Remove SSL certificate passphrase

A lot of people ask how to remove the passphrase requirement from a private key so that Apache can be (re)started without someone having to type the key's passphrase.

Security warning

Once the passphrase is gone, anyone who can read the key file can copy the private key and use it elsewhere to impersonate your server, so the risk of abuse goes up. If you must remove the passphrase, protect the file: keep it outside any web-served directory, owned by root, with permissions that allow access only to those who need it (mode 0600), and if the host is ever compromised treat the key as stolen and reissue the certificate.

With that warning in mind, there are two options:

1) httpd has a directive you can use, SSLPassPhraseDialog, which runs a program that supplies the passphrase at startup. The key stays encrypted on disk, but the passphrase now sits in clear text inside that program, so the program needs the same protection as an unencrypted key.
2) You can use OpenSSL to remove the passphrase from the private key completely.

An example usage of SSLPassPhraseDialog:

SSLPassPhraseDialog exec:/path/to/script

N.B. 'SSLPassPhraseDialog' is only valid in the main server config, outside any <VirtualHost>, <Directory> or <Location> block, and the program is run by the user that starts Apache, normally root.

An example script (plain sh, not perl; anything that prints the passphrase on stdout will do):

#!/bin/sh
# Run by Apache as root at startup, with "servername:port" and the key type as arguments.
echo "put the passphrase here"

After saving the script, make it executable by root only, since it now holds the passphrase in clear text (the file should be owned by root as well):

chmod 700 /path/to/passphrase-script
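A fuller passphrase script, added here as an example rather than taken from the Apache documentation or from the original page: it honours the two arguments mod_ssl passes (servername:port and key type) so one script can serve several certificates, and it refuses to hand out a passphrase whose file has been left readable by group or others. The directory /etc/apache2/ssl-pass and the file naming scheme are assumptions, and GNU stat (Linux) is assumed for the mode check.

```shell
#!/bin/sh
# Added example (not from the original page): a passphrase script for
#   SSLPassPhraseDialog exec:/path/to/script
# mod_ssl runs the script as the user starting Apache (normally root) with two
# arguments, "servername:port" and the key type ("RSA", "DSA" or "ECC"), and
# takes whatever the script prints on stdout as the passphrase.
#
# Passphrases are kept one per file under PASSDIR (assumed location), named
# <servername>_<port>.<keytype>, e.g. www.example.com_443.RSA. The directory
# should be root-owned mode 0700 and each file mode 0600 or 0400.
PASSDIR="${PASSDIR:-/etc/apache2/ssl-pass}"

# passphrase_for SERVERNAME:PORT KEYTYPE
# Prints the matching passphrase; fails if no file exists or if the file is
# readable by group/others, so a loosened permission is noticed rather than
# silently exploited.
passphrase_for() {
    name=$(printf '%s' "$1" | tr ':' '_')
    f="$PASSDIR/$name.$2"
    if [ ! -f "$f" ]; then
        echo "no passphrase file for $1 ($2): $f" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")            # GNU stat assumed (Linux)
    case "$mode" in
        400|600) ;;
        *) echo "refusing $f: mode $mode is not 0400/0600" >&2; return 1 ;;
    esac
    cat "$f"
}

# Dispatch only when Apache calls us with its two arguments.
if [ "$#" -eq 2 ]; then
    passphrase_for "$1" "$2"
fi
```

If the script refuses, Apache fails to start rather than starting with a passphrase that was readable by every local user, which is the behaviour you want from a file that is effectively the private key.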

How to strip a key with OpenSSL

With OpenSSL you can remove the passphrase from the private key completely, so Apache never asks for it at startup. To do this, go to the command line and type

/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key

with the file names and paths appropriate for your environment. OpenSSL prompts once for the passphrase of the original key and writes the new key unencrypted using your current umask, so restrict it immediately (root-owned, mode 0600), then point SSLCertificateKeyFile at the new file and run apachectl configtest before restarting. For an EC key use openssl ec instead of openssl rsa; openssl pkey handles either key type.
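The stripping step with the checks around it, as an added example that is not part of the original page: the new key is written under a restrictive umask and locked to 0600, and the stripped key is compared against the certificate's public key before Apache is pointed at it. KEYPASS is an assumed environment-variable name for non-interactive use; without it OpenSSL prompts as on the page. The file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original page): strip the passphrase from a
# private key without leaving it world-readable, then prove the stripped key
# still belongs to the certificate before pointing Apache at it.

# strip_passphrase ORIGINAL_KEY NEW_KEY
# OpenSSL prompts for the passphrase unless KEYPASS (assumed variable name)
# is exported; env: keeps the secret out of the command line and `ps` output.
# The subshell umask ensures the new file is never created world-readable.
strip_passphrase() {
    (
        umask 077
        if [ -n "${KEYPASS:-}" ]; then
            openssl rsa -in "$1" -passin env:KEYPASS -out "$2"
        else
            openssl rsa -in "$1" -out "$2"
        fi
    ) || return 1
    chmod 600 "$2"
    chown root:root "$2" 2>/dev/null || true   # only possible as root
}

# key_matches_cert KEY CERT
# Derives the public key from the private key and compares it with the one in
# the certificate; both are SubjectPublicKeyInfo PEM, so a plain string
# comparison is enough. Returns 0 on match, 1 on mismatch or unreadable input.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: strip-key.sh ORIGINAL_KEY NEW_KEY CERT
if [ "$#" -eq 3 ]; then
    strip_passphrase "$1" "$2" || exit 1
    if key_matches_cert "$2" "$3"; then
        echo "$2 matches $3; update SSLCertificateKeyFile and run apachectl configtest"
    else
        echo "MISMATCH: $2 does not belong to $3" >&2
        exit 1
    fi
fi
```

The match check is the step most people skip: a key that was stripped from the wrong file, or a stale copy, passes the OpenSSL command just fine and only fails when Apache is restarted, usually at the least convenient moment.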

Perfect Linux Ubuntu (Apache2, PHP, MySQL) Server on AWS EC2

Firstly, change the hostname. Note that with sudo echo ... > /etc/hostname the redirection runs in your own shell, not as root, and fails with a permission error, so pipe through tee instead:

$ echo server1.example.com | sudo tee /etc/hostname
$ sudo service hostname restart

For hostname -f to resolve, the name must also be mapped in /etc/hosts (or in DNS), e.g. a line with the instance's private IP followed by server1.example.com server1. Afterwards, run

$ hostname
$ hostname -f

Both should show server1.example.com now.

Update the apt package database.

$ sudo apt-get update

Install the latest updates (if there are any).

$ sudo apt-get upgrade

If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:

$ sudo reboot

Disable AppArmor. AppArmor is Ubuntu's mandatory access control layer; removing it drops the confinement profiles for services such as MySQL, so only do this if something later in your setup genuinely requires it, otherwise skip this step.

$ sudo service apparmor stop 
$ sudo update-rc.d -f apparmor remove 
$ sudo apt-get remove apparmor apparmor-utils

Check Date and Time.

$ date
Wed Jul 16 22:52:47 EDT 2014

Check the Timezone.

$ cat /etc/timezone
America/New_York

To change the timezone, reconfigure tzdata and restart cron, which keeps using the timezone it was started with:

$ sudo dpkg-reconfigure tzdata
$ sudo service cron restart

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

$ sudo apt-get install ntp ntpdate

and ntpd keeps the system clock in sync from then on.

Run locale to list the locale settings in effect for the current user account (without sudo, or you will see root's environment instead):

$ locale

Then generate the missing locale:

$ sudo locale-gen "en_US" "en_US.UTF-8"

Reconfigure locales so the change takes effect:

$ sudo dpkg-reconfigure locales

For Ubuntu Server 12.04 LTS, add following lines to /etc/environment

LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8

The default settings are stored in the /etc/default/locale file.

$ sudo cat /etc/default/locale
LANG=en_US.UTF-8

This file can either be adjusted manually or updated using the tool, update-locale.

$ sudo update-locale LANG=en_US.UTF-8

Install MySQL.

$ sudo apt-get install mysql-client mysql-server

You will be asked to set the MySQL root password; pick a strong one that is not reused anywhere else:

New password for the MySQL "root" user: <-- yourrootsqlpassword 
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1. Do this only if a client on another host really needs to connect directly: on EC2 it makes port 3306 reachable from wherever the instance's security group allows, so restrict inbound 3306 to the client hosts there, and create MySQL accounts for specific hosts rather than '%'. If only the local Apache/PHP needs the database, leave the line as it is and skip this step.

$ sudo nano /etc/mysql/my.cnf
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1

Then we restart MySQL:

$ sudo service mysql restart

Now check that networking is enabled; the listening socket should show 0.0.0.0:mysql (all interfaces) rather than localhost:mysql. Run

$ sudo netstat -tap | grep mysql
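An added check, not from the original page, that reads the bind-address MySQL will actually use out of a my.cnf-style file and says whether that exposes the server beyond this host, so you can confirm what the edit above did. The my.cnf fragment inside the demo function is constructed for illustration; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original page): work out which bind-address
# MySQL will use from a my.cnf-style file and say whether that exposes the
# server beyond this host. It does not follow !includedir lines, so check
# /etc/mysql/conf.d/ by hand if your file has one.

# effective_bind_address FILE
# Prints the last uncommented bind-address in the [mysqld] section. If there is
# none, prints 0.0.0.0, i.e. all interfaces, which is what MySQL 5.5 does when
# the directive is missing (newer versions spell the same thing "*").
effective_bind_address() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        insec && /^[ \t]*bind-address[ \t]*=/ {
            sub(/^[ \t]*bind-address[ \t]*=[ \t]*/, "")
            sub(/[ \t]*(#.*)?$/, "")            # drop trailing comment/blanks
            addr = $0
        }
        END { print (addr == "" ? "0.0.0.0" : addr) }
    ' "$1"
}

# exposure_verdict ADDRESS
# Loopback is reachable only from this host; anything else is reachable from
# wherever the firewall or EC2 security group lets port 3306 in.
exposure_verdict() {
    case "$1" in
        127.*|::1|localhost) echo "local-only" ;;
        *) echo "network-exposed" ;;
    esac
}

# report FILE -> "ADDRESS (verdict)"
report() {
    addr=$(effective_bind_address "$1")
    echo "$addr ($(exposure_verdict "$addr"))"
}

# demo: a constructed my.cnf fragment (not a real server's file) with the
# bind-address line commented out as the page instructs, so the script can be
# run stand-alone without touching /etc/mysql/my.cnf. The bind-address under
# [mysqld_safe] is deliberately in the wrong section and must be ignored.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[client]
port = 3306
[mysqld]
user = mysql
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[mysqld_safe]
bind-address = 127.0.0.1
EOF
    report "$tmp"
    rm -f "$tmp"
}

# Usage: mysql-bind-check.sh [/etc/mysql/my.cnf]   (no argument runs the demo)
if [ "$#" -eq 1 ]; then
    report "$1"
    # What is listening right now (netstat as on the page, ss on newer systems):
    netstat -tlnp 2>/dev/null | grep ':3306 ' || ss -tlnp 2>/dev/null | grep ':3306 '
elif [ "$#" -eq 0 ]; then
    demo
fi
```

Run it against /etc/mysql/my.cnf after the edit: a "network-exposed" verdict is the cue to go and check the security group and the MySQL grant table before anything else is installed.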

Install Apache2, PHP5, FCGI, suExec, Pear, and mcrypt.

They can all be installed with a single apt-get call:

$ sudo apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp

The PHP5 mcrypt module has to be enabled manually:

$ sudo php5enmod mcrypt

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, include and cgi:

$ sudo a2enmod suexec rewrite ssl actions include cgi

Next open /etc/apache2/mods-available/suphp.conf

$ sudo nano /etc/apache2/mods-available/suphp.conf

Comment out the <FilesMatch "\.ph(p3?|tml)$"> section and add the line AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml, otherwise the SetHandler forces every PHP file through suPHP and the handler cannot be overridden per virtual host. The file should then look like this:

<IfModule mod_suphp.c>
    #<FilesMatch "\.ph(p3?|tml)$">
    #    SetHandler application/x-httpd-suphp
    #</FilesMatch>
    suPHP_AddHandler application/x-httpd-suphp
    AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml

    <Directory />
        suPHP_Engine on
    </Directory>

    # By default, disable suPHP for debian packaged web applications as files
    # are owned by root and cannot be executed by suPHP because of min_uid.
    <Directory /usr/share>
        suPHP_Engine off
    </Directory>

    # # Use a specific php config file (a dir which contains a php.ini file)
    # suPHP_ConfigPath /etc/php5/cgi/suphp/
    # # Tells mod_suphp NOT to handle requests with the type <mime-type>.
    # suPHP_RemoveHandler <mime-type>
</IfModule>

Restart Apache afterwards:

$ sudo service apache2 restart

If you want to host Ruby files with the extension .rb on your web sites, you must comment out the line application/x-ruby rb in /etc/mime.types:

$ sudo nano /etc/mime.types
#application/x-ruby rb

(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

$ sudo service apache2 restart

Xcache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It is similar to other PHP opcode cachers such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP pages.

Xcache can be installed as follows:

$ sudo apt-get install php5-xcache

Now restart Apache:

$ sudo service apache2 restart

The Perfect Ubuntu Server is now ready.