I just set up a secure server.
Followed the godaddy instructions for key generation/installation - and the server wanted my pass phrase to start.
When I started developing I followed instructions for a self signed cert and everything went dandy.
Anyway - after a little googling and an uneasy feeling that I messed up and godaddy might charge me a fee to resubmit for a new cert, I found the following solution -
openssl rsa -in secure.shastaherps.key.old -out secure.shastaherps.key
After running that and entering my pass phrase, no pass phrase is required to start the server and it seems like the browsers don't complain, so I think I'm set, but I thought I'd verify that all really is well and that doing that isn't going to cause any issues.
If I understand it correctly, the phrase was needed when Apache starts in order to decrypt the key, and all I did above was decrypt the key so that apache doesn't have to, correct?
Michael A. Peters wrote:
> openssl rsa -in secure.shastaherps.key.old -out secure.shastaherps.key
> After running that and entering my pass phrase, no pass phrase is required to start the server and it seems like the browsers don't complain, so I think I'm set, but I thought I'd verify that all really is well and that doing that isn't going to cause any issues.
I've been doing that for years and it works fine so I think you're good to go.
nate
On Fri, 3 Apr 2009, Michael A. Peters wrote:
> After running that and entering my pass phrase, no pass phrase is required to start the server and it seems like the browsers don't complain, so I think I'm set, but I thought I'd verify that all really is well and that doing that isn't going to cause any issues.
> If I understand it correctly, the phrase was needed when Apache starts in order to decrypt the key, and all I did above was decrypt the key so that apache doesn't have to, correct?
You are correct. As long as you can guarantee limited access to the file containing the key, then storing it in decrypted form is probably worth the risk.
On a server with untrusted users, however, I'd keep it decrypted.
On Fri, 3 Apr 2009, Paul Heinlein wrote:
> On a server with untrusted users, however, I'd keep it decrypted.
Er, I'd keep it encrypted.
There's also the issue of how it gets stored in your backup system.
On Fri, Apr 3, 2009 at 3:25 PM, Paul Heinlein heinlein@madboa.com wrote:
> On Fri, 3 Apr 2009, Paul Heinlein wrote:
>> On a server with untrusted users, however, I'd keep it decrypted.
> Er, I'd keep it encrypted. There's also the issue of how it gets stored in your backup system.
During the very recent (March 21st?) attack on http://www.webhostingtalk.com/ the backup server(s) were attacked first. That made it much more difficult for them to get the site up and running properly. I'm not sure if they have it fully restored yet. Backup servers need *maximum* protection too......
On Fri, 03 Apr 2009 17:06:38 -0500, Lanny Marcus wrote:
> Backup servers need *maximum* protection too......
agreed, but... maximum protection would mean turning network off. but that could turn out as a little inconvenience.
webservers that can't boot without human intervention are not acceptable for me. but that's me. i understand that other people may have another opinion, and that's fine.
best regards, markus
Markus Falb wrote:
> On Fri, 03 Apr 2009 17:06:38 -0500, Lanny Marcus wrote:
>> Backup servers need *maximum* protection too......
> agreed, but... maximum protection would mean turning network off. but that could turn out as a little inconvenience.
> webservers that can't boot without human intervention are not acceptable for me. but that's me. i understand that other people may have another opinion, and that's fine.
I agree. Apache has to start for me.
My server is a linode hosted xen vm. It does not have 100% uptime - it's rarely down, but it has been down before (I can tell from the logs - this site w/ the ssl is new but I have other stuff hosted on it).
Anyway - the site is just a site to record reptiles and amphibian sightings in my county, the only thing I'm using ssl for is user registration and login so that password is not sent plain text.
Hardly cause to be overly paranoid (I was a good boy and did set root:root 0600 permissions though). In fact using ssl may already be overly paranoid, most sites of this type don't - which is a pet peeve of mine (too many people use wireless and too many people use the same password for everything, passwords really need to be encrypted when sent)
I don't backup /etc/pki - I have the apache keys backed up, the server's ssl keys backed up, but only backup I have planned of the server is weekly rpm -qa, /etc/httpd, /etc/php.ini, mysql database, and user uploaded images. Everything else is cake to do from a fresh install and what I have at home.
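The trade-off discussed in this thread (a decrypted key is acceptable only while access to the file stays limited) can be checked mechanically. The following is an added example, not code from any poster in the thread: the function names `key_is_encrypted` and `audit_key` are hypothetical, and GNU `stat` (as shipped on CentOS) is assumed.

```shell
#!/bin/sh
# Added example: audit a PEM private key file.
# usage: audit_key secure.shastaherps.key

# key_is_encrypted FILE -> exit 0 if the PEM is pass-phrase protected.
key_is_encrypted() {
    # Traditional OpenSSL PEM marks encryption with a Proc-Type header;
    # PKCS#8 uses a distinct BEGIN line instead.
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# audit_key FILE [OWNER] -> prints findings; exit 0 if acceptable,
# 1 if a decrypted key has loose mode or wrong owner, 2 if unreadable.
audit_key() {
    key=$1
    want_owner=${2:-root}          # the thread uses root:root 0600
    [ -r "$key" ] || { echo "UNREADABLE $key"; return 2; }
    if key_is_encrypted "$key"; then
        echo "ENCRYPTED $key (service needs the pass phrase at start)"
        return 0
    fi
    # stat -c is GNU coreutils syntax (assumption).
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U' "$key")
    rc=0
    case $mode in
        600|400) ;;                # owner-only access
        *) echo "LOOSE-MODE $key mode=$mode (want 600 or 400)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "WRONG-OWNER $key owner=$owner (want $want_owner)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $key decrypted, mode=$mode owner=$owner"
    return "$rc"
}
```

Running the same function over backup copies of the key covers the backup concern raised earlier in the thread.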