Question

I have an Apache 2 installation on Debian with mod_ssl installed. The server private key is protected by a passphrase that needs to be entered on start-up. The error and access logs are subject to logrotate on a weekly basis. I find that Apache crashes with a passphrase-related error shortly after logrotate runs.

I understand that logrotate fires a SIGHUP to Apache after archiving logs and I suspect this is causing a reload and subsequent failure getting the passphrase for the server key.

Well, enough with my theories, here is the question:

Is there a "best practice" way in which to configure Apache to allow its SSL server keys to be protected by a passphrase (without storing that passphrase in a file somewhere) so that it won't crash when logrotate runs?

It is fine to require user input on server startup, but not restart or reload.


Solution

One option is to use Apache's provided log rotation tool. It's configured a bit differently from the system logrotate, but as it works with pipes, it can move files around without an Apache restart.
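As an added example (not part of the original answer), this is what the piped-log approach looks like in an Apache 2 configuration using rotatelogs, the rotation tool that ships with Apache. Apache starts the rotatelogs helper once at boot, when the key passphrase is entered, and the helper rotates the files on its own, so no SIGHUP or reload is ever needed; the paths under /var/log/apache2 and /etc/ssl and the site name are assumptions.

```apache
# Added example, not from the original answer. Assumes Debian's
# /usr/bin/rotatelogs and the /var/log/apache2 and /etc/ssl paths.
# Apache config does not allow trailing comments, so all notes are on
# their own lines.

<VirtualHost *:443>
    # Assumed site name and certificate/key locations.
    ServerName sitename.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sitename.com.crt
    # Passphrase-protected key; the passphrase is asked for only when
    # Apache starts, because nothing below ever triggers a reload.
    SSLCertificateKeyFile /etc/ssl/private/sitename.com.key

    # Error log written through a pipe to rotatelogs.
    # 604800 = rotate every 7 days; -l uses local time instead of UTC
    # for the strftime pattern in the file name.
    ErrorLog  "|/usr/bin/rotatelogs -l /var/log/apache2/sitename.com-error.%Y-%m-%d.log 604800"

    # Access log rotated daily (86400 seconds), same mechanism.
    CustomLog "|/usr/bin/rotatelogs -l /var/log/apache2/sitename.com-access.%Y-%m-%d.log 86400" combined
</VirtualHost>
```

Once these files are handled by rotatelogs, take them out of the system logrotate configuration (on Debian, assumed to be /etc/logrotate.d/apache2), since the reload it performs after rotating is what the question identifies as the trigger for the passphrase failure.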

OTHER TIPS

You could use Cronolog, which does not require a SIGHUP. Here's an example:

CustomLog "| /usr/sbin/cronolog /pathtologs/%Y_%m/sitename.com-%Y%m%d.log" combined

You can also turn off the passphrase by using the following command:

openssl rsa -in example.tld.key -out example.tld.key
Licensed under: CC-BY-SA with attribution