
Re: GCE Debian Wheezy VM stops at Pass phrase protected Apache2 SSL Cert. dialog



Hi Jose,

You could certainly use our metadata server to provide the apache passphrase at boot time, if you then integrate it with the apache startup process. I'm not an expert on Apache's initialization procedure so I'll leave advice on that to others. As far as I know, no code has been written yet to do that.

The dist-upgrade was probably only relevant as your first reason to reboot after making the change, I'd expect, nothing specific to the new kernel or to GCE.

However, I do have one bit of positive feature clarification to provide: gcutil, gcloud, and our web UI do allow you to fully shut down an instance, which will let you attach the disk to another instance. Just delete it while preserving the boot disk (it's an option for all of those tools). This will send a clean ACPI power down signal to the VM, giving it an approximate maximum of 2 minutes before pulling the virtual power cord.

Good luck, and glad you're trying GCE!

- Jimmy

On Oct 19, 2014 9:12 AM, "Jose R R" <Jose.r.r@metztli-it.com> wrote:
Niltze, all-

Well, doing my part in the security of the Web :p

I run Apache web server in a GCE VM [different email account than this
one] and decided to acquire an SSL certificate which I successfully
installed under Debian Wheezy a few days ago.

For added security, I passphrase-protected the SSL certificate so
that when I restart the web server I need to input my pass phrase.

I had no issues whatsoever until today that I did an: apt-get
dist-upgrade for a newer kernel. Upon doing a reboot I found out that
my port 22 is closed but my web server ports 80 and 443 are open.

I used nmap to scan for my open ports as well as the tcping utility.

Accordingly, I get the message connection refused whenever I use
gcloud or ssh to attempt to log into my GCE instance.

After using gcutil and gcloud to reset my GCE instance -- multiple
times -- the outcome was the same. Accordingly I did:

gcloud compute instances get-serial-port-output myInstance

Below is the last message of the output that indicates that GCE Debian
Wheezy instance needs the passphrase before proceeding further (and
starting sshd):

----------------------------------------------------------------------------------------
...
Oct 19 07:53:51 myInstance acpid: 1 rule loaded
Oct 19 07:53:51 myInstance acpid: waiting for events: event logging is off
[....] Starting web server: apache2Apache/2.2.22 mod_ssl/2.2.22 (Pass
Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server myInstance.x.xyz-host.internal:443 (RSA)
Enter pass phrase:
--------------------------------------------------------------------------------------

I tried detaching the disk to subsequently mount onto another instance
but the command fails with:
--------------------------------------------------------------------------------
ERROR: (gcloud.compute.instances.detach-disk) There was a problem
modifying the resource:
 - Hot-remove of the root disk is not supported.
-------------------------------------------------------------------------------

Now, gcutil and gcloud utilities can reset (reboot) the instance but
can not shut it down completely (that I'm aware) -- which would allow
me to detach the disk.

Is there a way to provide (as parameter) the passphrase that the web
server requires to start apache2 and thus continue/complete the boot
process to start ssh server so that port 22 will be opened?

Best Professional Regards


--
Jose R R
http://www.metztli-it.com
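
The approach suggested in the reply above (metadata server plus Apache's startup), as an added example that is not part of the thread or of any GCE or Debian tooling: a helper program for mod_ssl's "SSLPassPhraseDialog exec:" mode. The attribute name apache-passphrase and the install path in the comment are assumptions.

```sh
#!/bin/sh
# Pass phrase helper for Apache mod_ssl. Enable it in the global server
# config with (install path is an assumption):
#   SSLPassPhraseDialog exec:/usr/local/sbin/apache-passphrase
# mod_ssl runs the program with two arguments ("servername:port" and the
# key type, e.g. "RSA") and reads the pass phrase from standard output.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/attributes"
ATTRIBUTE="apache-passphrase"   # assumed name of a custom metadata attribute

# Fetch one instance attribute from the GCE metadata server.
# --fail turns HTTP errors (such as 404 for a missing attribute) into a
# non-zero exit status; the timeouts bound how long startup can wait.
fetch_attribute() {
    curl --silent --fail --connect-timeout 2 --max-time 5 \
         --header "Metadata-Flavor: Google" "$METADATA_URL/$1"
}

# Print the pass phrase for the key mod_ssl is asking about, or print
# nothing on stdout and return non-zero so Apache reports a clear failure.
passphrase_for() {
    vhost="$1"
    keytype="$2"
    if [ -z "$vhost" ] || [ -z "$keytype" ]; then
        echo "usage: apache-passphrase servername:port keytype" >&2
        return 2
    fi
    value=$(fetch_attribute "$ATTRIBUTE") || {
        echo "metadata lookup failed for $vhost ($keytype)" >&2
        return 1
    }
    if [ -z "$value" ]; then
        echo "empty pass phrase attribute for $vhost ($keytype)" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# Run only when invoked the way mod_ssl invokes it (two arguments).
if [ "$#" -eq 2 ]; then
    passphrase_for "$1" "$2"
fi
```

Because the helper gives up after a few seconds instead of prompting on the serial console, a missing attribute makes apache2 fail to start rather than leaving startup waiting at "Enter pass phrase:". Instance metadata is readable by every process on the VM and by anyone with read access to the project, so this protects the key file at rest on the disk and little else.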