Why is my Apache asking for a passphrase every time I restart it?

Hello there,

To my knowledge this specific issue you are seeing is likely due to an SSL certificate file on your Linode being password protected. When Apache attempts to access that file, it is prompting you for the password.

One way to fix this would be to utilize the SSLPassPhraseDialog option in your httpd.conf file. There are a few steps you would need to take to accomplish this. First, you will want to create a simple script. You can call this script passphrase-file.conf, for example. In that file you will want to put:

#!/bin/sh
echo "[private key passphrase]"

Once you have created that file you will want to run the command chmod +x [/path/to/passphrase-file.conf] This will set the file to be executable.

From there, you will want to edit the httpd.conf file for your Apache configurations and add the following line:

SSLPassPhraseDialog exec:[/path/to/passphrase-file.conf]

From there you will want to stop then start your Apache service. You can read more about this method on DigiCert's Website.

Another way you can attempt to resolve this is to completely remove the password from your .pem file. You can do this by performing the following:

# you'll be prompted for your passphrase one last time
openssl rsa -in key.pem -out newkey.pem

If you have your private and public certificate stored in the same file, you'll want to do this in two steps instead.

# you'll need to type your passphrase once more
openssl rsa -in mycert.pem -out newcert.pem
openssl x509 -in mycert.pem >>newcert.pem

I hope this helps point you in the right direction. If you continue to experience issues with this, please share any outputs you receive in this question. Another useful command to help out is likely going to be tail -n 20 /path/to/apache/error/log.

I hope you have a great day!

Hello!

Please can you tell me from where I find my key.pem file to remove password?

I would recommend running the following command:

find / -name *.pem

I would also recommend taking a look at the configuration file for your webserver as that should specify the path to the file.

On Ubuntu or Debian that website configuration file would be, /etc/apache2/sites-available/example.com.conf, while on CentOS 7 it's typically /etc/httpd/conf.d/ssl.conf.

Thanks for your help.

I found four paths in default-ssl.conf file.

SSLCertificateFile /usr/local/ssl/project/thawte/server.crt
SSLCertificateKeyFile /usr/local/ssl/project/thawte/server.key
SSLCertificateChainFile /usr/local/ssl/project/thawte/ca.crt

So, what command should I run to remove password?

Is it as below?

openssl rsa -in /usr/local/ssl/project/thawte/server.key -out newkey.pem

Please correct me if I am wrong.

Hmmm, before we continue, can you share the output of tail -n 20 /var/log/apache2/error.log? Alternatively if you are on a CentOS 7 box it might be tail -n 20 /var/log/httpd/error.log. That should also help confirm a little bit more what specific file is password protected.

Output from tail -n 20 /var/log/apache2/error.log

[Thu May 16 04:08:58.318299 2019] [autoindex:error] [pid 11730] [client 191.255.20.184:36007] AH01276: Cannot serve directory /var/www/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
[Thu May 16 04:19:13.220625 2019] [autoindex:error] [pid 9501] [client 78.189.178.159:33883] AH01276: Cannot serve directory /var/www/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
[Fri May 17 05:27:51.154507 2019] [ssl:emerg] [pid 32334] AH02204: Init: Pass phrase incorrect for key of www.aswanu.com:443
[Fri May 17 05:27:51.154659 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 17 05:27:51.154675 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri May 17 05:27:51.154682 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 17 05:27:51.154690 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Fri May 17 05:27:51.154700 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri May 17 05:27:51.154707 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 17 05:27:51.154714 2019] [ssl:emerg] [pid 32334] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Fri May 17 05:27:51.154722 2019] [ssl:emerg] [pid 32334] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Fri May 17 09:34:19.471894 2019] [ssl:emerg] [pid 7011] AH02204: Init: Pass phrase incorrect for key of www.aswanu.com:443
[Fri May 17 09:34:19.471995 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 17 09:34:19.472009 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri May 17 09:34:19.472044 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 17 09:34:19.472053 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Fri May 17 09:34:19.472062 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri May 17 09:34:19.472069 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 17 09:34:19.472076 2019] [ssl:emerg] [pid 7011] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Fri May 17 09:34:19.472084 2019] [ssl:emerg] [pid 7011] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information

Thank you for that. Let's try having you run the following command then edit your Apache SSL configurations to point to the new file:

openssl rsa -in /usr/local/ssl/project/thawte/server.key -out /usr/local/ssl/project/thawte/newkey.key

From there you will want to edit default-ssl.conf to have the following line:

SSLCertificateKeyFile /usr/local/ssl/project/thawte/newkey.key

openssl rsa -in /usr/local/ssl/project/thawte/server.key -out /usr/local/ssl/project/thawte/newkey.key

says

Enter pass phrase for /usr/local/ssl/project/thawte/server.key:

And I don't know pass phrase!

Hey I got the pass phrase. Created new key and set path in ssl.conf as well.

But now when I run

service apache2 start

It shows:

 * Starting web server apache2                                                                                                                                          (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
 * 
 * The apache2 instance did not start within 20 seconds. Please read the log files to discover problems

I'm sorry you're still experiencing an issue. Now that you're getting this error, what do you see with tail -n 10 /var/log/apache2/error.log? That might show some more information.

Thanks mate for all your help! Site is up now. :)