[arch-general] Lighttpd and passphrase protected SSL certificate
Hi guys,
I have just switched my webserver from debian to arch. However, I ran into some tricks with one of my sites which uses a passphrase protected SSL certificate. Indeed, because of the way lighttpd is currently started, it is not possible to enter the passphrase for such certificates. For the moment, I have to start lighttpd without using its rc script, which saddens me a little.
Do you guys think this is worth opening a feature request in the arch bugtracker?
Thanks, Audric
Audric Schiltknecht <chemicalstorm@gmail.com> wrote:
Hi guys,
I have just switched my webserver from debian to arch. However, I ran into some tricks with one of my sites which uses a passphrase protected SSL certificate. Indeed, because of the way lighttpd is currently started, it is not possible to enter the passphrase for such certificates. For the moment, I have to start lighttpd without using its rc script, which saddens me a little.
Do you guys think this is worth opening a feature request in the arch bugtracker?
Thanks, Audric
Depends. How does upstream suggest it to be done? If upstream it should be entered during startup and our script doesn't allow for that then a bug report is the way to go. -- Sven-Hendrik
On 15 January 2012 14:11, Sven-Hendrik Haase <sh@lutzhaase.com> wrote:
Audric Schiltknecht <chemicalstorm@gmail.com> wrote:
Hi guys,
I have just switched my webserver from debian to arch. However, I ran into some tricks with one of my sites which uses a passphrase protected SSL certificate. Indeed, because of the way lighttpd is currently started, it is not possible to enter the passphrase for such certificates. For the moment, I have to start lighttpd without using its rc script, which saddens me a little.
Depends. How does upstream suggest it to be done?
Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that the SSL password must be entered manually on each lighttpd start (or to remove the password from the key file, which I don't want to do :))
If upstream it should be entered during startup and our script doesn't allow for that then a bug report is the way to go.
Ok, so I will file a bug. Thanks!
On 01/15/2012 05:38 PM, Audric Schiltknecht wrote:
On 15 January 2012 14:11, Sven-Hendrik Haase <sh@lutzhaase.com> wrote:
Audric Schiltknecht <chemicalstorm@gmail.com> wrote:
Hi guys,
I have just switched my webserver from debian to arch. However, I ran into some tricks with one of my sites which uses a passphrase protected SSL certificate. Indeed, because of the way lighttpd is currently started, it is not possible to enter the passphrase for such certificates. For the moment, I have to start lighttpd without using its rc script, which saddens me a little.
Depends. How does upstream suggest it to be done?
Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that the SSL password must be entered manually on each lighttpd start (or to remove the password from the key file, which I don't want to do :))
If upstream it should be entered during startup and our script doesn't allow for that then a bug report is the way to go.
Ok, so I will file a bug.
Thanks!
If this was added to the rc.d file and you start the server at boot, it would hang indefinitely, waiting for input. It should have a timeout in that case. But what about if you start it in background? There is more to this in order to make it sensible.
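The hang-at-boot and background-start problems raised above, as an added example that is not from the thread or from Arch's lighttpd rc script: a start helper that first checks whether the PEM key is passphrase-protected at all, then only prompts (with a timeout) when a terminal is attached, and otherwise refuses to block. The function names and the PASS_TIMEOUT variable are assumptions for this example.

```bash
#!/bin/bash
# Added example, not from the thread or Arch's lighttpd rc script: the checks
# a start helper needs before it prompts for a protected TLS key's passphrase,
# so a boot-time or backgrounded start fails fast instead of hanging on a
# prompt nobody can answer. Assumes a PEM key; PASS_TIMEOUT is seconds to wait.
PASS_TIMEOUT=${PASS_TIMEOUT:-30}

# Is the PEM key passphrase-protected? Recognises the PKCS#8 "ENCRYPTED
# PRIVATE KEY" header and the legacy "Proc-Type: 4,ENCRYPTED" marker.
key_is_encrypted() {
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Can anyone actually type at us? False when started at boot or with '&'.
have_terminal() {
    [ -t 0 ]
}

# Read the passphrase without echo, giving up after PASS_TIMEOUT seconds.
# Prints it on stdout; non-zero on timeout, EOF or when there is no terminal.
read_passphrase() {
    have_terminal || return 1
    local pass
    read -r -s -t "$PASS_TIMEOUT" -p "Passphrase for TLS key: " pass || { echo >&2; return 1; }
    echo >&2
    printf '%s' "$pass"
}

# How may the server be started? Prints one of:
#   plain  - key is unencrypted, start normally
#   prompt - key is encrypted and a terminal is attached, ask with a timeout
#   refuse - key is encrypted and there is no terminal, do not block
start_mode() {
    if ! key_is_encrypted "$1"; then echo plain
    elif have_terminal; then echo prompt
    else echo refuse
    fi
}

main() {
    case "$(start_mode "$1")" in
        plain)  echo "starting lighttpd with unencrypted key $1" ;;
        prompt) pass=$(read_passphrase) || { echo "no passphrase within ${PASS_TIMEOUT}s, aborting" >&2; exit 1; }
                echo "starting lighttpd; the passphrase would be handed to it here" ;;
        refuse) echo "key $1 is passphrase-protected and no terminal is attached; aborting" >&2; exit 1 ;;
    esac
}
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `./start-helper.sh /path/to/key.pem`; the `refuse` branch is what an rc script started at boot or with `&` would hit, which is the hang the message above describes.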
On 15-01-2012 16:38, Audric Schiltknecht wrote:
Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that the SSL password must be entered manually on each lighttpd start (or to remove the password from the key file, which I don't want to do :))
Just out of curiosity (and maybe learn something) why not? If you have the certificate and the password stored together then I'd say the password is not protecting much. -- Mauro Santos
On Jan 15, 2012 12:58 PM, "Mauro Santos" <registo.mailling@gmail.com> wrote:
On 15-01-2012 16:38, Audric Schiltknecht wrote:
Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that the SSL password must be entered manually on each lighttpd start (or to remove the password from the key file, which I don't want to do :))
Just out of curiosity (and maybe learn something) why not? If you have the certificate and the password stored together then I'd say the password is not protecting much.
I'm not aware of a reason to lock the keyfile ... fairly standard AFAIK. Though if you wanted to get fancy, you could probably store the pass in the kernel and use some request-key/keyctl trickery to pull it out when needed ... would need to be loaded at least once on boot, but it's the same place SSH/GPG keeps your keys IIRC, so it's safe ... maybe enc the password with your TPM, then decrypt into kernel keyring, then load into openssl when requested ... :-O Or just unlock the keyfile. -- C Anthony
participants (4)
- Audric Schiltknecht
- C Anthony Risinger
- Mauro Santos
- Sven-Hendrik Haase