Auto insert password for a Trusted SSL Certificate / Automatically enter password for an SSL Certificate during Apache startup on Debian Lenny
I've recently installed a trusted certificate, which I had previously protected with a passphrase for better security, on an Apache server running on Debian.
Now, every time I restart Apache, it is pretty annoying, and impractical at the same time, to enter the passphrase assigned to the SSL certificate.
It's also dangerous, because if Apache crashes and tries to resurrect itself by restarting, it might not start up again.
Another unpleasant possible scenario: one of the PHP developers changes something minor in a VirtualHost and afterwards restarts Apache for the new configuration to take effect; again Apache won't come up, and chaos would emerge.
So I decided to configure my Apache so that it fills in the passphrase automatically each time it is started or restarted. To do that I consulted some online resources and ended up being redirected by a blog post to the mod_ssl ssl_reference web page.
There is plenty of stuff in that document; however, in my case all I needed was one directive in /etc/apache2/mods-available/ssl.conf :
SSLPassPhraseDialog exec:/etc/apache2/mods-available/passphrase
The above directive must replace:
SSLPassPhraseDialog builtin
Now the last step is to prepare /etc/apache2/mods-available/passphrase . Make sure the file has the following content:
#!/bin/sh
echo "yoursecretpassword"
Change yoursecretpassword above to your configured passphrase.
Also please make sure /etc/apache2/mods-available/passphrase has proper permissions set. In my case I've set the following permissions for the file:
debian:~# chown www-data:www-data /etc/apache2/mods-available/passphrase
debian:~# chmod 700 /etc/apache2/mods-available/passphrase
That should be it. Restart Apache and make sure it loads properly without any SSL passphrase prompts.
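A more defensive variant of the helper, added here as an example and not the script from the post: it keeps the passphrase out of the script body, uses the two arguments mod_ssl passes to the program (servername:port and the key type, RSA or DSA on Apache 2.2) to pick one file per key under an assumed directory /etc/apache2/ssl-passphrases, and refuses to hand out a passphrase from a file that group or others can read.

```shell
#!/bin/sh
# Added example, not the script from the post above. A passphrase helper for
# "SSLPassPhraseDialog exec:" that keeps the secret out of the script itself.
# mod_ssl runs the helper with two arguments, "servername:port" and the key
# type ("RSA" or "DSA" on Apache 2.2), and takes the passphrase from stdout.
# Assumed layout: one file per key under PASS_DIR, named
# <servername>_<port>.<keytype>, e.g. www.example.com_443.RSA (constructed).
# Apache loads its private keys before dropping privileges, so the helper runs
# as the user that starts Apache (root on Debian) and the files can stay
# root-owned with mode 0400.
PASS_DIR="${PASS_DIR:-/etc/apache2/ssl-passphrases}"

# passphrase_file SERVER:PORT KEYTYPE -> prints the path of the matching file
passphrase_file() {
    server="${1%%:*}"
    port="${1##*:}"
    printf '%s/%s_%s.%s\n' "$PASS_DIR" "$server" "$port" "$2"
}

# perms_ok FILE -> succeeds only if FILE is a regular file with no group/other
# bits, so a world-readable copy of a secret fails loudly instead of working.
# Uses the mode column of ls -l, which is portable across GNU and BSD.
perms_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# print_passphrase SERVER:PORT KEYTYPE -> prints the first line of the file,
# or fails (non-zero, message on stderr) so Apache reports a startup error
# instead of silently loading with no passphrase.
print_passphrase() {
    f="$(passphrase_file "$1" "$2")"
    if ! perms_ok "$f"; then
        echo "passphrase helper: refusing $f (missing or too permissive)" >&2
        return 1
    fi
    # read tolerates a file without a trailing newline
    IFS= read -r pass < "$f" || [ -n "$pass" ]
    printf '%s\n' "$pass"
}

# Only dispatch when invoked the way mod_ssl invokes us, with exactly two args.
if [ "$#" -eq 2 ]; then
    print_passphrase "$1" "$2"
fi
```

Point SSLPassPhraseDialog exec: at this script instead of the one-liner, and keep the passphrase files root-owned with mode 0400; www-data never needs to read them.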
However, you should keep in mind that supplying the passphrase automatically when Apache starts is much less secure than typing the password every time you restart Apache: storing the passphrase in a file is quite insecure compared to typing it in each time Apache starts.
For instance, if an attacker breaks into your server, he might be able to steal your SSL certificate as well as the passphrase file. Surely this is something you don't want. Anyway, flexibility has a price, and if you decide to go the way described here, please weigh the risk first.