How can I start Apache on Arch Linux w/systemd using passphrase protected SSL keys?


Solution 1

  • Write a wrapper script around apache and put it in ExecStart= of the unit (you may use drop-ins for that; no need to copy the whole unit into /etc)
  • From the wrapper script, use systemd-ask-password <PROMPT>, read password from its stdout and feed it to apache in whatever way is required
  • Don't forget to exec apache from the end of your script in order not to leave an extra bash process hanging around

This will make systemd query the password immediately (if you start apache using systemctl) or using one of so-called agents (there are default ones which ask passwords using wall or directly on the console). This is the best thing you can do to stay compliant.

Solution 2

I'm not sure about the systemd way of doing it, but Apache makes this possible, however it is started, with the SSLPassPhraseDialog directive. Basically, you create a small shell script in a file:

    SSLPassPhraseDialog exec:/etc/domain.com_ssl_passphrase.sh

The contents of the file:

    #!/bin/bash
    # Apache runs this script and reads the passphrase from its stdout
    echo "passphrase"

Make sure the file is executable:

    chmod +x /etc/domain.com_ssl_passphrase.sh

Now when you start Apache via systemd it will execute that script upon loading the SSL configuration for the site(s).
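
The two answers can be combined so that no passphrase is stored on disk. The following is an added example, not part of either original answer: a program for `SSLPassPhraseDialog exec:` that asks through `systemd-ask-password`. The install path (for instance `/usr/local/bin/apache-ask-pass`), the function names and the `ASK_CMD`/`ASK_TIMEOUT` variables are assumptions.

```sh
#!/bin/sh
# Added example: helper for "SSLPassPhraseDialog exec:<path to this file>".
# Apache calls it as:  <script> "servername:port" "RSA|DSA|ECC|<index>"
# and reads the pass phrase from stdout. Names and defaults are assumptions.

ASK_CMD=${ASK_CMD:-systemd-ask-password}  # overridable so the logic can be tested
ASK_TIMEOUT=${ASK_TIMEOUT:-60}            # seconds; keep below the unit's start timeout

# Build the prompt from Apache's two arguments and reject anything unexpected:
# the password agents display this text on consoles or via wall.
build_prompt() {
    [ "$#" -eq 2 ] || { echo "usage: server:port keytype" >&2; return 2; }
    case $1 in
        ''|*[!A-Za-z0-9_.:-]*) echo "unexpected server argument" >&2; return 2 ;;
    esac
    case $2 in
        RSA|DSA|ECC) ;;
        ''|*[!0-9]*) echo "unexpected key type argument" >&2; return 2 ;;
    esac
    printf 'TLS key pass phrase for %s (%s):' "$1" "$2"
}

# Ask through systemd's password agents. The pass phrase only travels over
# stdout to Apache; nothing is written to disk.
ask_passphrase() {
    prompt=$(build_prompt "$@") || return 2
    pass=$("$ASK_CMD" --timeout="$ASK_TIMEOUT" "$prompt") || return 1
    [ -n "$pass" ] || { echo "empty pass phrase" >&2; return 1; }
    printf '%s\n' "$pass"
}

# Apache always passes two arguments; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    ask_passphrase "$@" || exit $?
fi
```

The prompt has to be answered before the unit's start timeout expires (systemd's default is 90 seconds), otherwise the start job fails just as in the question.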

Author: tcoolspy

Updated on September 18, 2022

Comments

  • tcoolspy
    tcoolspy over 1 year

    I'm relatively new to using Arch Linux and think I must be missing the obvious way to do this correctly, but –short of starting the daemon on my own– I can't figure out how to get passphrase protected SSL keys unlocked when starting the service normally. With unprotected keys or without the SSL configuration Apache starts normally using the systemd service. As soon as I try to use protected keys, I get something like this:

    $ sudo systemctl start httpd
    Job for httpd.service failed.
    
    $ sudo systemctl status httpd
    httpd.service - Apache Web Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
       Active: failed (Result: exit-code) since Mon 2014-02-10 11:47:07 UTC; 13ms ago
      Process: 26035 ExecStop=/usr/bin/apachectl graceful-stop (code=exited, status=0/SUCCESS)
      Process: 26042 ExecStart=/usr/bin/apachectl start (code=exited, status=1/FAILURE)
     Main PID: 25500 (code=exited, status=0/SUCCESS)
    
    systemd[1]: Starting Apache Web Server...
    apachectl[26042]: Apache/2.2.26 mod_ssl/2.2.26 (Pass Phrase Dialog)
    apachectl[26042]: Some of your private key files are encrypted for security reasons.
    apachectl[26042]: In order to read them you have to provide the pass phrases.
    apachectl[26042]: Server {name redacted}:443 (RSA)
    apachectl[26042]: Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
    apachectl[26042]: **Stopped
    systemd[1]: httpd.service: control process exited, code=exited status=1
    systemd[1]: Failed to start Apache Web Server.
    systemd[1]: Unit httpd.service entered failed state.
    

    As far as I can tell, Apache knows it needs to unlock my keys, but if systemd knows the passphrase prompt needs to be shown, any attempt to do so is not reaching my shell and silently failing.

    What is the best practice way (or Arch Way™) to start Apache and unlock protected SSL keys using systemd?

    • Admin
      Admin over 10 years
      You typically strip the passphrase so the server can start w/o the challenge. wiki.apache.org/httpd/RemoveSSLCertPassPhrase. I'm assuming you know this and want to keep it regardless, am I correct in my assumption?
    • Admin
      Admin over 10 years
      @slm Yes, I am aware of this. I stripped the passphrase for testing this problem, but I need to configure it such that my intervention is required to unlock the cert.
    • Admin
      Admin over 10 years
      That's what I figured but had to ask 8-)
    • Admin
      Admin over 10 years
      Have you tried making use of the SSLPassPhraseDialog facility in Apache? serverfault.com/questions/160768/…
    • Admin
      Admin over 10 years
      This is not the way it is intended for, if yes please provide a reference. btw: for what reason?
    • Admin
      Admin over 10 years
      @bersch - it's perfectly acceptable to have a passphrase here. It won't protect the setup, but it will protect the private 1/2 of the key pair from getting out.
    • Admin
      Admin over 10 years
      @slm sorry I meant Caleb. My opinion is that if the server has to be secure, i.e. accessible only by trusted admins, if it is not possible then forget thinking about security.
    • Admin
      Admin over 10 years
      @bersch Your opinion on security practices does not invalidate my question about Arch's implementation of systemd/apache. You have a point about system security, but some certs do more than secure data over the wire, they also verify the identity of the provider. I want to be able to run an SSL service that is signed with my personal credentials on a box in a virtual machine in a shared environment where another admin could snapshot my machine and extract the file system. I realize it won't make the service and data the cert protects any more secure but it will prevent my ID from exploitation.
    • Admin
      Admin over 10 years
      @bersch - I was replying to your concern though. What Caleb wants to do will protect the keys, so at the very least it would prevent anyone from gaining access to the keys who may have done something nefarious like captured all the encrypted traffic, and now wants to decrypt it. There are other reasons too, but his request is perfectly legit.
    • Admin
      Admin over 10 years
      To whomever DV'ed this Q. It is a legitimate Q and does not warrant it. There are many technical reasons why someone would want to do this. Think out of the box on this! Do not assume that the OP is simply trying to naively secure his system by requiring a passphrase in a vain attempt to accomplish this!
    • Admin
      Admin over 10 years
      Ok, agree, so the reason is that one cannot extract the keys from a backup or image. But besides the reason, I am interested in the solution though, because any solution would also be vulnerable through other attacks. I am already delighted by this question +1.
    • Admin
      Admin over 10 years
      @bersch These kinds of concerns would be something for answers to address, not the question.
    • Admin
      Admin over 10 years
      @caleb - man ppl really have it in for this Q today. It was cycling to be closed as unclear too. I dropped a note in chat telling others to pls leave it open.
    • Admin
      Admin over 10 years
      @slm Thanks. I'm open to suggestions on how to improve it. I'm a little surprised at the reaction myself. Maybe it's my dig at Arch-' "The Way"? I'm not a fanboy here, I'm just trying to use the tools the way they were intended to be used.
    • Admin
      Admin over 10 years
      @Caleb - I'm surprised too. Q seems perfectly suited to this site. I think ppl are going with their knee jerk reaction rather than reading it. I'd hoped to cut that off by getting your clarification in the comments wrt to the stripped keys but it doesn't appear to be having the effect. I'm waiting for an Arch regular to jump in here, I don't use that distro so I can't offer more help, I believe Strugee and Jasonwryan are our 2 resident Archies/ers?. Jason most likely may not have seen it. If it gets worse I'll try and spin up a VM to see if I can't help though 8-)
    • Admin
      Admin over 9 years
      I've had this same problem, I think it should be filed as a bug.
    • Admin
      Admin over 9 years
      @user3467349 Feature request maybe, but I don't see how it's a bug.
    • Admin
      Admin over 9 years
      @Caleb well it's been a while since I tried this (so feel free to correct me) - but last time I tried a passworded ssl-key it was silently dropping the passphrase prompt as your question states - that's an obvious bug (if it's not a feature it shouldn't be there at all).
  • user3467349
    user3467349 over 9 years
    So your passphrase is saved as plaintext - what's the point then?