How to Avoid PassPhrase Dialog

If you set a passphrase when creating the private key for your SSL configuration, you have to enter it every time the httpd service is restarted.

[root@test ~]# systemctl restart httpd
Enter SSL pass phrase for www.example.com:443 (RSA) : ********

This is annoying while configuring and testing a web server. Worse, nobody is there to type the passphrase when a reboot is scheduled from a cron job, so httpd does not come back up.

There are two ways to stop the passphrase prompt.

Method 1: Removing PassPhrase from Private Key

Use OpenSSL to write a copy of the private key without the passphrase.

[root@test ~]# openssl rsa -in /etc/pki/tls/private/www.example.com.key -out /etc/pki/tls/private/www.example.com.key-no-passphrase
Enter pass phrase for /etc/pki/tls/private/www.example.com.key:
writing RSA key

The output file is the same private key, stored unencrypted.

Then point httpd at the unencrypted key instead of the original.

[root@test ~]# vi /etc/httpd/conf/httpd.conf
...
#SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key-no-passphrase

Now you can restart httpd without being prompted for the passphrase.

Note that an unencrypted private key is protected only by its file permissions: anyone who can read the file has the key. Keep it owned by root with mode 0600, and do not copy it anywhere else. This is acceptable during the testing phase, and you can switch back to the encrypted key afterwards.

Method 2: Provide PassPhrase in Advance

For this method you create a small script that prints the passphrase on standard output; httpd runs it instead of prompting.

[root@test ~]# vi /etc/httpd/passphrase
#!/bin/sh
echo "Your_Passphrase_Goes_Here"

Please note that, inside double quotes, a dollar sign ($), a backtick (`), a double quote (") or a backslash (\) in the passphrase must be escaped with a backslash, otherwise the shell expands it and httpd gets the wrong passphrase and fails to start. A semicolon (;) is harmless inside quotes. The simplest option is to put the passphrase in single quotes, where only a single quote itself needs special handling (write it as '\'').

Then make it executable. Since the file holds the passphrase in clear text, make it readable only by root (httpd runs the dialog program as root at startup):

[root@test ~]# chmod 700 /etc/httpd/passphrase

Go back to the SSL configuration file and point SSLPassPhraseDialog (around line 18) at the new script instead of the default dialog program.

[root@test ~]# vi /etc/httpd/conf.d/ssl.conf -c "se nu"
...
     18 #SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
     19 SSLPassPhraseDialog exec:/etc/httpd/passphrase

Restart httpd and it starts without prompting. Keep in mind that this is no more secure than Method 1: the passphrase sits in clear text on the same host, so the protection rests entirely on the ownership and permissions of the script and the key file.
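Both methods as shell functions, an added example that is not part of the original post: `strip_passphrase` does Method 1 with the passphrase read from stdin rather than the command line, and `write_dialog_script` does Method 2 with the passphrase single-quoted so that only a single quote needs escaping; both create their output with restrictive permissions. The function names, the temporary paths and the `www.example.com:443 RSA` arguments are placeholders; mod_ssl passes the server name with port and the key type to the dialog program as its two arguments.

```shell
#!/bin/sh
# Added example (not from the original post): the two methods as shell
# functions, with the file-permission handling a plaintext key or passphrase
# needs. Paths, names and passphrases below are placeholders.

# Return 0 if a PEM private key is passphrase-protected, in either the PKCS#8
# ("ENCRYPTED PRIVATE KEY") or the traditional ("Proc-Type: 4,ENCRYPTED") form.
key_is_encrypted() {
    grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Method 1: write an unencrypted copy of an encrypted RSA key.
#   $1 = encrypted key, $2 = passphrase, $3 = output path
# The passphrase is fed on stdin (-passin stdin) so it does not show up in the
# process list as "-passin pass:..." would, and umask 077 makes the output
# file 0600 from the moment openssl creates it rather than after a later chmod.
strip_passphrase() {
    sp_in=$1
    sp_pass=$2
    sp_out=$3
    printf '%s\n' "$sp_pass" |
        (umask 077 && openssl rsa -in "$sp_in" -passin stdin -out "$sp_out") || return 1
    chmod 600 "$sp_out"
    if key_is_encrypted "$sp_out"; then
        echo "error: $sp_out is still encrypted" >&2
        return 1
    fi
}

# Escape a string for use inside single quotes in sh: each ' becomes '\''.
sq_escape() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g"
}

# Method 2: generate the SSLPassPhraseDialog helper.
#   $1 = script path, $2 = passphrase
# mod_ssl runs the program with "servername:port" and the key type (RSA, DSA,
# ECC) as its two arguments and reads the passphrase from its stdout. Inside
# single quotes $, ;, backticks and backslashes are literal, so only ' needs
# escaping, and printf '%s\n' avoids echo's treatment of "-n" or backslashes.
# The file is created 0600 and then made 0700: it holds the passphrase in
# clear text, so nobody but root may read it.
write_dialog_script() {
    wd_script=$1
    wd_escaped=$(sq_escape "$2")
    (umask 077 && printf '%s\n' \
        '#!/bin/sh' \
        '# $1 = servername:port, $2 = key type (RSA/DSA/ECC), both set by mod_ssl' \
        "printf '%s\\n' '$wd_escaped'" > "$wd_script") || return 1
    chmod 700 "$wd_script"
}

# Run the helper the way mod_ssl would and compare its output with the
# expected passphrase; returns non-zero if they differ.
check_dialog_script() {
    [ "$(sh "$1" www.example.com:443 RSA)" = "$2" ]
}

# Usage (as root, with real paths):
#   strip_passphrase /etc/pki/tls/private/www.example.com.key "$PASS" \
#       /etc/pki/tls/private/www.example.com.key-no-passphrase
#   write_dialog_script /etc/httpd/passphrase "$PASS"
#   check_dialog_script /etc/httpd/passphrase "$PASS" && echo "dialog script OK"
```

Run `check_dialog_script` before restarting httpd: a badly quoted passphrase otherwise shows up only as a failed start. After the script is in place, point `SSLPassPhraseDialog exec:/etc/httpd/passphrase` at it as in the ssl.conf edit above.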
