– OVERVIEW / THOUGHT PROCESS –
This experiment was conducted on a CentOS 6 installation of Linux. As always, with any other installations of Linux, there may be slightly different commands and directories to consider, but the theory is the same. Try it out if you like the concept… WHY NOT?!?
This experiment began when I realized that I was taking my routine for granted. You see, upon reboots related to normal server maintenance, when I was asked for the SSL passphrase, I would enter it so that the server would continue its boot up process. Although I was blessed with a 99.9% uptime, I wondered what would happen if the power were to go out and the server rebooted on its own. Of course, I already knew the answer… the boot process would stick when it got to the part where I had to enter the SSL passphrase.
That’s when I decided to make it automated using this, the setting to enter the passphrase using a shell script. For now, this particular tutorial calls for using an executable script that calls the password in plain text. Perhaps later, I’ll post a way to encrypt it. Either way, the file permissions need to be set to allow only root execution for security purposes.
Remember, WHAT IF AND WHY NOT?!? Try it out and see if you like it. If you don’t, throw it out and try something else. Regardless, Here’s how I made it happen:
– APACHE – ACCEPT PASSPHRASE ON BOOT –
# Nano happens to be my favorite command line text editor. If I were using a Graphical User Interphase (GUI), I would use gvim, but for SSH, nano is awesome and quick! (use ctl-o to save and ctl-x to exit). This command will create the script file that we will use to produce the passphrase when asked by the httpd startup process.
$ sudo nano /etc/httpd/conf/passphrase
INSERT THIS TEXT (all of it):
CHANGE PERMISSIONS TO USER EXECUTE ONLY:
sudo chmod 700 /etc/httpd/conf/passphrase
AS ALWAYS, VERIFY THAT IT WORKED:
$ ls -al passphrase
-rwx—— 1 root root 30 Feb 20 05:06 passphrase
ADD THIS TO THE END OF /etc/httpd/conf/https.conf
RESTART httpd SERVICE:
$ sudo service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
IF YOU SEE [failed], CHECK THE LOG FILES:
$ sudo tail -10 /var/log/httpd/ssl_error_log
YOU CAN ALSO CHECK THE SHELL COMMAND TO MAKE SURE IT WORKED:
$ sudo bash /etc/httpd/conf/passphrase
# NOTE: When you use the bash command to see if your script worked, know that anyone watching your screen will be able to see your passphrase. It’s a small detail, but sometimes, it’s worth mentioning.
– PROBLEM SOLVED / EXPLANATION –
It doesn’t take much to make your server, and yourself more efficient. This process took only five minutes to implement, but saved you hours upon hours of possible downtime due to your server not starting up right away.
Always take the time to think about your implementations and do what’s right. Don’t be in such a rush that you miss the smallest things. Take care of your server, and it will take care of you!
Always remember… WHAT IF AND WHY NOT?!?