I have an Apache 2 installation on Debian with mod_ssl installed. The server private key is protected by a passphase that needs to be entered on start-up. The error and access logs are subject to logrotate on a weekly basis. I find that Apache crashes with a passphrase-related error shortly after logrotate runs.
I understand that logrotate fires a SIGHUP to Apache after archiving logs and I suspect this is causing a reload and subsequent failure getting the passphrase for the server key.
Well, enough with my theories, here is the question:
Is there a "best practice" way in which to configure Apache to allow its SSL server keys to be protected by a passphrase (without storing that passphrase in a file somewhere) so that it won't crash when logrotate runs?
It is fine to require user input on server startup, but not restart or reload.
-
One option is to use Apache's provided log rotation tool. Its configured a bit differently than the system logrotate, but as it works with pipes, can move files around without an Apache restart.
From Yann Ramin -
You could use Cronolog, which does not require a sighup. Here's an example:
CustomLog "| /usr/sbin/cronolog /pathtologs/%Y_%m/sitename.com-%Y%m%d.log" combinedFrom Andrew Cholakian -
you can also turn off the passphrase by using the following command:
openssl rsa -in example.tld.key -out example.tld.keyFrom Derek P.
0 comments:
Post a Comment