Results 1 to 2 of 2

Thread: Apache refuses to accept encrypted SSL keys

  1. #1

    Default Apache refuses to accept encrypted SSL keys

    Greetings!

    The following problem: I have set up https on my server, and when using an unencrypted private key, things work just fine.
    However, for security reasons I wish to have that key encrypted - but when I do so (RSA key encrypted with AES256) Apache complains.

    I have generated a small script that outputs the passphrase required for the private key (of course, access rights for this script are set to 0700, thus it's readable and executable only by root) and is supposed to get invoked by Apache - however, for some reason this is not the case (I tested this by inserting a line that should generate some sort of log message when the script is invoked, but that is not the case).

    When examining the error log associated with the virtual https server in question, I get the following:
    Code:
    [Tue Mar 25 15:27:37 2014] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Tue Mar 25 15:27:37 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    Anyone knows what's going on here?

    FYI: The init scheme used is systemd.

  2. #2

    Default Re: Apache refuses to accept encrypted SSL keys

    How is the script invoked by Apache?

    Maybe a better question is this: "How is this more secure than just having
    the unencrypted private key available for Apache directly? If that key is
    owned and readable only by root then that's the same as having its
    passphrase in a file only executable by 'root', right? It's never a
    comfortable situation to have a private key be unprotected, but it seems
    to me that whether you store the key in the clear or its passphrase in a
    script in the clear, you're at the same point where anybody who can become
    'root' can do whatever they want with little slowdown.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •