AFP548

OS X Server Apache – Problem using certificates with a passphrase

OS X SERVER : [BUG] SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

I have spent untold hours, over the period of several days, tracking down this problem...

There is a problem using commercial, or self signed SSL certificates that contain a key passphrase. OS X Server Web GUI inserts in the httpd.conf code the following line :

    SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

The apache httpd.conf stuff below is generated by OS X Server GUI

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
    SSLSessionCache dbm:/var/log/httpd/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/log/httpd/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLogLevel info
    AddType application/x-x509-ca-cert crt
    AddType application/x-pkcs7-crl crl

    ## Default Virtual Host Configuration
    ServerName www.boats.com_ssl
    ServerAdmin admin@boats.com
    DocumentRoot "/usr/local/httpd/htdocs/boats.com/www"
    DirectoryIndex "index.php" "index.html"
    CustomLog '|/usr/sbin/rotatelogs "/var/log/httpd/access_log" 2592000' "%h %l %u %t \"%r\" %>s %b"
    ErrorLog '|/usr/sbin/rotatelogs "/var/log/httpd/error_log" 2592000'
    ErrorDocument 404 error.html

        SSLEngine On
        SSLLog "/var/log/httpd/ssl_engine_log"

        # THESE SELF SIGNED certs WORK FINE
        # SSLCertificateFile "/etc/certs/Default.crt"
        # SSLCertificateKeyFile "/etc/certs/Default.key"
        # THESE [ from RapidSSL ] DO NOT WORK CORRECTLY
        # SSLCertificateFile "/etc/certs/RapidSSL/boats.com.crt"
        # SSLCertificateKeyFile "/etc/certs/RapidSSL/boats.com.key"
        # SSLCACertificateFile "/etc/certs/RapidSSL/rapidssl_01.crt"
        # THESE [ from Thawte ] DO NOT WORK CORRECTLY
        SSLCertificateFile "/etc/certs/Thawte/boats.com.crt"
        SSLCertificateKeyFile "/etc/certs/Thawte/boats.com.key"
        # THESE DO NOT WORK CORRECTLY
        # SSLCertificateFile "/usr/local/httpd/ssl.crt/boats.com.crt"
        # SSLCertificateKeyFile "/usr/local/httpd/ssl.key/boats.com.key"

        SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL"

        DAVLockDB "/var/run/davlocks/.davlockany_80_default"
        DAVMinTimeout 600

        Options All -Indexes -ExecCGI -Includes +MultiViews

        DAV Off

        AllowOverride None

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^TRACE
        RewriteRule .* - [F]

        Alias "/images/" "/usr/local/httpd/htdocs_extra/images/"
        Alias "/javascript/" "/usr/local/httpd/htdocs_extra/javascript/"

    LogLevel warn
    ServerAlias *

I only included the stuff pertinent to SSL. I have four domains, each of which is running on port 80 and port 443. As long as I use the "Default.crt" and "Default.key" as shown below, the Apache Server starts up, and all four websites run on both http, and https, but as soon as I install a set of certificates provided by a CA, apache will not start.

I generated the csr and private keys using openssl 0.9.71 and got certificates from RapidSSL, and even re-generated them a couple of times with no luck. After trying to figure out what was causing apache to fail startup for several days, I eventually erased the drive, re-installed OS X Server with a pristine apache 1.3.x so that I could start over with OS X Server's GUI. I still could not get SSL to work with the RapidSSL commercial certificates, so I decided to try a Thawte certificate, and still no luck. As soon as I would change the config file to use the self signed default certificates, all four sites work perfectly once again, but this was not an acceptable option.
The error_log did not show anything that provided a clue except :

    CAUGHT SIGTERM, SHUTDOWN

The SSL_engine_log revealed a possible problem with getsslpassphrase which OS X Server includes in httpd.conf

    SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain1.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain2.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain3.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Loading certificate & private key of SSL-aware server www.domain4.com_ssl:443
    [01/Jun/2007 19:37:04 00567] [info] Init: Requesting pass phrase from dialog filter program (/etc/httpd/getsslpassphrase)
    [01/Jun/2007 19:37:04 00567] [error] Init: Pass phrase incorrect (OpenSSL library error follows)
    [01/Jun/2007 19:37:04 00567] [error] OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

I found a number of messages a couple of years old that dealt with items that did not apply to my situation. After commenting out the next line :

    # SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

I VERIFIED THAT getsslpassphrase WAS IN FACT THE CULPRIT :

Here is the result shown in the terminal after doing

    $ sudo /usr/sbin/apachectl start
    Processing config file: /etc/httpd/sites/virtual_host_global.conf
    Apache/1.3.33 mod_ssl/2.8.24 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server www.domain1.com_ssl:443 (RSA)
    Enter pass phrase: ***********

I MANUALLY ENTERED THE PASSPHRASE HERE AND APACHE FINALLY STARTED OK WITH THE VALID CERTIFICATES

    Ok: Pass Phrase Dialog successful.
    /usr/sbin/apachectl start: httpd started

    [2007.01.06](08:55PM) -> [username] ~ $ ps aux | grep httpd
    root       428  0.0  0.4  41300  4628  ??  Ss  8:55PM  0:00.15 /usr/sbin/httpd
    http       442  0.0  0.1  36392  1376  ??  S   8:55PM  0:00.01 /usr/sbin/httpd
    username   446  0.0  0.0  27376   428  p1  S+  8:55PM  0:00.01 grep httpd
    [2007.01.06](08:55PM) -> [username] ~ $

APPARENTLY THE DEFAULT CERTIFICATES MUST NOT CONTAIN A PASSPHRASE, AND THAT IS WHY THEY ARE ABLE TO START APACHE OK

I TRIED COMMENTING ON/OFF THE LINE CONTAINING getsslpassphrase SEVERAL TIMES AND THE OUTCOME WAS ALWAYS THE SAME. WHEN I COMMENTED IT OUT, AND ENTERED THE PASSPHRASE MANUALLY APACHE WOULD START, OTHERWISE IT WOULD NOT...

The Question is how to get Apple to fix SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase

Any ideas ?

Best regards,
Bill Hernandez
Plano, Texas
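As an added illustration of what the failing "SSLPassPhraseDialog exec:" hook is expected to do (this is not Apple's getsslpassphrase and not code from the post above): mod_ssl runs the program with two arguments, "servername:port" and the key type ("RSA" or "DSA"), and reads the pass phrase from its stdout. The pass phrase file path and its line format are assumptions; the permission check refuses a file that is readable by anyone but its owner.

```shell
#!/bin/sh
# Hypothetical replacement for /etc/httpd/getsslpassphrase (example only).
# mod_ssl calls it as:  program servername:port RSA|DSA
# and expects the matching pass phrase on stdout, exit status 0.
# Assumed file layout (one key per line): "servername:port keytype passphrase"
PASSFILE="${PASSFILE:-/etc/httpd/sslpassphrases}"

# Only trust a pass phrase file that nobody but its owner can read or write.
# `ls -l` is used because stat(1) flags differ between OS X and GNU.
passfile_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -l "$f" | cut -c2-10)
    case "$mode" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the pass phrase for "$1" (servername:port) and "$2" (RSA/DSA).
# Optional "$3" overrides the pass phrase file. Returns 1 if nothing matches
# or the file is not private, so mod_ssl reports "Pass phrase incorrect"
# instead of receiving an empty line.
lookup_passphrase() {
    server="$1"; keytype="$2"; f="${3:-$PASSFILE}"
    passfile_is_private "$f" || return 1
    awk -v s="$server" -v k="$keytype" '
        $1 == s && $2 == k { sub(/^[^ ]+ +[^ ]+ +/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }' "$f"
}

# Entry point when invoked by mod_ssl with exactly the two documented arguments.
if [ $# -eq 2 ]; then
    lookup_passphrase "$1" "$2" || exit 1
fi
```

A pass phrase stored in a root-only file protects the key exactly as well as an unencrypted key file with the same permissions, which is the trade-off the default certificates already make; the gain is that the key file itself can stay encrypted for backups and copies.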