Re: apache-ssl/woody cannot handle password protected keys?
One solution which I use is this... I have both my cert.pem and
cert.key file in in a directory... I then run the following:
openssl x509 -in cert.pem -out /etc/apache/ssl.crt/server.crt
openssl rsa -in cert.key -out /etc/apache/ssl.key/server.key
chown root:root /etc/apache/ssl.key/server.key
chmod 0600 /etc/apache/ssl.key/server.key
This allows me to restart apache without incident...
Jeremy
On Mon, Feb 25, 2002 at 03:30:08PM +0100, Thomas Gebhardt wrote:
> Hi,
>
> just upgraded a host from potato to woody, I observed that
> my apache-ssl failed to work.
>
> Well, it actually starts but goes down immediately:
>
> # /usr/sbin/apache-sslctl start
> Reading key for server <my.server>:443
> Enter PEM pass phrase:
> Launching... /usr/lib/apache-ssl/gcache
> pid=22730
> /usr/sbin/apache-sslctl start: httpsd started
>
> or similary:
>
> # /etc/init.d/apache-ssl start
> Starting web server: apache-sslReading key for server <my.server>:443
> Enter PEM pass phrase:
> Launching... /usr/lib/apache-ssl/gcache
> pid=22999
> .
>
> The error log says:
>
> [Mon Feb 25 15:20:36 2002] [crit] (22)Invalid argument: Error reading private
> key file /etc/apache-ssl/secret.key:
> [Mon Feb 25 15:20:36 2002] [crit] error:0906406D:PEM
> routines:DEF_CALLBACK:problems getting password
> [Mon Feb 25 15:20:36 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad
> password read
>
> My PEM pass phrase is ok; in case of a typo I get something like:
>
> # /usr/sbin/apache-sslctl start
> Reading key for server <my.server>:443
> Enter PEM pass phrase:
> Bad passphrase - try again
>
> When I remove the passphrase from /etc/apache-ssl/secret.key (such
> that it is only proteced by its file permissions) then apache-ssl
> works fine.
>
> I also tried apache-ssl from unstable (1.3.23.1+1.45-1) which
> gives the same results.
>
> I would appreciate any hints! Is it my fault or is this a bug
> (a feature?) within apache-ssl?
>
> Thanks, Thomas
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: