourge on plain text email discussions?
>>
>>
>
>



Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Apr 28, 2009 at 8:05 AM, Mike Lyon <mi...@gmail.com> wrote:
> So I would be able to create new keys without having to get new certs?

No, you don't generate new keys (that would break your cert) but you
can remove the passphrase from the key. Make sure only root can read
the key. This will even give you better security than relying on a
script to provide a password.
See the docs here:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#removepassphrase

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

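
Doug's one-liner earlier in the thread strips the passphrase, and Krist's two points are that the passphrase protects the key file rather than the certificate (so generating a new key would break the cert) and that the unencrypted key must then be readable only by root. The script below is an added example, written for this page and not taken from any poster or from the httpd project, that carries that procedure through with checks: it strips the passphrase, proves the stripped key still belongs to the certificate by comparing the DER public key on both sides, proves that a freshly generated key does not, and checks the file mode. The file names follow Doug's command; the self-signed certificate, the throwaway passphrase "correct-horse" and the temporary directory are constructed for the demo and are not real site material.

```shell
#!/bin/sh
# Added example (not from the thread or the httpd docs): remove the passphrase
# from an Apache key, then verify the result before pointing
# SSLCertificateKeyFile at the new file.  All paths below are placeholders.

# Write an unencrypted copy of key $1 to $2 (Doug's "openssl rsa" one-liner).
# The passphrase is taken from $OLD_PASS if set; otherwise openssl prompts once.
# umask 077 in a subshell makes the new file 0600 without touching the caller.
strip_passphrase() {
    if [ -n "${OLD_PASS:-}" ]; then
        ( umask 077 && openssl rsa -in "$1" -passin env:OLD_PASS -out "$2" 2>/dev/null )
    else
        ( umask 077 && openssl rsa -in "$1" -out "$2" )
    fi
}

# True if the PEM file still carries an encryption marker: the legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True if key $1 belongs to certificate $2.  The passphrase is a property of
# the key file only, so the DER public key must be identical on both sides.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if nobody but the owner (root, for httpd) can read key $1.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Self-contained demo on constructed material: a throwaway RSA key encrypted
# under the passphrase "correct-horse" and a self-signed certificate for it
# (not a real site or CA).  Returns 0 when every check passes.
demo() {
    d=$(mktemp -d) || return 1
    enc="$d/www.domain.com.key"
    plain="$d/www.domain.com.nopassphrase.key"
    crt="$d/www.domain.com.crt"
    OLD_PASS=correct-horse; export OLD_PASS
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -subj '/CN=www.domain.com' \
        -passout env:OLD_PASS -keyout "$enc" -out "$crt" 2>/dev/null \
    && key_is_encrypted "$enc" \
    && strip_passphrase "$enc" "$plain" \
    && ! key_is_encrypted "$plain" \
    && key_matches_cert "$plain" "$crt" \
    && key_perms_ok "$plain" \
    && openssl genrsa -out "$d/fresh.key" 2048 2>/dev/null \
    && ! key_matches_cert "$d/fresh.key" "$crt"   # a new key would not match the cert
    rc=$?
    unset OLD_PASS
    rm -rf "$d"
    return $rc
}

# Usage: sh strip_and_verify.sh demo
[ "${1:-}" = demo ] && demo && echo "passphrase removed, key still matches cert, mode ok"
```

On a real server you would call strip_passphrase on the live key (omitting OLD_PASS so openssl prompts on the terminal instead of reading it from the environment), run key_matches_cert and key_perms_ok against the result, and only then change SSLCertificateKeyFile and restart httpd. The public-key comparison is what makes Krist's point checkable: the same certificate matches the stripped key and rejects the fresh one, which is why the CA never needs to re-sign anything.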


Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Mike Lyon <mi...@gmail.com>.
So I would be able to create new keys without having to get new certs?

Thanks,
Mike


On Mon, Apr 27, 2009 at 10:25 PM, Krist van Besien <
krist.vanbesien@gmail.com> wrote:

> On Tue, Apr 28, 2009 at 1:16 AM, Mike Lyon <mi...@gmail.com> wrote:
> > It's another link in the security of that certificate... I'd prefer to
> keep
> > it. It guarantees continuity from the creation of the CSR until you get
> the
> > cert back from the CA.
>
> The passphrase is on the key, not the certificate. The key should
> never leave your server. You could have created your original key
> without a passphrase even, and the CA wouldn't have known it.
>
> Having the certificate itself encrypted is pointless, as you will be
> handing it out to anyone contacting your server.
>
> Krist
>
> --
> krist.vanbesien@gmail.com
> krist@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
>
>

Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Apr 28, 2009 at 1:16 AM, Mike Lyon <mi...@gmail.com> wrote:
> It's another link in the security of that certificate... I'd prefer to keep
> it. It guarantees continuity from the creation of the CSR until you get the
> cert back from the CA.

The passphrase is on the key, not the certificate. The key should
never leave your server. You could have created your original key
without a passphrase even, and the CA wouldn't have known it.

Having the certificate itself encrypted is pointless, as you will be
handing it out to anyone contacting your server.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Shell Script to automatically start Apache with SSL passphrase?

Posted by Mike Lyon <mi...@gmail.com>.
It's another link in the security of that certificate... I'd prefer to keep
it. It guarantees continuity from the creation of the CSR until you get the
cert back from the CA.

-Mike


On Mon, Apr 27, 2009 at 4:12 PM, Igor Cicimov <ic...@gmail.com> wrote:

> Recreate the certificate without a passphrase; what do you need it for
> anyway?
>
>
> On Tue, Apr 28, 2009 at 8:50 AM, Mike Lyon <mi...@gmail.com> wrote:
>
>> Hello All,
>>
>> There has to be an easy answer to this question. When I restart apache, it
>> prompts me to enter in the passphrase for the SSL certs. How can I create a
>> shell script to automatically enter in the passphrase for me when apache
>> starts up at boot-up?
>>
>> Thank you,
>> Mike
>>
>>
>