Bug 707917

Summary: please hook up SSL certificate password query with systemd by default
Product: Fedora
Component: httpd
Version: 15
Reporter: Tom Hughes <tom>
Assignee: Jan Kaluža <jkaluza>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: httpd-2.2.21-1.fc15
Doc Type: Bug Fix
Last Closed: 2011-09-16 01:58:20 UTC
Bug Depends On: 729549
CC: harald, jkaluza, johannbg, jorton, lpoetter, metherid, mschmidt, notting, pahan, plautrba, plgs

Description Tom Hughes 2011-05-26 10:30:14 UTC
Description of problem:

Services (such as apache when using an SSL key with a password) that prompt for input during startup cannot be started using systemd.

Version-Release number of selected component (if applicable):


How reproducible:

Every time.

Steps to Reproduce:
1. Configure apache with an SSL key that needs a password
2. Run "systemctl start httpd.service"
3. Watch it fail

Actual results:

centurion [~] % sudo systemctl start httpd.service
Job failed. See system logs and 'systemctl status' for details.

Expected results:

Something more like you get if you bypass systemd, namely:

centurion [~] % sudo SYSTEMCTL_SKIP_REDIRECT=yes service httpd start
Starting httpd: Apache/2.2.17 mod_ssl/2.2.17 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Comment 1 Michal Schmidt 2011-05-26 15:31:44 UTC
systemd provides a mechanism for giving passwords:

In an ideal world httpd would be able to use it.

You can try configuring mod_ssl to use an external passphrase dialog:
SSLPassPhraseDialog exec:/usr/local/bin/httpd-ask-password

where /usr/local/bin/httpd-ask-password is just a wrapper for systemd-ask-password:

#!/bin/sh
exec systemd-ask-password "httpd passphrase for $1 ($2):"

I have not tried it, I'm just assuming this should work based on the mod_ssl documentation I found.

Comment 2 Lennart Poettering 2011-05-26 15:40:59 UTC
One of the features of systemd is that the environment a service is executed in is completely detached from the user session, which includes having no access to the user's TTY.

systemd actually provides an interface to query system passwords (i.e. encrypted disk passphrases, SSL certificate passphrases), which is not used by Apache yet. However, adding that should be reasonably easy. Apache supports the SSLPassPhraseDialog directive which could be used to prompt for the password with the systemd-ask-password tool. A script like the following should probably work:

#!/bin/sh
while read a ; do
    systemd-ask-password "$a"
done

And then in the apache config file:

SSLPassPhraseDialog |/path/to/this/script

We should probably ship this by default in apache, but I haven't tested this yet, so we'd need more feedback on this first.

Comment 3 Tom Hughes 2011-05-26 19:49:13 UTC
The solution using the pipe syntax is a non-starter I think. Trying to do it, at least in shell, is really nasty as the prompts are multiline so you have to loop reading lines until you get a timeout (it may ask for multiple passwords so you won't get an EOF until after the last password is done) and then join the lines together.

The major problem however is that systemd-ask-password blows up if you give it a multiline prompt with newlines in.

The other solution, using the exec syntax and creating our own prompt, does work however. I am using this:

#!/bin/sh
exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2) : "

and it works fine and I got something like this:

bristol [~] % sudo systemctl start httpd.service
Enter SSL pass phrase for bristol.example.com:443 (RSA) : ********
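A fuller version of the exec: wrapper shown in this comment, added here as an example (it is not the script later shipped in Fedora's httpd package): it builds the same prompt, strips newlines and other control characters from the two arguments mod_ssl passes so that systemd-ask-password is never handed a multiline prompt, and falls back to the controlling terminal when run outside systemd. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not Fedora's /usr/libexec/httpd-ssl-pass-dialog.
# mod_ssl runs an "exec:" dialog as:  <script> servername:port RSA|DSA
# and reads the pass phrase from the script's stdout.
# Function names (sanitize_prompt_arg, build_prompt, ask_passphrase) are assumed.

# systemd-ask-password fails on prompts containing newlines (comment 3), so
# replace every non-printable byte (newline, CR, escape sequences) with a space
# before embedding config-derived text in the prompt. Under the C locale this
# also blanks non-ASCII bytes, which is acceptable for a prompt.
sanitize_prompt_arg() {
    printf '%s' "$1" | tr -c '[:print:]' ' '
}

# Same wording as the prompt used above, built from the sanitized arguments.
build_prompt() {
    server=$(sanitize_prompt_arg "$1")
    keytype=$(sanitize_prompt_arg "$2")
    printf 'Enter SSL pass phrase for %s (%s) : ' "$server" "$keytype"
}

# Prefer systemd's password agent; if it is not installed (or httpd was
# started with SYSTEMCTL_SKIP_REDIRECT=yes service httpd start), read the
# pass phrase from /dev/tty with echo disabled and print it on stdout.
ask_passphrase() {
    prompt=$(build_prompt "$1" "$2")
    if command -v systemd-ask-password >/dev/null 2>&1; then
        exec systemd-ask-password "$prompt"
    fi
    printf '%s' "$prompt" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pass < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    printf '%s\n' "$pass"
}

# Only act when invoked the way mod_ssl invokes an exec: dialog (two args).
if [ "$#" -eq 2 ]; then
    ask_passphrase "$1" "$2"
fi
```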

Comment 4 Tom Hughes 2011-05-26 20:46:58 UTC
One additional problem is that if selinux is enabled then the invocation of systemd-ask-password fails with a stack of AVCs being issued.

Comment 5 Lennart Poettering 2011-05-26 23:26:21 UTC
OK, I will now reassign this to Apache, so that we can get the shell script from #3 included in F16.

Apache folks, could you please consider shipping the shell script from comment #6 by default and SSLPassPhraseDialog set by default to it?

Comment 6 Jan Kaluža 2011-08-08 13:57:13 UTC
Just to be sure, you mean the shell script with exec from Comment #3, right? I'm going to test that one.

Comment 7 Jan Kaluža 2011-08-10 06:50:36 UTC
I've committed it to rawhide and filed Bug #729549 to add this to selinux policy.

Comment 8 Fedora Update System 2011-09-13 14:01:05 UTC
httpd-2.2.21-1.fc15 has been submitted as an update for Fedora 15.

Comment 9 Jan Kaluža 2011-09-14 08:14:23 UTC
It should be also fixed in F16: https://admin.fedoraproject.org/updates/httpd-2.2.21-1.fc16

In F16, the fix is enabled, because selinux-policy has been updated there already.
In F15, the script is there, but it's not enabled in /etc/httpd/conf.d/ssl.conf by default, because selinux-policy in F15 does not contain needed change.

You can enable the script in F15 by adding this into ssl.conf:

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

Comment 10 Fedora Update System 2011-09-14 22:37:23 UTC
Package httpd-2.2.21-1.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing httpd-2.2.21-1.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-09-16 01:58:04 UTC
httpd-2.2.21-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Patrick Sefton 2012-01-04 11:50:27 UTC
*** Bug 771572 has been marked as a duplicate of this bug. ***

Comment 13 Patrick Sefton 2012-01-04 12:03:30 UTC
This bug is still present for me with:
httpd-2.2.21-1.fc15 (x86_64)
systemd-26.13.fc15 (x86_64)

(fixed for me by adding
SSLPassPhraseDialog exec:/usr/local/bin/httpd-ask-password
to /etc/httpd/conf.d/ssl.conf as noted in comment #1 above and following SELinux permissions / local policy changes as suggested by SELinux Alert Browser)