Hi Jose,

You could certainly use our metadata server to provide the apache passphrase at boot time, if you then integrate it with the apache startup process. I'm not an expert on Apache's initialization procedure so I'll leave advice on that to others. As far as I know, no code has been written yet to do that.

The dist-upgrade was probably only relevant as your first reason to reboot after making the change, I'd expect, nothing specific to the new kernel or to GCE.

However, I do have one bit of positive feature clarification to provide: gcutil, gcloud, and our web UI do allow you to fully shut down an instance, which will let you attach the disk to another instance. Just delete it while preserving the boot disk (it's an option for all of those tools). This will send a clean ACPI power down signal to the VM, giving it an approximate maximum of 2 minutes before pulling the virtual power cord.

Good luck, and glad you're trying GCE!

- Jimmy

On Oct 19, 2014 9:12 AM, "Jose R R" <[email protected]> wrote:

> Niltze, all-
>
> Well, doing my part in the security of the Web :p
>
> I run Apache web server in a GCE VM [different email account than this
> one] and decided to acquire an SSL certificate which I successfully
> installed under Debian Wheezy a few days ago.
>
> For added security, I pass-phrased-protected the SSL certificate so
> that when I restart the web server I need to input my pass phrase.
>
> I had no issues whatsoever until today that I did an: apt-get
> dist-upgrade for a newer kernel. Upon doing a reboot I found out that
> my port 22 is closed but my web server ports 80 and 443 are open.
>
> I used nmap to scan for my open ports as well as the tcping utility.
>
> Accordingly, I get the message connection refused whenever I use
> gcloud or ssh to attempt to log into my GCE instance.
>
> After using gcutil and gcloud to reset my GCE instance -- multiple
> times -- the outcome was the same. Accordingly I did:
>
> gcloud compute instances get-serial-port-output myInstance
>
> Below is the last message of the output that indicates that GCE Debian
> Wheezy instance needs the passphrase before proceeding further (and
> starting sshd):
>
> ----------------------------------------------------------------------
> ...
> Oct 19 07:53:51 myInstance acpid: 1 rule loaded
> Oct 19 07:53:51 myInstance acpid: waiting for events: event logging is off
> [....] Starting web server: apache2Apache/2.2.22 mod_ssl/2.2.22 (Pass
> Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide the pass phrases.
>
> Server myInstance.x.xyz-host.internal:443 (RSA)
> Enter pass phrase:
> ----------------------------------------------------------------------
>
> I tried detaching the disk to subsequently mount onto another instance
> but the command fails with:
>
> ----------------------------------------------------------------------
> ERROR: (gcloud.compute.instances.detach-disk) There was a problem
> modifying the resource:
> - Hot-remove of the root disk is not supported.
> ----------------------------------------------------------------------
>
> Now, gcutil and gcloud utilities can reset (reboot) the instance but
> can not shut it down completely (that I'm aware) -- which would allow
> me to detach the disk.
>
> Is there a way to provide (as parameter) the passphrase that the web
> server requires to start apache2 and thus continue/complete the boot
> process to start ssh server so that port 22 will be opened?
>
> Best Professional Regards
>
> --
> Jose R R
> http://www.metztli-it.com
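An added example, not part of the original thread and not Google or Apache project code: one way to wire the metadata server into Apache startup as suggested above, using mod_ssl's `SSLPassPhraseDialog exec:` hook so the boot never stops at the console prompt. The helper path and the metadata attribute name `apache-ssl-passphrase` are assumptions.

```shell
#!/bin/sh
# Added example: pass-phrase helper for mod_ssl's "SSLPassPhraseDialog exec:" hook.
# Apache config (helper path is an assumption):
#   SSLPassPhraseDialog exec:/usr/local/sbin/apache-passphrase
# Apache 2.2 mod_ssl runs the helper as: <helper> "servername:port" "RSA"|"DSA"
# and reads the pass phrase from its stdout, so nothing prompts on the console.

# GCE metadata endpoint; the attribute name is a hypothetical choice.
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/attributes"
ATTRIBUTE="apache-ssl-passphrase"

# Accept only "host:port" with hostname characters and a numeric port.
valid_server() {
    host=${1%:*}; port=${1##*:}
    [ "$host" != "$1" ] || return 1            # no colon at all
    case "$host" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
}

# One GET against the metadata server. --fail keeps an HTTP error page from
# being used as a pass phrase; --max-time bounds the delay at boot.
http_get() {
    curl --silent --fail --max-time 5 -H 'Metadata-Flavor: Google' "$1"
}

# Print the pass phrase, or fail without output if it is missing or empty.
fetch_passphrase() {
    phrase=$(http_get "$METADATA_URL/$ATTRIBUTE") || return 1
    [ -n "$phrase" ] || return 1
    printf '%s\n' "$phrase"
}

main() {
    valid_server "${1:-}" || { echo "unexpected server argument" >&2; return 2; }
    case "${2:-}" in
        RSA|DSA) ;;
        *) echo "unexpected key type" >&2; return 2 ;;
    esac
    fetch_passphrase || { echo "pass phrase unavailable for $1" >&2; return 1; }
}

# Run only when called with arguments, as mod_ssl does.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Any process on the VM that can reach the metadata server, and anyone with read access to the instance's metadata, can read this attribute, so the key file is only as protected as that access.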
