5

I'm relatively new to using Arch Linux and think I must be missing the obvious way to do this correctly, but –short of starting the daemon on my own– I can't figure out how to get passphrase protected SSL keys unlocked when starting the service normally. With unprotected keys or without the SSL configuration Apache starts normally using the systemd service. As soon as I try to use protected keys, I get something like this:

$ sudo systemctl start httpd
Job for httpd.service failed.

$ sudo systemctl status httpd
httpd.service - Apache Web Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: failed (Result: exit-code) since Mon 2014-02-10 11:47:07 UTC; 13ms ago
  Process: 26035 ExecStop=/usr/bin/apachectl graceful-stop (code=exited, status=0/SUCCESS)
  Process: 26042 ExecStart=/usr/bin/apachectl start (code=exited, status=1/FAILURE)
 Main PID: 25500 (code=exited, status=0/SUCCESS)

systemd[1]: Starting Apache Web Server...
apachectl[26042]: Apache/2.2.26 mod_ssl/2.2.26 (Pass Phrase Dialog)
apachectl[26042]: Some of your private key files are encrypted for security reasons.
apachectl[26042]: In order to read them you have to provide the pass phrases.
apachectl[26042]: Server {name redacted}:443 (RSA)
apachectl[26042]: Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
apachectl[26042]: **Stopped
systemd[1]: httpd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Apache Web Server.
systemd[1]: Unit httpd.service entered failed state.

Is far as I can tell, Apache knows it needs to unlock my keys, but if systemd knows the passphrase prompt needs to be shown, any attempt to do so is not reaching my shell and silently failing.

What is the best practice way (or Arch Way™) to start Apache and unlock protected SSL keys using systemd?

Improve this question
21
  • 1
    You typically strip the passphrase so the server can start w/o the challenge. wiki.apache.org/httpd/RemoveSSLCertPassPhrase. I'm assuming you know this and want to keep it regardless, am I correct in my assumption? Commented Feb 10, 2014 at 14:16
  • 1
    @bersch - it's perfectly acceptable to have a passphrase here. It won't protect the setup, but it will protect the private 1/2 of the key pair from getting out. Commented Feb 10, 2014 at 15:05
  • 1
    @bersch Your opinion an security practices does not invalidate my question about Arch's implementation of systemd/apache. You have a point about system security, but some certs do more than secure data over the wire, they also verify the identity of the provider. I want to be able to run an SSL service that is signed with my personal credentials on a box in a virtual machine in a shared environment where another admin could snapshot my machine and extract the file system. I realize it won't make the service and data the cert protects any more secure but it will prevent my ID from exploitation. Commented Feb 10, 2014 at 15:18
  • 1
    To whomever DV'ed this Q. It is a legitimate Q and does not warrant it. There are many technical reasons why someone would want to do this. Think out of the box on this! Do not assume that the OP is simply trying to naively secure his system by requiring a passphrase in a vain attempt to accomplish this! Commented Feb 10, 2014 at 15:23
  • 1
    @bersch These kinds of concerns would be something for answers to address, not the question. Commented Feb 10, 2014 at 15:43

2 Answers 2

Reset to default
2
  • Write a wrapper script around apache and put it to ExecStart= of the unit (you may use drop-ins for that; no need to copy whole unit into /etc)
  • From the wrapper script, use systemd-ask-password <PROMPT>, read password from its stdout and feed it to apache in whatever way is required
  • Don't forget to exec apache from the end of your script in order not to leave an extra bash process hanging around

This will make systemd query the password immediately (if you start apache using systemctl) or using one of so-called agents (there are default ones which ask passwords using wall or directly on the console). This is the best thing you can do to stay compliant.

Improve this answer
1

I'm not sure about the systemd way of doing it, but Apache makes this possible however it is started with the SSLPassPhraseDialog directive. Basically, you create a small shell script in a file:

SSLPassPhraseDialog  /etc/domain.com_ssl_passphrase.sh

The contents of the file:

#!/bin/bash
echo "passphrase"

Make sure the file is executable:

chmod +x /etc/domain.com_ssl_passphrase.sh

Now when you start Apache via systemd it will execute that script upon loading the SSL configuration for the site(s).

Improve this answer
1
  • 2
    So your passphrase is saved as plaintext - what's the point then? Commented Feb 15, 2015 at 7:23

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.