Archive for March 26th, 2010

Auto insert password for a Trusted SSL Certificate / Automatically enter password for an SSL Certificate during Apache startup on Debian Lenny

Friday, March 26th, 2010

Protect-Your-Private-SSL_keys-Apache-howto
I've recently installed a Trusted certificate that I've previously protected with a pass-phrase to an Apache server running on top of Debian in order to have a better security.
Now everytime I restart Apache it's pretty annyoing and non-practical at the same time, to enter the Passphrase assigned to the SSL certificate.
It's also dangerous because if Apache crashes and tries to resurrect itself restartig it might not start-up again.
Another unpleasant possible scenario is if for example some of the php code developers tries to change something minor in some Virtualhost and afterwards restarts Apache for the new configurations to take place, again Apache won't bring up and a chaos would emerge.
So I decided to configurate my Apache that it auto fills in the passphrase each time it's being started or restarted.To do that I consulted some online resources and I end up redirected by a blog post to the mod_ssl ssl_reference web page
There is plenty of stuff on that document however in my case all I needed was one directive in /etc/apache2/mods-avalable/mods-available/ssl.conf :

SSLPassPhraseDialog exec:/etc/apache2/mods-available/passphrase

The above code must replace:

SSLPassPhraseDialog builtin

Now last step is to prepare the /etc/apache2/mods-available/passphrase .
Make sure the file has the following content:

#!/bin/sh
echo "yoursecretpassword"

Change above yoursecretpassword with your configured passphrase.
Also please make sure /etc/apache2/mods-availabe/passphrase has proper set permissions. In my case I've set the following permissions for the file:

debian:~# chown www-data:www-data /etc/apache2/mods-available/passphrase
debian:~# chmod 700 /etc/apache2/mods-available/passphrase

That should be it, Restart Apache and make sure Apache is properly loaded without anySSL passphrase prompts.
However you should have in mind that auto enabling passphrase loading on starting in Apache is much more insecure than typing in the password every time you restart Apache. Storing the passphrase in a file is quite insecure compared to if you type it every time Apache starts.
For instance if a hacker breaks into your server he might be able to steal your SSL certificate as well as the passphrase file.
And surely this is something you don't want. Anyways flexibility has a price and if you decide to go the way described, please note the risk first.

 

   

If you haven't already added a password to your private key during certficate generation time,

Of course you can add/remove a passphrase at a later time.

    add one (assuming it was an rsa key, else use dsa)

    openssl rsa -des3 -in your.key -out your.encrypted.key
    mv your.encrypted.key your.key

    the -des3 tells openssl to encrypt the key with DES3.

    remove it

    openssl rsa -in your.key -out your.open.key

    you will be asked for your passphrase one last time
    by omitting the -des3 you tell openssl to not encrypt the output.

    mv your.open.key your.key

 

Tags: , , , , , , , , , , , ,
Posted in System Administration, Web and CMS | 4 Comments »

Fix to “Init: Private key not found” whenever trying to configure Apache to run with a Trusted SSL Certificate issued from RapidSSL

Friday, March 26th, 2010

Yesterday I had to fight for a while before I can properly install a Trusted SSL certificate issued by RapidSSL.
The problem persisted for a couple of hours before I can realize it was caused by myself.
So here is the error I encounted in my Apache error.log.


[Thu Mar 25 09:29:41 2010] [error] Init: Private key not found
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Mar 25 09:29:41 2010] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

It took me a couple of hours in futile attempts to fix the error.
Anyways I’ll try to explain in a few words some of the things I tried following mostly suggestions by web forums and other blogs by which it was claimed that was the corner stone that drove Apache out of the the track.

1. I checked if the .PEM certificate files are readable by all users including www-data (since I’m running Apache on Debian).

It’s best if your .pem file permissions are set like:

-rw-r–r– 1 www-data www-data 3158 2010-03-25 11:07 /etc/apache2/ssl/www.domain.com.pem

2. I tried to hand out the .CRT file and the .KEY file from Apache directives as shown below:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key

3. I tried modifying /etc/apache2/mods-enabled/ssl.conf

There I attempted to change:

SSLProtocol all -SSLv2
to
SSLProtocol all
This try wasn’t helpful as well.

4. I tried Removing the encryption from the RSA private key (while preserving the original file)

debian:~# cp -rpf /etc/apache2/ssl/www.domain.com.key /etc/apache2/ssl/www.domain.com.key.orig
debian:~# /usr/bin/openssl rsa -in /etc/apache2/ssl/www.domain.com.key.orig -out /etc/apache2/ssl/www.domain.com.key

So unecrypting the RSA private key from it’s DES3 encryption and passing it to the Apache Webserver didn’t changed anything,
Whenever I restarted Apache it refused to run once again, though I was not asked for a passphrase after trying the above code.

Since all of the above failed I also tried checking if the .csr, the crt and .key file aren’t broken or something.

debian:~# /usr/bin/openssl x509 -noout -modulus -in /etc/apache2/ssl/www.domain.com.crt
debian:~# /usr/bin/openssl rsa -noout -modulus -in /etc/apache2/ssl/www.domain.com.key
debian:~# /usr/bin/openssl req -noout -modulus -in /etc/apache2/ssl/www.domain.com.csr

I checked the output from the above commands and I compared the output for Modulus.
If everything is okay with your .key .csr and .crt files then the result for Modulus from the above commands should be equal.
This prooved there is no match in the modulus between the www.domain.com.crt and the www.domain.com.key.
This gave me the idea that probably something is wrong with the www.domain.com.key and it’s not the same file I used to generate the .csr (Certificate Signing Request) file later.
I checked and realized all the time I was using a .key file from my notebook Desktop and the file from my notebook Desktop is not the original file from the server.
So I immediately jumped to the server ssh-ing and deleted the inappropriate .key file I have stored in /etc/apache2/ssl/www.domain.com.pem with the correct one.

Now after restarting the webserver, all worked like a charm! Praise God 🙂
This experience is another good example that the simplest human mistakes creates the biggest, which are also the hardest to track.

Tags: , , , , ,
Posted in System Administration | 1 Comment »