Creating A CSR
A CSR is a Certificate Signing Request. It's the file you send to the SSL provider (the certificate authority, or CA) so they can issue your actual certificate. It carries your public key and the subject name you are asking for, signed with your private key; the private key itself never leaves your server.
sudo openssl req -new -key /path/to/your/private/ssl/server.key \
-out /path/to/your/new/signingrequest.csr
The server.key is the private key for your server. It is what proves your server is the one named in the certificate, so it should be locked with a passphrase: if someone breaks in and copies the file, the copy is useless to them without the passphrase (as long as the passphrase isn't weak enough to guess). Anyone who does get a usable copy of your server key can pretend to be your website, and people's browsers will trust them, because they have your ID. Keep in mind that the passphrase only protects the copy on disk; once apache has loaded the key, the decrypted key sits in the running process's memory.
The only drawback to using a passphrase-protected key is that apache will not start until someone types the passphrase at the console. If you have apache set to start on boot, this can actually keep you from logging into the server at all, because the boot process stops at the prompt and waits for you to enter the passphrase. (Apache's SSLPassPhraseDialog directive can fetch the passphrase from a program instead of prompting, but that just moves the secret into another file on the same machine.)
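The script below is an added example, not code from the original post: it carries the procedure above through end to end with openssl on any Unix, generating a passphrase-protected server.key, building the CSR from it, and then running the checks worth doing before sending the CSR to the CA (the CSR's self-signature verifies, the public key inside the CSR matches the private key, and the key file really cannot be loaded without its passphrase). The temporary directory, the subject name www.example.com and the passphrase are made-up values for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a passphrase-
# protected server key, build a CSR from it, and run the checks worth doing
# before sending the CSR to the CA. The paths, subject name and passphrase
# below are made up for the example; substitute your own.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/signingrequest.csr"
PASS="correct horse battery staple"   # hypothetical passphrase

# 1. Private key, encrypted on disk with AES-256 (the "locked with a
#    password" part above). -passout avoids the interactive prompt so the
#    example runs unattended; on a real server let genrsa prompt instead,
#    so the passphrase never lands in a script or your shell history.
make_key() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
}

# 2. The CSR. -subj fills in the subject non-interactively; the post's
#    command without -subj prompts for the same fields.
make_csr() {
  openssl req -new -key "$KEY" -passin "pass:$PASS" \
    -subj "/CN=www.example.com" -out "$CSR"
}

# 3a. The CSR's self-signature verifies: the request is intact and was
#     signed by the key whose public half it carries.
csr_verifies() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# 3b. The public key inside the CSR is the public half of server.key, so
#     the certificate the CA issues will match the key apache loads.
csr_matches_key() {
  key_pub=$(openssl pkey -in "$KEY" -passin "pass:$PASS" -pubout 2>/dev/null)
  csr_pub=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# 3c. The key file really is unusable without the passphrase: a copy
#     stolen from disk cannot be loaded with a wrong guess.
key_needs_passphrase() {
  ! openssl pkey -in "$KEY" -passin "pass:wrong-guess" -noout >/dev/null 2>&1
}

# The subject actually recorded in the CSR, to eyeball before sending it.
csr_subject() {
  openssl req -in "$CSR" -noout -subject
}

make_key
make_csr
csr_subject
```

Run it as a plain sh script. The three checks are the ones that catch the common mistakes with CSRs: a request generated from the wrong key (the CA's certificate will then not match what apache loads), a request mangled in transit, and a key that was written unencrypted because the encryption flag was forgotten.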
FreeBSD RC Scripts
The real problem is that sshd hasn't started yet at the time apache is trying to load, so the passphrase prompt is sitting on a console you can't reach. One way to solve this is to add sshd to the REQUIRE line in the FreeBSD rc.d script for apache, so it reads:
# REQUIRE: LOGIN cleanvar sshd
The REQUIRE line tells the RC system (specifically rcorder(8), which sorts the rc.d scripts at boot) that this script must run after the scripts that PROVIDE the named services. Since I use sshd to log in remotely, I absolutely want to make sure that sshd is running before apache tries to load and things get stuck.
Yes, the # is part of the line. The first time I tried it I worried that it was commented out and I would have to remove the # to make it work. But it works fine with the # sign, because these lines (PROVIDE, REQUIRE, BEFORE, KEYWORD) are read by rcorder as directives; to the shell they are ordinary comments and are never executed.
Normally, I don't bother running SSL-enabled apache from the rc scripts. I just start apache manually, but just in case, I like to make sure it won't hang the server on boot up.
Be clear about what this line does and does not do, though: REQUIRE only controls ordering. If sshd is disabled in rc.conf, apache's rc script still runs at boot, just later in the sequence, and starting apache by hand, whether through the rc script or with apachectl, pays no attention to the REQUIRE line at all. It does not make apache conditional on sshd being up.