Red Hat Bugzilla – Bug 707917
please hook up SSL certificate password query with systemd by default
Last modified: 2015-06-15 02:20:00 EDT
Description of problem:
Services (such as apache when using an SSL key with a password) that prompt for input during startup cannot be started using systemd.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure apache with an SSL key that needs a password
2. Run "systemctl start httpd.service"
3. Watch it fail
centurion [~] % sudo systemctl start httpd.service
Job failed. See system logs and 'systemctl status' for details.
Something more like you get if you bypass systemd, namely:
centurion [~] % sudo SYSTEMCTL_SKIP_REDIRECT=yes service httpd start
Starting httpd: Apache/2.2.17 mod_ssl/2.2.17 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
systemd provides a mechanism for giving passwords:
In an ideal world httpd would be able to use it.
You can try configuring mod_ssl to use an external passphrase dialog:
where /usr/local/bin/httpd-ask-password is just a wrapper for systemd-ask-password:
exec systemd-ask-password "httpd passphrase for $1 ($2):"
I have not tried it, I'm just assuming this should work based on the mod_ssl documentation I found.
One of the features of systemd is that the environment a service is executed in is completely detached from the user session; that includes that it has no access to the user's TTY.
systemd actually provides an interface to query system passwords (i.e. encrypted disk passphrases, SSL certificate passphrases), which is not used by Apache yet. However, adding that should be reasonably easy. Apache supports the SSLPassPhraseDialog directive, which could be used to prompt for the password with the systemd-ask-password tool. A script like the following should probably work:
while read a ; do
And then in the apache config file:
We should probably ship this by default in apache, but I haven't tested this yet, so we'd need more feedback on this first.
The solution using the pipe syntax is a non-starter I think. Trying to do it, at least in shell, is really nasty as the prompts are multiline so you have to loop reading lines until you get a timeout (it may ask for multiple passwords so you won't get an EOF until after the last password is done) and then join the lines together.
The major problem however is that systemd-ask-password blows up if you give it a multiline prompt with newlines in.
The other solution, using the exec syntax and creating our own prompt, does work however. I am using this:
exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2) : "
and it works fine and I got something like this:
bristol [~] % sudo systemctl start httpd.service
Enter SSL pass phrase for bristol.example.com:443 (RSA) : ********
One additional problem is that if selinux is enabled then the invocation of systemd-ask-password fails with a stack of AVCs being issued.
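As an added example, not the one-line script from the comments above and not the file shipped in the Fedora package: a fuller exec-style wrapper for SSLPassPhraseDialog that also folds newlines out of the prompt, since systemd-ask-password fails on multiline prompts, and exits non-zero instead of handing httpd an empty pass phrase. The path /usr/local/bin/httpd-ask-password and the HTTPD_ASKPASS_BIN override are assumptions.

```shell
#!/bin/sh
# Added example wrapper for:
#   SSLPassPhraseDialog exec:/usr/local/bin/httpd-ask-password
# mod_ssl invokes it with $1 = "servername:port" and $2 = key type (e.g. RSA)
# and reads the pass phrase from stdout.

# Location of the askpass tool; the override variable is an assumption
# used so the wrapper can be exercised without systemd.
ASKPASS="${HTTPD_ASKPASS_BIN:-/usr/bin/systemd-ask-password}"

# Build a single-line prompt. systemd-ask-password rejects prompts that
# contain newlines, so any CR/LF in the arguments is folded into a space.
build_prompt() {
    printf 'Enter SSL pass phrase for %s (%s) : ' "$1" "$2" | tr '\n\r' '  '
}

# Ask for the pass phrase and print it on stdout. Fails (non-zero exit)
# if the tool fails or returns nothing, so httpd logs an error rather
# than silently trying an empty pass phrase.
ask_pass() {
    [ $# -ge 2 ] || { echo "usage: $0 servername:port keytype" >&2; return 2; }
    prompt=$(build_prompt "$1" "$2")
    pass=$("$ASKPASS" "$prompt") || return 1
    [ -n "$pass" ] || return 1
    printf '%s\n' "$pass"
}

# Only act when called by mod_ssl with its two arguments.
if [ $# -ge 2 ]; then
    ask_pass "$@"
fi
```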
OK, I will now reassign this to Apache, so that we can get the shell script from #3 included in F16.
Apache folks, could you please consider shipping the shell script from comment #6 by default and setting SSLPassPhraseDialog to it by default?
Just to be sure, you mean the shell script with exec from Comment #3, right? I'm going to test that one.
I've committed it to rawhide and filed Bug #729549 to add this to selinux policy.
httpd-2.2.21-1.fc15 has been submitted as an update for Fedora 15.
It should be also fixed in F16: https://admin.fedoraproject.org/updates/httpd-2.2.21-1.fc16
In F16, the fix is enabled, because selinux-policy has been updated there already.
In F15, the script is there, but it's not enabled in /etc/httpd/conf.d/ssl.conf by default, because selinux-policy in F15 does not contain the needed change.
You can enable the script in F15 by adding this into ssl.conf:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing httpd-2.2.21-1.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
httpd-2.2.21-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 771572 has been marked as a duplicate of this bug. ***
This bug is still present for me with:
(fixed for me by adding
to /etc/httpd/conf.d/ssl.conf as noted in comment #1 above and following SELinux permissions / local policy changes as suggested by SELinux Alert Browser)