13

I have an apache server running that required a minor configuration update. I want to force Apache to reload the config (e.g. via /etc/init.d/httpd reload or apachectl graceful), but I do not possess our SSL cert passwords. The admin who has the passwords is not available right now.

If I gracefully reload the apache config, will the SSL certificates need the password again? Or does that only happen during a full restart of the server?

Colin K

3 Answers

21

No. SSL certificates are only reloaded on a full restart, not a graceful one.

This means you won't need to re-enter the password on a reload/graceful, and also means that changes to the certificates/new certificates/etc require a full restart to take effect.

Shane Madden
    I don't know if anything has changed, but at least on httpd 2.4.20, `apachectl graceful` as well as SIGHUP do cause a reload of SSL certificates. – rustyx Aug 09 '16 at 11:35
  • 1
    A graceful restart is not the same as a reload. The former just waits for all child processes to exit gracefully before restarting. – Dennis Feb 12 '17 at 21:33
  • 2
    @Dennis They are the same; "/etc/init.d/apache2 reload" runs "apachectl -k graceful". – Nicolás Mar 11 '18 at 01:23
15

Because there is a bit of confusion about full restart and graceful restart I must say that

apachectl restart

Fully restarts the server but that is not gracefully done. This means that current connections are aborted.

What you want to achieve can be done gracefully with:

apachectl graceful

Which does a full apache restart, but the active connections are not aborted. It does not accept new connections until the current ones finish processing and restarts after that.

Both methods reload the certificates.

In conclusion, both restart and graceful do a full apache restart, but graceful does not abort connections, waits for them to be closed, then it restarts.

  • 2
    And to answer the question, it seems that `apachectl graceful` does reload the certificates – at least it did in my case (though my certificates are not password-protected). – Lucas Werkmeister Jul 12 '18 at 10:41
  • *It does not accept new connections until the current ones finish processing and restarts after that.* This is wrong, according to the docs. Only the old workers do not accept new connections, but the new workers replace the old ones one by one, as the old ones die. https://httpd.apache.org/docs/2.2/stopping.html – Palec Feb 07 '22 at 02:36
1

Make sure you actually changed something.

Find the location of the certificate in your webserver-config. Mine is here: /etc/apache2/sites-enabled/ssl.conf

It looks like this on my box:

SSLCertificateFile      /etc/ssl/certs/example.de.pem

Inspect the certificate with openssl x509 -text -in /etc/ssl/certs/example.de.pem and check if that is actually the certificate that you want.

I had to swap the cert because it would become invalid soon and I replaced the old cert with a copy of the same old cert. That would obviously not change anything and I ended up here.

Chris
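As an added example (not from any of the answers above), the following script ties the two checks together: it reads the SSLCertificateFile path from an Apache config, fingerprints that file with openssl, and compares it with the certificate the running server actually presents, so you can tell whether a graceful reload picked up a new certificate. The config path, hostname and port are placeholders you supply; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumes openssl is
# installed; config path, host and port are supplied by the caller.

# First SSLCertificateFile path in an Apache config (commented lines ignored,
# surrounding quotes stripped).
configured_cert_path() {
    sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr -d '"'
}

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate file.
cert_file_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Expiry timestamp of a PEM certificate file, as printed by openssl.
cert_file_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# SHA-256 fingerprint of the certificate a live TLS server presents.
served_cert_fingerprint() {
    host=$1; port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: check_reload /etc/apache2/sites-enabled/ssl.conf example.de 443
# Returns 0 when the served certificate matches the one on disk, 1 otherwise.
check_reload() {
    conf=$1; host=$2; port=${3:-443}
    path=$(configured_cert_path "$conf")
    on_disk=$(cert_file_fingerprint "$path")
    served=$(served_cert_fingerprint "$host" "$port")
    echo "configured: $path (expires $(cert_file_not_after "$path"))"
    echo "on disk:    $on_disk"
    echo "served:     $served"
    if [ "$on_disk" = "$served" ]; then
        echo "OK: running Apache serves the certificate on disk"
        return 0
    fi
    echo "MISMATCH: Apache has not picked up the certificate on disk"
    return 1
}

if [ $# -ge 2 ]; then
    check_reload "$@"
fi
```

A mismatch after `apachectl graceful` means the reload did not take effect (or, as in Chris's answer, the file on disk was never actually changed).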