This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 707917 - please hook up SSL certificate password query with systemd by default
please hook up SSL certificate password query with systemd by default
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
15
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jan Kaluža
Fedora Extras Quality Assurance
:
: 771572 (view as bug list)
Depends On: 729549
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-26 06:30 EDT by Tom Hughes
Modified: 2015-06-15 02:20 EDT (History)
11 users (show)

See Also:
Fixed In Version: httpd-2.2.21-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-15 21:58:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tom Hughes 2011-05-26 06:30:14 EDT
Description of problem:

Services (such as apache when using an SSL key with a password) that prompt for input during startup cannot be started using systemd.

Version-Release number of selected component (if applicable):

systemd-26-1.fc15.i686

How reproducible:

Every time.

Steps to Reproduce:
1. Configure apache with an SSL key that needs a password
2. Run "systemctl start httpd.service"
3. Watch it fail
  
Actual results:

centurion [~] % sudo systemctl start httpd.service
Job failed. See system logs and 'systemctl status' for details.

Expected results:

Something more like you get if you bypass systemd, namely:

centurion [~] % sudo SYSTEMCTL_SKIP_REDIRECT=yes service httpd start
Starting httpd: Apache/2.2.17 mod_ssl/2.2.17 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
Comment 1 Michal Schmidt 2011-05-26 11:31:44 EDT
systemd provides a mechanism for giving passwords:
http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents

In an ideal world httpd would be able to use it.

You can try configuring mod_ssl to use an external passphrase dialog:
SSLPassPhraseDialog exec:/usr/local/bin/httpd-ask-password

where /usr/local/bin/httpd-ask-password is just a wrapper for systemd-ask-password:

#!/bin/sh
exec systemd-ask-password "httpd passphrase for $1 ($2):"

I have not tried it, I'm just assuming this should work based on the mod_ssl documentation I found.
Comment 2 Lennart Poettering 2011-05-26 11:40:59 EDT
One of the features of systemd is that the environment a service is executed in is completely detached from the user session, that includes it has no access on the users TTY.

systemd actually provides an interface to query system passwords (i.e. encrypted disk passphrases, SSL certificate passphrases), which is not used by Apache yet. however, adding that should be reasonably easy. Apache supports the SSLPassPhraseDialog directive which could be used to prompt for the password with the systemd-ask-password tool. A script like the following should probably work:

<snip>
#!/bin/sh
while read a ; do
    systemd-ask-password "$a"
done
</snip>

And then in the apache config file:

SSLPassPhraseDialog |/path/to/this/script

We should probably ship this by default in apache, but I haven't tested this yet, so we'd need more feedback on this first.
Comment 3 Tom Hughes 2011-05-26 15:49:13 EDT
The solution using the pipe syntax is a non-starter I think. Trying to do it, at least in shell, is really nasty as the prompts are multiline so you have to loop reading lines until you get a timeout (it may ask for multiple passwords so you won't get an EOF until after the last password is done) and then join the lines together.

The major problem however is that systemd-ask-password blows up if you give it a multiline prompt with newlines in.

The other solution, using the exec syntax and creating our own prompt, does work however. I am using this:

<snip>
#!/bin/sh

exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2) : "
</snip>

and it works fine and I got something like this:

bristol [~] % sudo systemctl start httpd.service
Enter SSL pass phrase for bristol.example.com:443 (RSA) : ********
Comment 4 Tom Hughes 2011-05-26 16:46:58 EDT
One additional problem is that if selinux is enabled then the invocation of systemd-ask-password fails with a stack of AVCs being issued.
Comment 5 Lennart Poettering 2011-05-26 19:26:21 EDT
OK, I will now reassign this to Apache, so that we can get included the shell script from #3 in F16.

Apache folks, could you please consider shipping the shell script from comment #6 by default and SSLPassPhraseDialog set by default to it?
Comment 6 Jan Kaluža 2011-08-08 09:57:13 EDT
Just be sure, you mean shell script with exec from Comment #3, right? I'm going to test that one.
Comment 7 Jan Kaluža 2011-08-10 02:50:36 EDT
I've committed it to rawhide and filled Bug #729549 to add this to selinux policy.
Comment 8 Fedora Update System 2011-09-13 10:01:05 EDT
httpd-2.2.21-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/httpd-2.2.21-1.fc15
Comment 9 Jan Kaluža 2011-09-14 04:14:23 EDT
It should be also fixed in F16: https://admin.fedoraproject.org/updates/httpd-2.2.21-1.fc16

In F16, the fix is enabled, because selinux-policy has been updated there already.
In F15, the script is there, but it's not enabled in /etc/httpd/conf.d/ssl.conf by default, because selinux-policy in F15 does not contain needed change.

You can enable the script in in F15 by adding this into ssl.conf:

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
Comment 10 Fedora Update System 2011-09-14 18:37:23 EDT
Package httpd-2.2.21-1.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing httpd-2.2.21-1.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/httpd-2.2.21-1.fc15
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2011-09-15 21:58:04 EDT
httpd-2.2.21-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Patrick Sefton 2012-01-04 06:50:27 EST
*** Bug 771572 has been marked as a duplicate of this bug. ***
Comment 13 Patrick Sefton 2012-01-04 07:03:30 EST
This bug still present for me with:
httpd-2.2.21-1.fc15 (x86_64)
systemd-26.13.fc15 (x86_64)

(fixed for me by adding
SSLPassPhraseDialog exec:/usr/local/bin/httpd-ask-password
to /etc/httpd/conf.d/ssl.conf as noted in comment #1 above and following SELinux permissions / local policy changes as suggested by SELinux Alert Browser)

Note You need to log in before you can comment on or make changes to this bug.