I have an Apache 2 installation on Debian with mod_ssl installed. The server private key is protected by a passphrase that needs to be entered on start-up. The error and access logs are subject to logrotate on a weekly basis. I find that Apache crashes with a passphrase-related error shortly after logrotate runs.
I understand that logrotate fires a SIGHUP to Apache after archiving logs and I suspect this is causing a reload and subsequent failure getting the passphrase for the server key.
Well, enough with my theories, here is the question:
Is there a "best practice" way in which to configure Apache to allow its SSL server keys to be protected by a passphrase (without storing that passphrase in a file somewhere) so that it won't crash when logrotate runs?
It is fine to require user input on server startup, but not restart or reload.
3 answers
#1
1
One option is to use Apache's provided log rotation tool. It's configured a bit differently than the system logrotate, but as it works with pipes, it can move files around without an Apache restart.
#2
2
You could use Cronolog, which does not require a sighup. Here's an example:
CustomLog "| /usr/sbin/cronolog /pathtologs/%Y_%m/sitename.com-%Y%m%d.log" combined
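Both of the answers above come down to the same check: any `ErrorLog`, `CustomLog` or `TransferLog` directive that writes straight to a file is something logrotate will rotate and then SIGHUP Apache for, while a target beginning with `|` is handed to a piped logger (rotatelogs, cronolog) that rotates on its own. The following shell snippet is an added example, not code from either answer; it lists the file-backed directives in a constructed sample config so you can see which ones still depend on logrotate. It assumes plain one-directive-per-line Apache syntax.

```shell
#!/bin/sh
# Added example (not from the original answers): report Apache log directives
# whose target is a plain file rather than a "|" pipe. Those files are what
# logrotate rotates, and its postrotate reload is what re-prompts for the key
# passphrase. Piped targets (rotatelogs, cronolog) need no reload.
# Assumption: one directive per line, as in the constructed sample below.
# Note: syslog:... targets are reported too; they need no logrotate either,
# so treat them as out of scope.

# Constructed sample vhost config: two piped loggers and two plain files.
SAMPLE_CONF='
<VirtualHost *:443>
    ServerName sitename.com
    ErrorLog /var/log/apache2/error.log
    CustomLog "|/usr/sbin/cronolog /var/log/apache2/%Y_%m/sitename.com-%Y%m%d.log" combined
    CustomLog "|/usr/bin/rotatelogs -l /var/log/apache2/ssl_request.%Y%m%d.log 86400" ssl
    TransferLog /var/log/apache2/transfer.log
</VirtualHost>
'

# Print every ErrorLog/CustomLog/TransferLog directive whose target does not
# start with "|". Reads the config text from stdin.
unpiped_log_directives() {
    grep -E '^[[:space:]]*(ErrorLog|CustomLog|TransferLog)[[:space:]]' |
    sed -E 's/^[[:space:]]*//' |
    awk '{ t = $2; sub(/^"/, "", t); if (substr(t, 1, 1) != "|") print }'
}

# Number of file-backed log directives in the constructed sample.
count_unpiped_sample() {
    printf '%s\n' "$SAMPLE_CONF" | unpiped_log_directives | wc -l | tr -d ' '
}

# Usage against a live Debian config tree:
#   cat /etc/apache2/sites-enabled/* | unpiped_log_directives
printf '%s\n' "$SAMPLE_CONF" | unpiped_log_directives
```

An empty result means logrotate has nothing left to rotate for Apache, so its `postrotate` reload can be dropped and the passphrase prompt never comes back until a real restart.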
#3
2
You can also turn off the passphrase by using the following command:
openssl rsa -in example.tld.key -out example.tld.key
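Once the passphrase is stripped as in the answer above, the private key is only as safe as the file permissions around it, so it helps to be able to tell at a glance whether a PEM key is still encrypted and, if not, whether it is readable only by its owner. The shell functions below are an added example and not part of the original answer; they recognise both the legacy `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` form, and they run against constructed PEM headers (no real key material). The mode check assumes GNU `stat`, as found on Debian.

```shell
#!/bin/sh
# Added example (not from the original answer): classify a PEM private key as
# "encrypted", "plain-ok" (unencrypted but owner-only readable) or
# "plain-exposed" (unencrypted and readable by others).
# Recognised encrypted encodings:
#   - legacy "BEGIN RSA PRIVATE KEY" with a "Proc-Type: 4,ENCRYPTED" header
#   - PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
# Assumption: GNU stat (Debian) for the mode check.

# Returns 0 if the PEM file at $1 is passphrase-protected, 1 otherwise.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Returns 0 if the file at $1 is mode 0600 or 0400, 1 otherwise.
key_mode_ok() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Prints the verdict for the key at $1.
key_status() {
    if key_is_encrypted "$1"; then
        echo encrypted
    elif key_mode_ok "$1"; then
        echo plain-ok
    else
        echo plain-exposed
    fi
}

# Constructed sample PEM files (headers only, no real key material) in a
# fresh temporary directory; prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/legacy-enc.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8-enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/plain.key"
    chmod 644 "$dir/plain.key"
    cp "$dir/plain.key" "$dir/plain-locked.key"
    chmod 600 "$dir/plain-locked.key"
    echo "$dir"
}

# Usage on a real key: key_status /etc/ssl/private/example.tld.key
d=$(make_samples)
for f in "$d"/*.key; do
    printf '%s: %s\n' "$(basename "$f")" "$(key_status "$f")"
done
```

If a key reports `plain-exposed`, `chmod 600` it (and keep it under a directory such as Debian's `/etc/ssl/private`, which is itself not world-readable) before relying on it in `SSLCertificateKeyFile`.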