3

I have an Apache 2 installation on Debian with mod_ssl installed. The server private key is protected by a passphrase that needs to be entered on start-up. The error and access logs are subject to logrotate on a weekly basis. I find that Apache crashes with a passphrase-related error shortly after logrotate runs.

I understand that logrotate fires a SIGHUP to Apache after archiving logs and I suspect this is causing a reload and subsequent failure getting the passphrase for the server key.

Well, enough with my theories, here is the question:

Is there a "best practice" way in which to configure Apache to allow its SSL server keys to be protected by a passphrase (without storing that passphrase in a file somewhere) so that it won't crash when logrotate runs?

It is fine to require user input on server startup, but not restart or reload.

Mike Tunnicliffe (10,674 rep, badges 3/31/46)

3 Answers

2

You can also turn off the passphrase by using the following command:

openssl rsa -in example.tld.key -out example.tld.key

Derek P. (1,569 rep, badges 10/19)
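Added example, not part of Derek P.'s answer: once the passphrase has been stripped the private key sits on disk in the clear, so the file mode is the only thing left protecting it. The two checks below read the PEM headers and the permission bits, need no openssl binary, and give an operator a one-word verdict; the fixture files are constructed here (no real key material) and all paths are hypothetical.

```shell
# Added example, not from the answer above: verify that a key file is either
# still encrypted (Apache will prompt at startup) or, if stored in the clear,
# readable only by its owner.

# 0 if the PEM carries an encryption marker (traditional "Proc-Type" header or
# a PKCS#8 "ENCRYPTED PRIVATE KEY" block), 1 if the key is stored in the clear.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# 0 if group or others can read the file. POSIX find's "-perm -mode" matches
# when every bit in mode is set, so the two read bits are tested separately.
key_is_group_or_world_readable() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# One-word verdict an operator can act on.
audit_key() {
    if key_is_encrypted "$1"; then
        echo encrypted            # passphrase still required at startup
    elif key_is_group_or_world_readable "$1"; then
        echo plaintext-exposed    # fix with: chmod 600 "$1"; chown root:root "$1"
    else
        echo plaintext-ok         # no prompt, but only the owner can read it
    fi
}

# Constructed fixtures (placeholder bodies, no real key material) so the
# script runs stand-alone; prints the directory it created.
make_fixtures() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,PLACEHOLDER' '' 'PLACEHOLDER-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.key"
    cp "$dir/plain.key" "$dir/exposed.key"
    chmod 600 "$dir/encrypted.key" "$dir/plain.key"
    chmod 644 "$dir/exposed.key"
    echo "$dir"
}

fixtures=$(make_fixtures)
for k in encrypted plain exposed; do
    printf '%s: %s\n' "$k.key" "$(audit_key "$fixtures/$k.key")"
done
```

Run `audit_key /etc/apache2/ssl/example.tld.key` (hypothetical path) right after the openssl command from the answer; anything other than `plaintext-ok` at that point means either the command did not take effect or the key is readable by more than its owner.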
2

You could use Cronolog, which does not require a SIGHUP. Here's an example:

CustomLog "| /usr/sbin/cronolog /pathtologs/%Y_%m/sitename.com-%Y%m%d.log" combined

Andrew Cholakian (4,392 rep, badges 3/26/27)
1

One option is to use Apache's provided log rotation tool. It's configured a bit differently than the system logrotate, but as it works with pipes, it can move files around without an Apache restart.

Yann Ramin (32,895 rep, badges 3/59/82)
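Added example serving both the Cronolog answer and the rotatelogs answer above; it is not cronolog's, rotatelogs' or Apache's own code. Apache writes every log line over a pipe to a writer process, and that process decides which file to append to, so moving on to a new file never needs a SIGHUP or a restart of Apache, and the passphrase prompt is never triggered by rotation. This minimal writer picks the file from the request day embedded in each combined-format line, which also makes the result reproducible on the constructed sample below. The script path in the CustomLog line and the log directory are hypothetical.

```shell
# Added example, not cronolog's or rotatelogs' code: a minimal pipe writer
# that shows why piped logging needs no SIGHUP.
#
# Usage inside Apache (hypothetical script path):
#   CustomLog "|/usr/local/bin/pipe_rotate.sh /var/log/apache2" combined

# Read combined-format lines on stdin and append each to a per-day file.
pipe_rotate() {
    outdir=$1
    mkdir -p "$outdir"
    while IFS= read -r line; do
        # 4th whitespace-separated field looks like "[10/Oct/2000:13:55:36"
        stamp=$(printf '%s\n' "$line" | awk '{print $4}')
        day=${stamp#\[}                          # drop the leading bracket
        day=${day%%:*}                           # keep "10/Oct/2000"
        day=$(printf '%s' "$day" | tr '/' '-')   # "10-Oct-2000" is filename-safe
        [ -n "$day" ] || day=unparsed            # never lose a line we cannot parse
        printf '%s\n' "$line" >> "$outdir/access-$day.log"
    done
}

# Line count of one output file, trimmed for comparison.
lines_in() { wc -l < "$1" | tr -d ' '; }

# Constructed sample traffic: two requests on 10 Oct, one just after midnight.
SAMPLE_LOG='127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "curl/7.0"
127.0.0.1 - - [10/Oct/2000:23:59:59 -0700] "GET /a HTTP/1.0" 200 10 "-" "curl/7.0"
127.0.0.1 - - [11/Oct/2000:00:00:01 -0700] "GET /b HTTP/1.0" 404 0 "-" "curl/7.0"'

demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" | pipe_rotate "$demo"
ls "$demo"    # access-10-Oct-2000.log  access-11-Oct-2000.log
```

With a writer like this in place, logrotate only needs to delete or compress old files; its postrotate step must not send Apache a SIGHUP, which is exactly the signal the question identifies as the trigger for the passphrase failure.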