Plain Black, makers of WebGUI

neodymiumex

Date: 7/31/2008 3:14 pm · Subject: SSL Passphrase · Rating: 0

Hey all,

I'm having trouble getting ssl working. I think I've narrowed the problem down to the fact that in order to use the certificates I'm feeding modproxy, it needs a passphrase. However, at no point in the startup of modproxy does it request one from me. I'm assuming that I will need to edit the start up script for modproxy, but I don't have any idea where to start.

A little background: I'm running WebGUI 7.4.40 with WRE 0.8.3. I've edited mysite.modproxy in order to uncomment the SSL section, editing it for the server's ip address and name. Now, when I try to restart modproxy, everything just seems to hang.

Under the last setup we had, the apache startup script would prompt for a passphrase before starting. However, I've never been prompted for one here.

Is there some way I can get modproxy to prompt for the passphrase to decode the ssl certificates?

--- (Edited on 7/31/2008 3:14 pm [GMT-0500] by neodymiumex) ---

Back to Top

Rate [ | ]

preaction

Date: 7/31/2008 3:23 pm · Subject: Re: SSL Passphrase · Rating: 0

Better, in my opinion, to remove the passphrase entirely.

To remove a passphrase from a DSA key: openssl rsa -in example.tld.key -out example.tld.key

--- (Edited on 7/31/2008 3:23 pm [GMT-0500] by preaction) ---

Back to Top

Rate [ | ]

neodymiumex

Date: 8/1/2008 7:16 am · Subject: Re: SSL Passphrase · Rating: 0

I don't believe that is an option at this point. There has to be a way to modify either the wreconsole or the modproxy config/startup script to make it prompt for a passphrase.

--- (Edited on 8/1/2008 7:16 am [GMT-0500] by neodymiumex) ---

Back to Top

Rate [ | ]

preaction

Date: 8/1/2008 7:22 am · Subject: Re: SSL Passphrase · Rating: 0

So you'd rather have someone need to manually restart apache after it goes down.

Then use the apachectl that comes with the WRE perhaps?

--- (Edited on 8/1/2008 7:22 am [GMT-0500] by preaction) ---

Back to Top

Rate [ | ]

neodymiumex

Date: 8/1/2008 7:28 am · Subject: Re: SSL Passphrase · Rating: 0

I would love to use apachectl and have the server restart all by itself. For security reasons, I don't think there is a way to implement that.

-edit: nevermind I found apachectl afterall

--- (Edited on 8/1/2008 7:28 am [GMT-0500] by neodymiumex) ---

--- (Edited on 8/1/2008 7:43 am [GMT-0500] by neodymiumex) ---

Back to Top

Rate [ | ]

knowmad

Date: 8/1/2008 7:42 am · Subject: Re: SSL Passphrase · Rating: 0

I would love to use apachectl and have the server restart all by itself. For security reasons, I don't think there is a way to implement that.

Check out the SSLPassPhraseDialog directive in Apache. You can have it use an external app to manage the password entry automatically.

William

----
Knowmad Technologies
http://www.knowmad.com

--- (Edited on 8/1/2008 8:42 am [GMT-0400] by knowmad) ---

Back to Top

Rate [ | ]

neodymiumex

Date: 8/1/2008 8:22 am · Subject: Re: SSL Passphrase · Rating: 0

In that case, where is the mod_ssl conf file? Or do I just use the mysite.modproxy file?

The reason I ask is that I add the sslpassphrase builtin directive to the mysite.modproxy file and tried to start mod_proxy, but it says mod_proxy did not start successfully in the wre console.

--- (Edited on 8/1/2008 8:22 am [GMT-0500] by neodymiumex) ---

--- (Edited on 8/1/2008 8:29 am [GMT-0500] by neodymiumex) ---

Back to Top

Rate [ | ]

knowmad

Date: 8/1/2008 9:01 am · Subject: Re: SSL Passphrase · Rating: 0

In that case, where is the mod_ssl conf file? Or do I just use the mysite.modproxy file?

The master modproxy config is in /data/wre/etc/modproxy.conf. However, I would think you would want to set this in your site config file since you'll have different SSL certs for each site.

The reason I ask is that I add the sslpassphrase builtin directive to the mysite.modproxy file and tried to start mod_proxy, but it says mod_proxy did not start successfully in the wre console.

I don't think you understand how this directive works. Builtin is the default which displays the prompt. According to your original post, this is not compatible with the WRE startup scripts. So, you'll need to write your own script to pass in the passphrase. I think it can be as simple as an echo of a protected file with the password in it. Google is your friend.

Good luck,
William

----
Knowmad Technologies
http://www.knowmad.com

--- (Edited on 8/1/2008 10:01 am [GMT-0400] by knowmad) ---

Back to Top

Rate [ | ]

neodymiumex

Date: 8/4/2008 3:14 pm · Subject: Re: SSL Passphrase · Rating: 0

OK. Thanks everyone for their help. I've got modproxy starting up finally. It is listening and responding on port 443 finally, and all the certificates appear to be working correctly. Unfortunately, I'm now encountering another error. When I attempt to navigate to my page it gives a 502 Bad Gateway error message. I'm assuming it is because port 8081 is being blocked. 8081 is the port Spectre is running on.

I guess my question is: What is spectre and what does webgui use it for? I can always have the admin open up 8081, but I'd rather not if there is anyway to avoid it.

--- (Edited on 8/4/2008 3:14 pm [GMT-0500] by neodymiumex) ---

Back to Top

Rate [ | ]

SSL Passphrase

Recent Discussions Color Key