- 07-02-2010 #1
Apache reload SSL passphrase issue
Greetings all
I have spent ages searching and cannot find what I'm looking for, either in the Apache documentation, on forums or in two books, so I'm definitely stuck!
I have written a shell script which, amongst a heap of other stuff, creates virtual hosts and consequently also reloads Apache. However, my problem is that unless I include a restart in the shell script, the reload causes the server to stop, yet restarting every time a new vhost is created is not really an option since it will disrupt the service for other users.
I know this is directly to do with the SSL passphrase, as simply restarting gets everything running again with no errors. I have configured mods-available/ssl.conf so the SSLPassPhraseDialog directive uses the passphrase file instead of builtin, hence the restart can work fine from within the shell script, but obviously reload and force-reload must be running some sort of background process which involves reloading the SSL certs or something?? So my question is: can I override this, and if so, what directive / params do I use?
I'm on Ubuntu Lucid 10.04 Server and Apache v2.2.14.
Any help would be greatly appreciated.
Many Thanks
Rob
PS: if anyone has any Dovecot or Postfix issues I may be able to help in the short term (until my memory fades!) as I have just had a riveting couple of weeks working with them!
- 07-04-2010 #2
I am a beginner using https, but why do you need to encrypt the private key?
You could set security using the folder permissions to avoid entering the password.
Regards
- 07-05-2010 #3
Hi Jose
Thanks for your reply.
I used a passphrase so that the maximum level of security is achieved, as the site will be getting lots of traffic and will probably be a target for malicious users.
Are you suggesting that by placing the SSL key in a directory which only Apache can read, an equal level of security would be provided?
Regards
Rob
- 07-05-2010 #4
IMHO: yes, this should be enough security.
If you have the private key's permissions set to 0400 and user root on the server,
then an attacker would need
- to have a login to the machines
- and root privileges
If this should happen, then you are already in big trouble.
Revoking the cert and getting a new one will then probably be the least of your issues :P
- 07-05-2010 #5
Another thing:
Is *all* the traffic https, or only a part of it?
If the https part is fairly small (YMMV), you could maybe think of offloading https handling to some load balancers,
and keep the Apaches to http only.
This makes sense
- as the Apache config stays simple
- the certs are handled in central locations
- the Apaches have more resources for actual requests instead of dealing with SSL.
- 07-05-2010 #6
Hi Irithori
Thanks for the advice. In answer to your question, the majority of the app will be SSL.
So just to clarify, if I make the key owner / group www-data and 0400, do you reckon that will be OK? As if I make the owner root, would Apache not be unable to access it?
Cheers
Rob
- 07-05-2010 #7
Forgot to ask, Irithori:
you don't have any idea what Apache settings may be causing the problem on the reload, do you, or would I be looking at a big can of worms there?!
Although it is good to know there is an alternative solution, I'm reluctant to let this problem beat me!! Also there is a slight fly in the ointment in that I will need to explain the cost of another wildcard SSL cert!
cheers
- 07-06-2010 #8
Hello
OK, I gave up! Have got the SSL cert reissued without a passphrase.
Thanks for your replies guys.
Cheers
Rob
- 07-06-2010 #9
Sorry, was too busy for a further reply yesterday.

But as soon as the private key has a passphrase, you need to provide that passphrase before the key can be used in, for example, Apache.
So the key has to be *somewhere* where it can be automatically used at Apache startup time.
If that somewhere is on the same machine, you can as well leave the private key without a passphrase.
If it is on another machine, you need to make sure the way of getting the passphrase is secure.
As you can see, this gets complex.
IMHO, leave the key without a passphrase,
set its owner to root and 0400. The parent Apache process runs as root and can therefore read it.
Take care of the overall security of that system.
That should do the job.
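The setup Irithori recommends in the last two replies (a private key with no passphrase, owned by root, mode 0400, and a reload that does not take the server down) as an added shell example. This is not code from the thread or from any of the posters; the file paths and the `apache2ctl configtest` before the reload are assumptions, and the key files used in the checks are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Helpers for running
# Apache on a passphrase-free private key: strip the passphrase once
# (offline, with a restrictive umask), verify root:0400 ownership, and
# reload only after the config parses.
# Paths such as /etc/ssl/private/example.key are assumptions.

# Succeed if a PEM key file is passphrase-protected. The traditional
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "-----BEGIN ENCRYPTED PRIVATE KEY-----" marker both contain ENCRYPTED.
is_encrypted_key() {
    grep -q 'ENCRYPTED' "$1"
}

# Write an unencrypted copy of an encrypted RSA key.  $3 is the passphrase.
# umask 077 in a subshell makes sure the plaintext key is never created
# group- or world-readable, even for an instant.
strip_passphrase() {
    in=$1; out=$2; pass=$3
    ( umask 077 && openssl rsa -in "$in" -passin "pass:$pass" -out "$out" 2>/dev/null )
}

# Succeed only if $1 is a regular file owned by $2 (default root) with
# mode exactly 0400; anything looser (group/world readable, executable,
# a symlink or directory) fails.  -prune keeps find from descending if
# someone passes a directory by mistake.
check_key_perms() {
    key=$1; owner=${2:-root}
    [ -n "$(find "$key" -prune -type f -perm 0400 -user "$owner" 2>/dev/null)" ]
}

# Install a plaintext key where the root-run Apache parent can read it.
# Refuses an encrypted key outright, since mod_ssl would then block on a
# passphrase prompt at the next start or reload.  Needs root.
install_key() {
    src=$1; dst=$2
    if is_encrypted_key "$src"; then
        echo "refusing to install an encrypted key: $src" >&2
        return 1
    fi
    cp "$src" "$dst" && chown root:root "$dst" && chmod 0400 "$dst"
}

# Reload only after a successful config test: a broken vhost file
# otherwise takes the whole server down on reload, which is the failure
# mode the thread started with.  (Assumed Debian/Ubuntu paths.)
reload_apache() {
    apache2ctl configtest && /etc/init.d/apache2 reload
}

# Typical use from the vhost-creation script (assumed file names):
#   strip_passphrase /root/example.key.enc /root/example.key "$PASS"
#   install_key /root/example.key /etc/ssl/private/example.key
#   check_key_perms /etc/ssl/private/example.key root || exit 1
#   reload_apache
```

If the key is kept encrypted instead, mod_ssl's `SSLPassPhraseDialog exec:/path/to/program` will hand the passphrase to Apache at start and reload, but the program and whatever it reads must themselves sit root-readable on the same box, so it buys nothing over the plaintext key with the permissions checked above; that is the point of the last reply. Note that `check_key_perms` demands root ownership, not www-data: only the root parent process opens the key, and a key readable by the www-data workers is readable by anything that compromises a worker.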