Jun 18

Server hangs after installing a SSL cert with passphrase

Category: Linux   — Published by goeszen on June 18, 2014 at 1:23 pm

This is an important hint in case you switched from a "plain" RSA SSL Certificate, for example for Apache, or Dovecot, to a new certificate *with* password protection. Although having a passphrase on the cert adds another layer of security around your SSL certificates, it also raises burdens for programs that rely on access to the certificate. For example, Dovecot will not be able to let people log in unless it can access the certificate. It will do so silently, only writing errors to log. To solve this, you can provide the cert password via Dovecot's config file, although having it there (instead of in a separate file with adequate perm set) will counter having a password on the cert in the first place...

But Apache2 is another story: when Apache is restarted, it will prompt the user to enter the pass-phrase on console. You can't provide Apache with the password for the cert via config file, AFAIK. This can bring you into a dead-end situation on reboots. In case you don't have physical access to the server, and reboot after installing the cert with passphrase, Apache will usually start before SSHd and idle there, stopping the boot process, shutting you out completely without SSH access.
So either

A) make Apache not start up on system boot (described here) (at least until the apache devs add a timeout or so), or
B) remove the passphrase from the SSL cert - less secure

Leave a Reply