Menu
▾
▴
Re: [webmin-l] Webmin certificate(s) location and TinyCA2
|
From: Jamie C. <jca...@we...> - 2006-07-31 05:42:12
|
On 30/Jul/2006 18:53 Robert Moskowitz wrote .. > Jamie Cameron wrote: > > On 27/Jul/2006 21:01 Robert Moskowitz wrote .. > > > >> Well, > >> > >> I have finally gotten TinyCA2 up and working! Many things got in the > >> way; but it is now up and running on my notebook (running Centos 4.3). > >> > >> > >> But the server cert, I suspect I DO have to keep it informed, so WHEN > I > >> move it to a better directory than my home directory, I will have to > >> update the file location in the SSL module. > >> > >> > >> Now about that file being password protected.... > >> > >> When I supplied Webmin with the cert location (I put the cert and > >> private key in a single file), the update failed with a message that > >> webmin did not restart. > >> > >> So from a terminal window I issued: /etc/webmin/start > >> > >> And was asked: > >> > >> Enter PEM pass phrase: > >> > >> So either I have to live with being asked for the PEM pass phrase > >> everytime I start Webmin (reasonable for running it occationally on > my > >> notebook), or creat the server cert without a passphrase? > >> > >> I can see that needing a passphrase on a server would require that said > >> passphrase be somewhere on the filesystem (or in a token) anyway, so > >> just put it in a root controled directory and don't passphrase protect > >> it? What does Webmin do what it creates its own cert? > >> > > > > Webmin always creates non-password-protected cert files, to avoid the > problem > > of the openssl library prompting for the password at startup time. I > suppose > > I could add code to allow a password to be specified in Webmin's config > files > > somewhere (like Apache does), but security-wise this would be no different > > from not having a passphrase at all! > > > > Basically, I recommend creating certs without a passphrase, if you want > to > > use them with a web server than can be started automatically at boot > time. > I cannot see how to get TinyCA to create a server cert without a > password. When I leave the password field blank, I get a error about no > password.... > > So until I can get the author to accommodate non-passworded server > certs, I worked out the following: > > echo password > /etc/webmin/start > > I can put that into the webmin start script. I guess you really mean echo password | /etc/webmin/start right? I looked in the SSL Perl library for a way of automating this so that the passphrase can be in the Webmin configuration, but there doesn't seem to be any :-( - Jamie |
