Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • May 3, 2004 at 10:19 am in reply to: SSL Problems. . . #357928
    Hypnotoad
    Participant

    With the the help of an apple.com discussion BBS member, I finally traced the problem to Apple’s getsslpassphrase utility… it was somehow munging the passphrase entered in the Server Admin control panel. I finally had to do this in httpd.conf:

    [code:1:f0abbbb42d]
    <IfModule mod_ssl.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # Comment out Apple’s buggy getsslpassphrase utility:
    # SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
    # This will require starting the server manually (sudo apachectl start):
    SSLPassPhraseDialog builtin[/code:1:f0abbbb42d]
    This works, but from now on I will have to edit the *.conf files and start httpd manually, which sucks… what’s the point in buying $500 OS X Server if you have to drop down to the Terminal and a text editor to maintain everything anyway?! grr.

    April 28, 2004 at 1:00 am in reply to: mod_ssl errors calling Openssl #357893
    Hypnotoad
    Participant

    I think this may be what you are looking for:

    http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase

    And quoting from that page:

    [quote:31b466d1a4]
    The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps:

    1. Remove the encryption from the RSA private key (while preserving the original file):

    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key

    2. Make sure the server.key file is now only readable by root:

    $ chmod 400 server.key

    Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another server, and have the key readable onl] by root).
    [/quote:31b466d1a4]

    April 28, 2004 at 12:49 am in reply to: SSL Problems. . . #357892
    Hypnotoad
    Participant

    I will add my voice to this unhappy chorus. I found apf548.com via the Apple OS X Server and macosxhints.com discussion groups, and I can report that I am having [i:dc8da53beb]exactly[/i:dc8da53beb] the same problem. I worked through the tutorial three times, and used a very, very simple passphrase ([b:dc8da53beb]1234[/b:dc8da53beb]) that I verified was correct in the servermgr_web_httpd_config.plist file… and the damn thing still insists that I have entered an incorrect passphrase.

    Removing the passphrase works, but that sucks–it’s a security hole. grr.

  • Author
    Posts
Viewing 3 posts - 1 through 3 (of 3 total)
Copyright © 2025 AFP548. All Rights Reserved.