Apache – Problem using certificates with a passphrase

  • #369212
    Bill@mac-special
    Participant

    OS X SERVER : [BUG] SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

    I have spent untold hours, over the period of several days, tracking down this problem…

    There is a problem using commercial or self-signed SSL certificates that contain a key passphrase. The OS X Server Web GUI inserts the following line into httpd.conf:

    SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

    The Apache httpd.conf stuff below is generated by the OS X Server GUI.


        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
        SSLSessionCache dbm:/var/log/httpd/ssl_scache
        SSLSessionCacheTimeout 300
        SSLMutex file:/var/log/httpd/ssl_mutex
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
        SSLLogLevel info
        AddType application/x-x509-ca-cert crt
        AddType application/x-pkcs7-crl crl

    ## Default Virtual Host Configuration


        ServerName www.boats.com_ssl
        ServerAdmin [email protected]
        DocumentRoot "/usr/local/httpd/htdocs/boats.com/www"
        DirectoryIndex "index.php" "index.html"
        CustomLog '|/usr/sbin/rotatelogs "/var/log/httpd/access_log" 2592000' "%h %l %u %t \"%r\" %>s %b"
        ErrorLog '|/usr/sbin/rotatelogs "/var/log/httpd/error_log" 2592000'
        ErrorDocument 404 error.html
        
            SSLEngine On
            SSLLog "/var/log/httpd/ssl_engine_log"
            
            # THESE SELF SIGNED certs WORK FINE
            # SSLCertificateFile "/etc/certs/Default.crt"
            # SSLCertificateKeyFile "/etc/certs/Default.key"

            # THESE [ from RapidSSL ] DO NOT WORK CORRECTLY
            # SSLCertificateFile "/etc/certs/RapidSSL/boats.com.crt"
            # SSLCertificateKeyFile "/etc/certs/RapidSSL/boats.com.key"
            # SSLCACertificateFile "/etc/certs/RapidSSL/rapidssl_01.crt"

            # THESE [ from Thawte ] DO NOT WORK CORRECTLY
            SSLCertificateFile "/etc/certs/Thawte/boats.com.crt"
            SSLCertificateKeyFile "/etc/certs/Thawte/boats.com.key"

            # THESE DO NOT WORK CORRECTLY
            # SSLCertificateFile "/usr/local/httpd/ssl.crt/boats.com.crt"
            # SSLCertificateKeyFile "/usr/local/httpd/ssl.key/boats.com.key"
            
            SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL"
        
        
            DAVLockDB "/var/run/davlocks/.davlockany_80_default"
            DAVMinTimeout 600
        

        
            Options All -Indexes -ExecCGI -Includes +MultiViews
            
                DAV Off
            

            AllowOverride None
        

        
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} ^TRACE
            RewriteRule .* - [F]
        

        
            Alias "/images/" "/usr/local/httpd/htdocs_extra/images/"
            Alias "/javascript/" "/usr/local/httpd/htdocs_extra/javascript/"
        

        LogLevel warn
        ServerAlias *

    I only included the stuff pertinent to SSL.

    I have four domains, each of which is running on port 80 and port 443.

    As long as I use the "Default.crt" and "Default.key" as shown below, the Apache server starts up and all four websites run on both http and https, but as soon as I install a set of certificates provided by a CA, Apache will not start. I generated the CSR and private keys using openssl 0.9.71 and got certificates from RapidSSL, and even re-generated them a couple of times with no luck.

    After trying to figure out what was causing Apache to fail startup for several days, I eventually erased the drive and re-installed OS X Server with a pristine Apache 1.3.x so that I could start over with OS X Server's GUI.

    I still could not get SSL to work with the RapidSSL commercial certificates, so I decided to try a Thawte certificate, and still no luck.

    As soon as I would change the config file to use the self-signed default certificates, all four sites work perfectly once again, but this was not an acceptable option.

    The error_log did not show anything that provided a clue except: CAUGHT SIGTERM, SHUTDOWN

    The ssl_engine_log revealed a possible problem with getsslpassphrase, which OS X Server includes in httpd.conf:

        SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain1.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain2.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain3.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain4.com_ssl:443

    [01/Jun/2007 19:37:04 00567] [info] Init: Requesting pass phrase from dialog filter program (/etc/httpd/getsslpassphrase)
    [01/Jun/2007 19:37:04 00567] [error] Init: Pass phrase incorrect (OpenSSL library error follows)
    [01/Jun/2007 19:37:04 00567] [error] OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

    I found a number of messages a couple of years old that dealt with items that did not apply to my situation.

    After commenting out the following line:

    # SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

    I VERIFIED THAT getsslpassphrase WAS IN FACT THE CULPRIT:

    Here is the result shown in the terminal after doing:

    $ sudo /usr/sbin/apachectl start

    Processing config file: /etc/httpd/sites/virtual_host_global.conf
    Apache/1.3.33 mod_ssl/2.8.24 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server www.domain1.com_ssl:443 (RSA)

    Enter pass phrase: ***********
    I MANUALLY ENTERED THE PASSPHRASE HERE AND
    APACHE FINALLY STARTED OK WITH THE VALID CERTIFICATES

    Ok: Pass Phrase Dialog successful.
    /usr/sbin/apachectl start: httpd started

    [2007.01.06](08:55PM) -> [username] ~ $ ps aux | grep httpd

    root 428 0.0 0.4 41300 4628 ?? Ss 8:55PM 0:00.15 /usr/sbin/httpd
    http 442 0.0 0.1 36392 1376 ?? S 8:55PM 0:00.01 /usr/sbin/httpd
    username 446 0.0 0.0 27376 428 p1 S+ 8:55PM 0:00.01 grep httpd

    [2007.01.06](08:55PM) -> [username] ~ $

    APPARENTLY THE DEFAULT CERTIFICATES MUST NOT CONTAIN A PASSPHRASE,
    AND THAT IS WHY THEY ARE ABLE TO START APACHE OK

    I TRIED COMMENTING ON/OFF THE LINE CONTAINING getsslpassphrase
    SEVERAL TIMES AND THE OUTCOME WAS ALWAYS THE SAME. WHEN I
    COMMENTED IT OUT, AND ENTERED THE PASSPHRASE MANUALLY APACHE
    WOULD START, OTHERWISE IT WOULD NOT…

    The question is how to get Apple to fix SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

    Any ideas?

    Best regards,

    Bill Hernandez
    Plano, Texas

    #369215
    darkstar
    Participant

    Just curious... does it work using a certificate created using your own certificate authority?

    There's a really great step-by-step guide to creating your own CA and rolling certs right here on this site. It's pretty easy if you haven't tried yet. The only thing I would change is the name of the CA, which is "demo" unless you change it in /System/Library/OpenSSL/openssl.cnf before you start.

    On a related note, has anyone set up their own CA and been able to get it to show up as one of the CAs or the default CA when using the certificate assistant in the Keychain program?

    #370310
    [email protected]
    Participant

    The only solution I have ever been able to use (and I think this is more of a problem with multi-SSL-domain sites) is to replace the contents of "getsslpassphrase" with a single line:

    [code]echo TheValueForMyPassPhrase[/code]

    Then you have to use the exact same passphrase for all of your SSL sites.

    Stupid but true.

    Robert
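A per-site replacement for the getsslpassphrase helper, as an added example that is not from this thread or from Apple's shipped script. mod_ssl runs an `exec:` dialog program once per encrypted key with two arguments, `servername:port` and the key type (`RSA` or `DSA`), and takes what it prints to stdout as the pass phrase; this script looks the phrase up in a root-only file instead of hard-coding one `echo`, so each site can keep its own key pass phrase. The pass-phrase file path, its tab-separated format and the demo entries are this example's assumptions.

```shell
#!/bin/sh
# Added example: drop-in for "SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase".
# mod_ssl invokes the program as:  <script> <servername:port> <RSA|DSA>
# and takes whatever is printed to stdout as the pass phrase for that key.
# Assumed pass-phrase file (path and format are this example's choice):
#   one "<servername:port><TAB><pass phrase>" per line, "#" lines ignored,
#   owned by root and mode 0600 like the private keys themselves.
PASSFILE="${SSL_PASSFILE:-/etc/httpd/ssl.passphrases}"

# Refuse a pass-phrase file that is readable or writable by anyone else.
# ls -ld is parsed because stat's flags differ between macOS and GNU.
check_passfile_perms() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# lookup_passphrase <servername:port> <RSA|DSA> <passfile>
# Prints the phrase for an exact server match; exit 1 if none or bad key type.
lookup_passphrase() {
    case "$2" in RSA|DSA) ;; *) return 1 ;; esac
    awk -F '\t' -v s="$1" '
        $0 !~ /^#/ && $1 == s { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$3"
}

# Constructed demo file with made-up phrases so the script can be run offline.
demo_passfile() {
    d=$(mktemp -d)
    printf '# server\tpass phrase\n'                        >  "$d/pass"
    printf 'www.boats.com_ssl:443\tboats-demo-phrase\n'     >> "$d/pass"
    printf 'www.domain2.com_ssl:443\tdomain2-demo-phrase\n' >> "$d/pass"
    chmod 600 "$d/pass"
    echo "$d/pass"
}

# Behave as the dialog program only when mod_ssl calls us with two arguments;
# on any failure nothing is printed, so httpd fails closed ("Pass phrase incorrect").
if [ "$#" -eq 2 ]; then
    check_passfile_perms "$PASSFILE" || { echo "$0: refusing $PASSFILE (missing or loose permissions)" >&2; exit 1; }
    lookup_passphrase "$1" "$2" "$PASSFILE"
fi
```

Install the script with the same root-only ownership and mode as the key files. A phrase can be confirmed against a key beforehand with `openssl rsa -noout -in boats.com.key`, which prompts for it and reports an error if it is wrong.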
