On Oct 18, 2006, at 10:10 AM, Robin Becker wrote:
I have a number of servers which don't have console access, but I would like to have apache started automatically if the server is rebooted. However, it seems that if https is used then I need to type in a secret at boot time (on the console).

Is there a way to start processes up automatically after the boot is finished?

Sure. Cron or at will do so, for example. But you're not going to truly resolve the actual problem of needing human input for a passphrase by having some other machine do something automatically.

I could imagine asking another, trusted, server to supply the magic string using scp or some other secure transport and then using the decoded result to start up apache.

The "magic string" is normally called the SSH private key, ~/.ssh/ id_rsa or ~/.ssh/id_dsa. :-)

I suppose you could use SSH from some remote trusted server to do an "apachectl startssl" and then feed it the passphrase, but then you've ended up putting the passphrase in cleartext on the trusted host, and you need to permit the trusted host to login to the webserver without needing human intervention via SSH keypairs, so you're just moving the problem from one place to another.

If you've got 24-7 sysadmin availability, then keeping your x.509 certs passphrase-protected might well make sense-- if a machine is rebooted, a sysadmin needs to login and start apache by hand. Otherwise, most people leave the x.509 certs unsecured with a passphrase so that the webserver can be setup to start itself upon a reboot without manual intervention.


freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to