I've recently installed a trusted certificate, whose private key I had previously protected with a passphrase, on an Apache server running on Debian in order to have better security.
Now every time I restart Apache it's pretty annoying and impractical to have to enter the passphrase assigned to the SSL certificate.
It's also dangerous: if Apache crashes and tries to restart itself, it might not come up again.
Another unpleasant scenario: one of the PHP developers changes something minor in a VirtualHost and then restarts Apache for the new configuration to take effect; again Apache won't come up and chaos would ensue.
So I decided to configure my Apache to fill in the passphrase automatically each time it's started or restarted. To do that I consulted some online resources and ended up redirected by a blog post to the mod_ssl ssl_reference web page.
There is plenty of stuff in that document, however in my case all I needed was one directive in /etc/apache2/mods-available/ssl.conf:
SSLPassPhraseDialog exec:/etc/apache2/mods-available/passphrase
The above code must replace:
SSLPassPhraseDialog builtin
Now the last step is to prepare /etc/apache2/mods-available/passphrase.
Make sure the file has the following content:
#!/bin/sh
echo "yoursecretpassword"
Change yoursecretpassword above to your configured passphrase.
Also please make sure /etc/apache2/mods-available/passphrase has proper permissions set. In my case I've set the following permissions for the file:
debian:~# chown www-data:www-data /etc/apache2/mods-available/passphrase
debian:~# chmod 700 /etc/apache2/mods-available/passphrase
That should be it. Restart Apache and make sure it loads properly without any SSL passphrase prompts.
However, keep in mind that auto-loading the passphrase at Apache startup is much less secure than typing the password every time you restart Apache. Storing the passphrase in a file is quite insecure compared to typing it each time Apache starts.
For instance, if a hacker breaks into your server he might be able to steal your SSL certificate as well as the passphrase file.
And surely this is something you don't want. Anyway, flexibility has a price, and if you decide to go the way described, please note the risk first.
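The helper the post uses is a single echo. As an added example (not from the post and not part of mod_ssl), here is a more defensive version of the same exec: helper together with a permission check you can run before restarting Apache. It goes beyond the post in one way: it uses the first argument that the mod_ssl reference says Apache passes to the exec program, servername:port, to pick a passphrase per virtual host. The host names and passphrase values below are constructed placeholders, and the permission check assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post: a replacement for the one-line
# "echo" helper behind "SSLPassPhraseDialog exec:". It refuses to run unless
# its own permissions are tight and looks the passphrase up by virtual host.
# Assumption (from the mod_ssl reference the post links to): Apache runs the
# helper at startup with "servername:port" as its first argument and the key
# type as its second.

# Constructed demo table: one "servername:port passphrase" pair per line.
# The values are placeholders; on a real system the file holding them must be
# root-only (the post sets mode 700 on the helper itself).
PASSPHRASE_TABLE='www.example.com:443 demo-passphrase-one
mail.example.com:443 demo-passphrase-two'

# check_helper_perms FILE: succeed only if FILE is a regular file with no
# group/other permission bits (mode 700 or 500). Uses GNU stat.
check_helper_perms() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        700|500) return 0 ;;
        *) echo "refusing to run: $1 has mode $mode, expected 700" >&2; return 1 ;;
    esac
}

# lookup_passphrase SERVER: print the passphrase for SERVER ("host:port");
# fail with no output when SERVER is not in the table.
lookup_passphrase() {
    printf '%s\n' "$PASSPHRASE_TABLE" |
        awk -v key="$1" '$1 == key { print $2; found = 1 } END { exit !found }'
}

# Entry point as mod_ssl would call it: helper servername:port keytype
main() {
    check_helper_perms "$0" || exit 1
    lookup_passphrase "$1" || { echo "no passphrase configured for $1" >&2; exit 1; }
}

# Only dispatch when invoked with mod_ssl's two arguments, so the functions
# above can also be sourced and exercised on their own.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Install it at the path named in SSLPassPhraseDialog and run check_helper_perms on it yourself before the first restart; if the mode check fails, the helper prints nothing and Apache refuses to start, which is the failure mode you want rather than a silently readable passphrase.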
If you haven't already added a password to your private key at certificate generation time, you can of course add or remove a passphrase at a later time.
To add one (assuming it was an RSA key, otherwise use dsa):
openssl rsa -des3 -in your.key -out your.encrypted.key
mv your.encrypted.key your.key
The -des3 tells openssl to encrypt the key with DES3.
To remove it:
openssl rsa -in your.key -out your.open.key
You will be asked for your passphrase one last time.
By omitting -des3 you tell openssl not to encrypt the output.
mv your.open.key your.key
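The add and remove steps above as shell functions, with a check that the key material comes back unchanged, as an added example that is not part of the original post. The passphrase is handed to openssl through the environment (-passout/-passin env:VAR) instead of the interactive prompt, so it never appears in the process list; the passphrase value and the throwaway key are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the add/remove passphrase steps
# as shell functions, plus a round-trip check that the key is unchanged.

# add_passphrase KEYFILE PASSPHRASE: encrypt KEYFILE in place with DES3,
# mirroring "openssl rsa -des3 -in your.key -out your.encrypted.key; mv ..."
add_passphrase() {
    KEYPASS=$2 openssl rsa -des3 -in "$1" -out "$1.encrypted" -passout env:KEYPASS 2>/dev/null || return 1
    mv "$1.encrypted" "$1"
}

# remove_passphrase KEYFILE PASSPHRASE: write the key back out unencrypted,
# mirroring "openssl rsa -in your.key -out your.open.key; mv ..."
remove_passphrase() {
    KEYPASS=$2 openssl rsa -in "$1" -out "$1.open" -passin env:KEYPASS 2>/dev/null || return 1
    mv "$1.open" "$1"
}

# key_is_encrypted KEYFILE: both the traditional PEM header
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
# carry the word, so one grep covers old and new OpenSSL output.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_modulus KEYFILE [PASSPHRASE]: print the RSA modulus without ever
# prompting; the passphrase is only passed when one is given.
key_modulus() {
    if [ -n "${2:-}" ]; then
        KEYPASS=$2 openssl rsa -in "$1" -noout -modulus -passin env:KEYPASS 2>/dev/null
    else
        openssl rsa -in "$1" -noout -modulus 2>/dev/null
    fi
}

# roundtrip_demo: generate a throwaway key, add a passphrase, confirm the file
# is encrypted, remove it again and confirm the modulus survived unchanged.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    key="$dir/your.key"
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    before=$(key_modulus "$key")
    add_passphrase "$key" "constructed-demo-passphrase" || return 1
    key_is_encrypted "$key" || return 1
    [ "$(key_modulus "$key" "constructed-demo-passphrase")" = "$before" ] || return 1
    remove_passphrase "$key" "constructed-demo-passphrase" || return 1
    if key_is_encrypted "$key"; then return 1; fi
    after=$(key_modulus "$key")
    rm -rf "$dir"
    [ "$before" = "$after" ]
}

# Run the demo only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = demo ]; then
    roundtrip_demo && echo "round trip OK: key material unchanged"
fi
```

Comparing the modulus before and after is the quick way to convince yourself that adding or stripping a passphrase only changes the wrapper around the key, not the key itself, so the certificate issued for it stays valid.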
Enable Rsyslog and Syslog cron events logging in /var/log/cron.log on Debian Lenny
Friday, April 9th, 2010
By default Debian doesn't log its cron events in a separate log file.
All cron events get logged along with all the other syslog events, as configured by default in either syslog or rsyslog.
So you end up with a /var/log/syslog which includes many diverse messages. That's really unpleasant if you want to keep track of your cron events separately.
I always change this behaviour while configuring new servers or Desktop systems running Debian.
Therefore I decided to share here what I do to enable separate cron logging. The logged cron events would go to /var/log/cron.log.
As a starter, please make sure the file /var/log/cron.log exists on your filesystem; if it doesn't, create it:
debian:~# touch /var/log/cron.log
To configure your crond to log to /var/log/cron.log on a system running syslogd all you have to do is edit /etc/syslog.conf and either include the line:
cron.* /var/log/cron.log
or simply uncomment the same line, which is already present but commented out in syslog.conf.
If you're using the enhanced version of syslogd for Linux (Rsyslog), the syntax that needs to be included is absolutely identical.
Again you have to include:
cron.* /var/log/cron.log
in /etc/rsyslog.conf or uncomment the line shown above in /etc/rsyslog.conf.
Now the last step is to reload syslogd or rsyslogd.
With syslogd running on your system execute:
debian:~# killall -HUP syslogd
With rsyslogd as a default system logger:
debian:~# killall -HUP rsyslogd
Now you should have your crond logging to the separate /var/log/cron.log. Wish you happy cron.log reading 🙂
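The "include the line or uncomment it" step above, done idempotently, as an added example that is not part of the original post. The functions work on any syslog.conf/rsyslog.conf-style file: they report whether the cron rule is active, commented out or missing, uncomment it when present, append it when absent, and leave an already active file untouched. The configuration snippets used to exercise it are constructed; the in-place edit assumes GNU sed.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently enable the
# "cron.* /var/log/cron.log" rule in a syslog.conf/rsyslog.conf-style file.
# A leading "-" before the path (rsyslog's asynchronous write marker) is
# accepted as equivalent.

# cron_rule_state FILE: print "active", "commented" or "missing".
cron_rule_state() {
    if grep -Eq '^[[:space:]]*cron\.\*[[:space:]]+-?/var/log/cron\.log' "$1"; then
        echo active
    elif grep -Eq '^[[:space:]]*#[[:space:]]*cron\.\*[[:space:]]+-?/var/log/cron\.log' "$1"; then
        echo commented
    else
        echo missing
    fi
}

# enable_cron_rule FILE: uncomment an existing commented rule, append one if
# there is none, do nothing if it is already active.
enable_cron_rule() {
    case $(cron_rule_state "$1") in
        active) ;;
        commented)
            sed -i -E 's|^[[:space:]]*#[[:space:]]*(cron\.\*[[:space:]]+-?/var/log/cron\.log)|\1|' "$1" ;;
        missing)
            printf 'cron.*\t\t\t/var/log/cron.log\n' >> "$1" ;;
    esac
}

# Apply to a real config only when asked, e.g.: sh enable-cron-log.sh /etc/rsyslog.conf
if [ -n "${1:-}" ]; then
    enable_cron_rule "$1"
    echo "cron rule in $1: $(cron_rule_state "$1")"
fi
```

After reloading the daemon as the post describes, a quick end-to-end check is logger -p cron.info "cron log test", which should show up in /var/log/cron.log and not only in /var/log/syslog.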