
How Do I Start Apache With Ssl Passphrase?




#1 temhawk

Posted 31 January 2011 - 10:51 AM

I am trying to set up SSL for the first time, and I'm getting these messages in the Apache error log when I start it.

[Mon Jan 31 15:11:15 2011] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Mon Jan 31 15:11:15 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Mon Jan 31 15:11:15 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 31 15:11:15 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Jan 31 15:11:15 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib


It's probably just that I didn't enter the private key's passphrase; my certificate should be okay. So how do I give Apache the passphrase to make it work?
0

#2 Rob Kaper

Posted 02 February 2011 - 05:21 AM

Doesn't Apache prompt you for it? It should...

Anyway:

http://httpd.apache....aq.html#startup

Quote

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

2. Make sure the server.key file is only readable by root:

$ chmod 400 server.key

Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

As an alternative approach you can use the "SSLPassPhraseDialog exec:/path/to/program" facility. Bear in mind that this is neither more nor less secure, of course.


Rob Kaper - Rotterdam
0
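The quoted FAQ hinges on one question: is the key file encrypted, so that mod_ssl must obtain a pass phrase before it can load it? The following added example (not from the FAQ or from anyone in this thread) classifies a key file by its PEM armour the way OpenSSL will see it at startup; the sample key texts are constructed placeholders, and the no-armour case is the one where OpenSSL's DER fallback reports "asn1 encoding routines" errors.

```python
import re

# Constructed sample files (placeholder base64 bodies, not real key material).
# Traditional OpenSSL format carrying the headers that mark an encrypted key.
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
# What `openssl rsa -in server.key.org -out server.key` leaves behind.
SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.MULTILINE)
ENCRYPTED_HEADER = re.compile(r"^Proc-Type: 4,ENCRYPTED$", re.MULTILINE)

def classify_key(text):
    """Say how mod_ssl/OpenSSL will treat this file at startup.

    Returns one of: 'pkcs8-encrypted', 'traditional-encrypted',
    'unencrypted', 'certificate-not-key', 'unknown-pem', 'not-pem'.
    """
    match = PEM_BEGIN.search(text)
    if match is None:
        # No PEM armour: DER, a mangled paste or simply the wrong file.
        # OpenSSL's DER fallback then reports 'asn1 encoding routines' errors.
        return "not-pem"
    label = match.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"        # PKCS#8 wrapper: pass phrase required
    if label.endswith("PRIVATE KEY"):
        if ENCRYPTED_HEADER.search(text):
            return "traditional-encrypted"   # pass phrase required
        return "unencrypted"                 # loads silently, protect the file
    if label == "CERTIFICATE":
        return "certificate-not-key"    # server.crt handed in as the key
    return "unknown-pem"

def needs_passphrase(text):
    """True when Apache will invoke SSLPassPhraseDialog (builtin or exec:)."""
    return classify_key(text) in ("pkcs8-encrypted", "traditional-encrypted")

if __name__ == "__main__":
    for name, sample in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(f"{name}: {classify_key(sample)}, prompt: {needs_passphrase(sample)}")
```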

#3 temhawk

Posted 02 February 2011 - 04:35 PM

Thanks for your reply, Rob, but there is no password prompt when I start Apache. I run "sudo apachectl start" and nothing happens. Maybe it's because I set the permissions of the file to "400" and Apache is not running as that user. (I don't have a good grip on permissions...)

In fact I just found that there are two "httpd" instances in the system processes list, one running as "root" and the other as "_www". That's confusing me. Do you have an explanation for it?

Also, in my SSL configuration file I have this setting: "SSLPassPhraseDialog builtin". Maybe I need a different value? But I have no idea what I would put there. I'm on Unix/Mac.

0

#4 Rob Kaper

Posted 03 February 2011 - 03:31 AM

I believe it's just the permissions on your file that need fixing: change the group of the file to a group the _www user is in and set the permissions to 440, or change the owner of the file to _www in which case 400 is sufficient.

Permissions under UNIX consist of three parts: user rights, group rights and other. Each part is the sum of (1 for execute, 2 for write and 4 for read). So permission 640 (quite common) would mean read and write rights for the owner (2+4=6), read rights for the group (4) and no rights for the rest (0).

Don't worry about the root and _www processes, that's normal: the main process is root but the children actually handling the requests have lower privileges.

PS: Doesn't Apple give you a graphical user interface to manage file permissions? That'd surprise me...
Rob Kaper - Rotterdam
0
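As an added example (not Rob's code), this Python model renders a numeric mode the way `ls -l` prints it and applies the classic Unix owner/group/other rule to decide whether the unprivileged Apache worker could read server.key. It assumes the worker user is `_www` in a group `_www`, ignores macOS ACLs, and treats root, which bypasses these bits, separately.

```python
import stat

# Mode bits in ls -l order: owner rwx, group rwx, other rwx.
_BITS = ((stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
         (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
         (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))

def mode_string(mode):
    """Render an octal mode as ls -l shows it: 0o640 -> 'rw-r-----'."""
    return "".join(ch if mode & bit else "-" for bit, ch in _BITS)

def can_read(mode, owner, group, user, user_groups, is_root=False):
    """Classic Unix discretionary read check.

    Exactly one class applies: the owner bits if the user owns the file,
    otherwise the group bits if the user belongs to the file's group,
    otherwise the 'other' bits. root bypasses the check entirely.
    macOS ACLs (which the GUI may add) are deliberately not modelled.
    """
    if is_root:
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def apache_can_read_key(mode, owner, group, worker="_www", worker_groups=("_www",)):
    """Could the unprivileged Apache child (assumed user _www) read server.key?"""
    return can_read(mode, owner, group, worker, worker_groups)

if __name__ == "__main__":
    # The layouts discussed in the thread; owner/group names are assumed.
    for mode, owner, group in ((0o400, "root", "wheel"),
                               (0o440, "root", "_www"),
                               (0o400, "_www", "_www")):
        parent = can_read(mode, owner, group, "root", ("wheel",), is_root=True)
        child = apache_can_read_key(mode, owner, group)
        print(f"{mode_string(mode)} {owner}:{group}  root parent: {parent}"
              f"  _www child: {child}")
```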

#5 temhawk

Posted 03 February 2011 - 08:04 PM

Thank you very much Rob. A file can have only one owner, but multiple groups, all of whose access is equally limited (by the second digit of the "permissions number"), is that correct?

Of course Mac has a GUI for file permissions, but it's not possible to do certain things like adding the "_www" group, so I use the command-line tools. I have actually given a tip here on WR on how to change file permissions (using ACLs) so that PHP can have access, but I researched it a while ago and haven't needed to improve my understanding until now.

The trouble is I still don't get a prompt for the key's password when I start Apache, and I'm still getting the same error messages in the log. I even gave "everyone" Read+Write permissions (using the Mac GUI this time). But what if "everyone" doesn't actually mean "other" as in the Unix file permissions, but is instead a layer created by Apple to mean "other human users", in an attempt to make it more user-friendly and safer... just like there is no "execute" permission in the GUI and no "Write but not Read" permission, things which can be set using the command-line tools but would seldom be something the average user needs to do.

It would help if I could inspect the actual file permissions in detail. Could you tell me please what the command is or where I can read to learn more about this stuff? I only know "chown", "chmod" and "chgrp", there must be some command to tell me the owner, group, etc and their permissions.

0

#6 Rob Kaper

Posted 07 February 2011 - 04:21 AM

temhawk, on 03 February 2011 - 08:04 PM, said:

Thank you very much Rob. A file can have only one owner, but multiple groups, all of whose access is equally limited (by the second digit of the "permissions number"), is that correct?

Correct about the equal rights, although under UNIX a file ordinarily has one owner and also just one group. A group can of course consist of multiple users and a user can be in multiple groups. So I don't think file permissions are still your problem. Unfortunately I can't help you with the specific error message, as it looks like you're using a different SSL engine than what's standard in LAMP environments.

It's one reason why I dislike OSX for servers: it's UNIX, but then always so slightly different that it might as well have been a completely different system.

Did you try removing the passphrase from your key? Don't worry much about the security: if people get access to that file on your server you probably have bigger concerns anyway.
Rob Kaper - Rotterdam
0

#7 EncoderDecoder

Posted 17 May 2011 - 07:34 AM

wow.. everything seems so complicated.. so you can run apache through codes..? i usually open the control application for that and start it up by just clicking a button.. well, this shows how much i have yet to learn.. thanks a lot guys!
0
