Synchronizing with time server: [FAILED]

ntpd: Synchronizing with time server: [FAILED]
Starting ntpd: [ OK ]

When does it do the sync?

# Synchronize with servers if step-tickers exists
# or the -x option is used
echo -n $"$prog: Synchronizing with time server: "
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null
RETVAL=$?
[ $RETVAL -eq 0 ] && success || failure

It does the sync when the /etc/ntp/step-tickers file is there.

[root@localhost ~]# cat /etc/ntp/step-tickers
time.vmware.com

Why would this happen? Strange stuff…

[root@localhost ~]# /etc/init.d/ntpd stop
Shutting down ntpd: [ OK ]
[root@localhost ~]# ntpdate time.vmware.com
28 Jun 10:49:44 ntpdate[25663]: step time server 10.16.12.148 offset 90.895171 sec

The ntpdate command doesn’t fail … wonder why… tail /var/log/messages shows:

Jun 28 10:52:31 localhost ntpd: ntpd shutdown failed
Jun 28 10:52:31 localhost ntpdate[26038]: can't find host time.vmware.com
Jun 28 10:52:31 localhost ntpdate[26038]: no servers can be used, exiting
Jun 28 10:52:31 localhost ntpd: failed
Jun 28 10:52:31 localhost ntpd[26043]: ntpd [email protected] Wed Nov 17 15:43:55 EST 2004 (1)
Jun 28 10:52:32 localhost ntpd: ntpd startup succeeded

Can’t find host? Why’s that? Let’s try using the IP address instead of the name in the step-tickers file. Well, the IP address fixes it in Redhat Enterprise Linux 4, but I had this problem with ESX server (based on Redhat 7.2).

The problem was:

[root@localhost ~]# file /etc/ntp/step-tickers
/etc/ntp/step-tickers: ASCII text, with CRLF line terminators

The file was a DOS file. When the problem was in ESX, I was able to see the ^M character in /var/log/messages, so I was able to fix it after finding that. Fun stuff huh?
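The check below is an added example, not from the original post: it flags step-tickers entries that carry a carriage return, prints them with the ^M that showed up in /var/log/messages, and strips the CRs in place. The function names are this example's own and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find and strip DOS (CRLF) line
# terminators in an ntp step-tickers file, the defect behind "can't find host".
# Function names and the sample file below are this example's own.

# Print every entry that carries a trailing carriage return, shown the way the
# ^M appears in /var/log/messages. Returns 1 if any were found, 0 if clean.
find_crlf_hosts() {
    file="$1"
    cr="$(printf '\r')"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"$cr"*)
                printf 'bad entry: %s^M\n' "$(printf '%s' "$line" | tr -d '\r')"
                found=1
                ;;
        esac
    done < "$file"
    return $found
}

# Rewrite the file in place with every CR removed. Writing through cat keeps
# the original inode, owner and mode (a plain mv would replace them).
strip_crlf() {
    file="$1"
    tmp="${file}.tmp.$$"
    tr -d '\r' < "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: a step-tickers file that was saved from a Windows editor.
demo="${TMPDIR:-/tmp}/step-tickers.demo.$$"
printf 'time.vmware.com\r\n10.16.12.148\r\n' > "$demo"

if find_crlf_hosts "$demo"; then
    echo "$demo is clean"
else
    echo "$demo has CRLF terminators; fixing"
    strip_crlf "$demo"
    find_crlf_hosts "$demo" && echo "$demo is clean after the fix"
fi
rm -f "$demo"
```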

Interesting time issue …

To complicate things a little, this was Redhat Enterprise Linux 4 update 2 in a VMware VM. That makes it a little more complicated because there is a known timekeeping problem for virtual machines: in virtualization, you can’t afford to give the clock ticks that the older 2.6 kernels ask for (default 1000HZ). You can read more on it here: http://www.vmware.com/vmtn/resources/238.

So in this case, virtualization wasn’t the problem.

Here’s where I started:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

date

Mon Feb 13 18:25:28 UTC 2006

ls -ld /etc/localtime

lrwxrwxrwx 1 root root 35 Feb 13 18:25 /etc/localtime -> /usr/share/zoneinfo/America/Chicago

cat /etc/sysconfig/clock

ZONE="America/Chicago"

UTC=false

ARC=false

run hwclock – it just gives you the prompt back.

date -s "Feb 13 20:25:28 PST 2006"

run date and get

Mon Feb 13 04:25:28 UTC 2006

run setup – go through the options set it to America/Chicago and still … UTC … why!?

set:

export TZ=America/chicago

still … date shows UTC!

reboot the Vm, go into the bios … same thing …. why!!??

zdump -v America/Chicago … shows a bunch of bullshit – nothing that helps.

finally:

rpm -qf /usr/share/zoneinfo/America/Chicago

rpm --verify tzdata-2004e-2

S.5....T. /usr/share/zoneinfo/America/Chicago
S.5....T. /usr/share/zoneinfo/CST6CDT
S.5....T. /usr/share/zoneinfo/SystemV/CST6CDT
S.5....T. /usr/share/zoneinfo/US/Central

ahh … wonder how the files got changed. Anyways, it doesn’t matter.

reinstalled the rpm:

rpm --force -Uvh tzdata-2004e-2.noarch.rpm

Now run:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

Now the date’s okay … cool deal!

Anti-SPAM gateway/mail server links

http://www.freespamfilter.org/ – site with links to the following:
http://www200.pair.com/mecham/spam/ – maia – cool diff
http://forums.theonpc.com/viewtopic.php?t=11 – THE DEFINITIVE GUIDE TO SETTING UP A LINUX RELAY SERVER – cool exchange server trick
http://www.flakshack.com/anti-spam – the first one I used – openbsd
http://www.securitysage.com/antispam/amavis.html – great site on antispam / security tips.
http://www-personal.umich.edu/~malth/gaptuning/postfix/ – dirsync like script – sync your db with Active Directory.

Modify Apache webserver to show something else on Netcraft

I guess I was wrong. I guess the other reason might be just to look cool for geeks. So here are the steps:

1) download the source rpm for my distro.

2) install it.
rpm -ivh apache-2.0.55-3tr.src.rpm

3) make a patch. Here’s how:
cd /usr/src/trustix/sources
tar jxvf httpd-2.0.55.tar.bz2
cp -pr httpd-2.0.55 httpd-2.0.55-orig
vi httpd-2.0.55/include/ap_release.h
then change the AP_SERVER_BASEPRODUCT to whatever you want. In my case, I used ShocKNetworK.

4) create a patch.
diff -urN httpd-2.0.55-orig/include/ap_release.h httpd-2.0.55/include/ap_release.h > shock.patch

5) add the patch to the spec file list
vi /usr/src/trustix/specs/apache.spec
added to where it lists the patches (your numbers may vary):
Patch6: shock.patch
and where it does the prep:
%patch6 -p1
(Just do a search for patches and you’ll find it)

6) build the rpm:
rpmbuild -ba /usr/src/trustix/specs/apache.spec

In my case, I ran into a dependencies problem:
root@chunli /usr/src/trustix/specs# rpmbuild -ba apache.spec
error: failed build dependencies:
expat-devel is needed by apache-2.0.55-3tr
gdbm-devel is needed by apache-2.0.55-3tr

So I just downloaded and installed them:
swup --install expat-devel gdbm-devel

Trustix (http://www.trustix.org) has a pretty cool tool called “swup” which is similar to yum (which Fedora, http://fedora.redhat.com, includes) or some others. If you don’t have either of these, you could easily just download the rpms from your mirrors and install them manually. So, after all of the stuff’s built and done, I found my rpms in /usr/src/trustix/rpms/i586. So, I just reinstalled it.
root@chunli /usr/src/trustix/specs# rpm -e --nodeps apache
warning: /etc/httpd/conf/httpd.conf saved as /etc/httpd/conf/httpd.conf.rpmsave
root@chunli /usr/src/trustix/specs# rpm --nodeps --force -Uvh /usr/src/trustix/rpms/i586/apache-2.0.55-3tr.i586.rpm
Preparing... ########################################### [100%]
1:apache ########################################### [100%]
root@chunli /usr/src/trustix/specs# cp /etc/httpd/conf/httpd.conf.rpmsave /etc/httpd/conf/httpd.conf
root@chunli /usr/src/trustix/specs# /etc/init.d/httpd restart

It’s pretty simple stuff – definitely not rocket science. Something to do when you’re bored I guess. Another thing is, if you go to Netcraft and you see something like this:
ShocKNetworK/2.0.55 (Trustix Secure Linux/Linux)
You can hide the version and stuff by opening the httpd.conf and adding to the Section 1: Global Environment:
ServerTokens Prod
I also set
ServerSignature Off
just so that it doesn’t show up where I have some directory file listings when there’s no index file. Fun stuff, huh?

Sendmail routing through Microsoft Active Directory

To give credit where credit is due, the attachment was sent to me from Randy Fox from csgsystems. There’s one bug with public folders. The workaround is to create a mailing list by the same name and make the public folder a member of the list.

If you’re reading this, you are probably running a Microsoft Exchange
Server or probably currently already have sendmail relaying to an Exchange
Server and want to improve your setup.

Most sendmail to exchange setups will take mail and blindly relay the mail
over. If yours is like this, you will know that you get email bounces that
can go nowhere, because most of those emails were spam in the first place,
sent to users that don’t even exist. A major problem with this is that it
will hold up your sendmail queue and hinder your performance, as it will try
to send these emails just as much as the ones that are important and need
to be sent out immediately.
This article will show you how to use sendmail’s ldap features to look into
the Active Directory to see where the mail should go and have sendmail send
it there. By having sendmail look into the Active Directory, it will know
whether users exist and will stop immediately after the “RCPT TO” in the
envelope if users don’t exist, eliminating the useless, bounce emails that
never get anywhere.

This procedure is not fully supported by Sun support because of the amount
of customization required.

First off, you will need a version of sendmail that has ldap capabilities
compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.8+Sun
Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all
work. Patches are available for those that don’t.

The Microsoft Active Directory is a different ldap server than your typical
ldap server, so you will want to browse the directory and learn more about
how it’s designed. You will need to find or create a user that can browse
the Active Directory.

For the sake of simplicity, this example will use the Administrator userid
and his password to bind to the Active Directory server and find and view its
contents.

For Solaris 8-9, if you have the SUNWlldap package installed, you can use
the ldapsearch command located in /usr/bin. Run something like:

/usr/bin/ldapsearch -L -D "cn=Administrator, cn=Users, dc=domain, dc=com" \
-h domaincontroller.domain.com -b “dc=domain,dc=com” objectclass=* \
> /tmp/active_directory.ldif

It will ask you for a password. You want to input the Windows
Administrator’s password there. You can open the /tmp/active_directory.ldif
file and read it and you can find a lot of the information in the directory
server.

If you do not have the ldapsearch command, while logged in as Administrator
on the Exchange server, you can achieve a similar result in Windows with

ldifde -f c:\temp\export.ldif -v

Upon knowing what’s in the Active Directory, you can proceed to plug this
data into your sendmail configuration.

Because the Active Directory is a little different from your standard ldap
server, some hacks are required to make sendmail work.

You want to go into your /usr/lib/mail/hack directory. You can create it if
the directory isn’t there. (The files are attached.) In there, you want to create a file called
AD_ldap_routing.m4 and inside of it have:

divert(-1)
#
# Copyright (c) 1999-2001 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

divert(0)
VERSIONID(`$Id: ldap_routing.m4,v 8.8 2001/06/27 21:46:31 gshapiro Exp $')
divert(-1)

# Check first two arguments. If they aren't set, may need to warn in proto.m4
ifelse(len(X`'_ARG1_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')
ifelse(len(X`'_ARG2_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')

# Check for third argument to indicate how to deal with non-existent
# LDAP records
ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 `define(`_LDAP_ROUTING_', `_MUST_EXIST_')')

# Check for fourth argument to indicate how to deal with +detail info
ifelse(len(X`'_ARG4_), `1', `',
 _ARG4_, `strip', `define(`_LDAP_ROUTE_DETAIL_', `_STRIP_')',
 _ARG4_, `preserve', `define(`_LDAP_ROUTE_DETAIL_', `_PRESERVE_')')

LOCAL_CONFIG
# LDAP routing maps
Kldapmh ifelse(len(X`'_ARG1_), `1',
 `ldap -1 -v msExchHomeServerName,msExchExpansionServerName -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG1_')

Kldapmra ifelse(len(X`'_ARG2_), `1',
 `ldap -1 -v targetAddress -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG2_')

The next step is to make the modifications to your .mc file.

The first feature we should add is a mailertable to tell sendmail where to
send mail with different ldapsearch results.

So we add the line:
FEATURE(`mailertable')

To add the ldap features into sendmail, add these lines (of course, you put
in your domains):
HACK(`AD_ldap_routing')
LDAPROUTE_DOMAIN(`domain.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`secondarydomain.com')dnl # alternate domain to do ldap lookups for.

You then need to specify your Active Directory settings (this all fits on
one line). You will also need to create the file /etc/mail/ldap.passwd. (We
will do this later)

define(`confLDAP_DEFAULT_SPEC',`-h domaincontroller.domain.com -M simple -d "cn=Administrator, cn=Users, dc=domain, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain, dc=com"')

We will now have to add some custom rulesets. There’s also one line you need to change here:

R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*>	$>LDAPMailertable <$1> $2

Make it match your organization. You can find this by looking at your
active_directory.ldif file and seeing the msExchHomeServerName attribute.
Every user entry should have something like:

msExchHomeServerName: /o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=domaincontroller

With that, you just strip off the last cn= and make spaces in between.

LOCAL_NET_CONFIG
R$* < @ $=m . > $*	$#esmtp $@ $2 $: $1 < @ $2 . > $3	internal addr delivered to host
R$* < @ $+ . $=m . > $*	$#esmtp $@ $2 . $3 $: $1 < @ $2 .$3 . > $4	internal w/host

# Begin custom LDAP rule set.
# The following lines are essentially copied from the proto.m4 file. They are entered here to maintain the proper,
# original flow control but process the Active Directory response properly.
# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $*	$: $>MailerToTriple < $S > $1 < @ $2 > $3	glue on smarthost name

# deal with other remote names
R$* < @$* > $*	$#esmtp $@ $2 $: $1 < @ $2 > $3	[email protected]

# handle locally delivered names
R$=L	$#local $: @ $1	special local names
R$+	$#local $: $1	regular local names

SLDAPExpand
# do the LDAP lookup for the Exchange Mail Host
R<$+><$+><$*>	$: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3>

# if mailRoutingAddress (targetAddress) and local or non-existent mailHost,
# return the new mailRoutingAddress
R<$+> <$=w> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1
R<$+> <> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1

# fix hostname in Mailertable, relay from there
R<$+> <$+> <$+> <$+> <$*>	$>LDAPMailertable <$2> $>canonify $1

# if no mailRoutingAddress and local mailHost,
# return original address
R<> <$=w> <$+> <$+> <$*>	$@ $2

# if no mailRoutingAddress and non-local mailHost,
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
# You'll need to do the query manually to find the proper stuff to pull out
R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*>	$>LDAPMailertable <$1> $2

# if still no mailRoutingAddress and no mailHost,
# try @domain
R<> <> <$+> <$+ @ $+> <$*>	$@ $>LDAPExpand <$1> <@ $3> <$4>

# if no mailRoutingAddress and no mailHost and this was a domain attempt,
# return the original address
R<> <> <$+> <@ $+> <$*>	$@ $1
# End of custom LDAPExpand rule set

You now want to create your cf file.

/usr/ccs/bin/m4 ../m4/cf.m4 file.mc > file.cf

Now that we’re done with the cf file, we need to supply the other files to
the configuration.

Create the ldap.passwd file:
echo "activedirectorypassword" > /etc/mail/ldap.passwd

This file holds the bind password in clear text, so keep it readable by
root only (chmod 600), and prefer a dedicated read-only directory account
over Administrator once the setup is working.

Create the mailertable to tell sendmail where to send the mail. When we
stripped the last cn= off of the msExchHomeServerName, we will take that
and put it here. So my /etc/mail/mailertable will look like:
cn=domaincontroller esmtp:exchangeserver.domain.com

After you create this file, you will need to put it in the database for
sendmail to read it. Do this by running the command:
makemap -v hash /etc/mail/mailertable < /etc/mail/mailertable
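The two pieces the article derives by hand from msExchHomeServerName, the cn= key for the mailertable and the spaced-out prefix for the "de-AD" rule in LDAPExpand, can be produced with a few sed calls. This is an added example, not from the original article or its attached files; the DN, hostnames and function names are this example's own, and the spacing follows the tokenized form the article's own rule line shows.

```shell
#!/bin/sh
# Added example, not from the original article or its attached files: derive the
# two pieces the text builds by hand from an msExchHomeServerName value, the
# cn= key for the mailertable and the tokenized prefix for the "de-AD" rule.
# The DN, hostnames and function names here are this example's own; the spacing
# follows the rule line the article shows (sendmail splits on "/", "." and ",").

# Last component of the value, e.g. "cn=domaincontroller": the mailertable key.
home_server_cn() {
    printf '%s\n' "$1" | sed 's#.*/##'
}

# Everything before the last component, with "/", "." and "," set off as
# separate tokens and runs of blanks collapsed, ready to paste into the LHS.
home_server_prefix() {
    printf '%s\n' "$1" | sed -e 's#/[^/]*$##' \
                             -e 's#[/.,]# & #g' \
                             -e 's/  */ /g' \
                             -e 's/^ //' -e 's/ $//'
}

# The rewritten rule for the LDAPExpand ruleset (LHS and RHS separated by a tab).
de_ad_rule() {
    printf 'R<> <%s / $+> <$+> <$+> <$*>\t$>LDAPMailertable <$1> $2\n' \
        "$(home_server_prefix "$1")"
}

# The matching mailertable line: key, tab, mailer:host.
mailertable_entry() {
    printf '%s\tesmtp:%s\n' "$(home_server_cn "$1")" "$2"
}

# Constructed value of the kind found in active_directory.ldif.
sample='/o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=domaincontroller'
echo "# rule for the .mc file:"
de_ad_rule "$sample"
echo "# /etc/mail/mailertable entry:"
mailertable_entry "$sample" exchangeserver.domain.com
```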

You will also need to tell sendmail that you take mail for the domain as
well, so you want to put your domain in /etc/mail/local-host-names.
echo "domain.com" > /etc/mail/local-host-names

Now we will need to restart sendmail and test it. Run a command like this
for a user in the Active Directory:
/usr/lib/sendmail -bv [email protected]

You should see: [email protected]… deliverable: mailer esmtp, host
domaincontroller.domain.com, user [email protected]

If you run the same command on a user that’s not in the Active Directory,
you should get:
/usr/lib/sendmail -bv [email protected]
[email protected]… User unknown

Once you’ve got this, you’re all set!

————————————————————————————————————-
Some ideas on troubleshooting:

If you see
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer relay, host cn=exchangeserver, user
[email protected]

You probably forgot the mailertable. The mailertable translates the cn=host
to the actual host and tells it which protocol to use to send the mail. In
our case, we use esmtp.

If you see something like this:
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer esmtp, host domain.com., user
>/o=domain/ou=First.Administrative.Group/cn=Configuration/cn=Servers/[email protected]@domain.com<

You have the wrong data in the area where it says:
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
in the sendmail.mc file.

Because it’s hard to read the .mc file stuff in the text, you can download the files here: AD_Routing.tar

Blocking incoming mail by subject in sendmail

LOCAL_RULESETS
HSubject: $>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the LoveLetter virus.
SCheck_Subject
R${MPat} $*	$#error $: 550 ${MMsg}
RRe: ${MPat} $*	$#error $: 550 ${MMsg}

In this case, we are blocking the ILOVEYOU virus. “D{MPat}ILOVEYOU” is what’s in the subject line when the message comes in. “D{MMsg}This message may contain the LoveLetter virus.” is the message that sendmail will give to the sender. You are free to be creative with this message, and you could also create a universal error message for all of the mails with the subject lines you want to block.

If you have a huge list of subject lines you want to block, you could do it this way:
LOCAL_RULESETS
HSubject: $>Check_Subject
D{MPat}ILOVEYOU
D{MPat2}Mother's Day Order Confirmation
D{MPat3}Important ! Read carefully !!
D{MMsg}Your mail has been rejected because it may have a virus.
SCheck_Subject
R${MPat} $*	$#error $: 550 ${MMsg}
RRe: ${MPat} $*	$#error $: 550 ${MMsg}
R${MPat2} $*	$#error $: 550 ${MMsg}
RRe: ${MPat2} $*	$#error $: 550 ${MMsg}
R${MPat3} $*	$#error $: 550 ${MMsg}
RRe: ${MPat3} $*	$#error $: 550 ${MMsg}

Hopefully, you get the idea here. After all this, you have to recompile the sendmail.cf file and restart sendmail for this to take effect. To recompile the sendmail.cf file:
1 – backup your original /etc/mail/sendmail.cf
2 – in the /usr/lib/mail/cf directory, run:
/usr/ccs/bin/m4 ../m4/cf.m4 main.v7sun.mc > /etc/mail/sendmail.cf

To restart sendmail:
/etc/init.d/sendmail stop
/etc/init.d/sendmail start

Have fun!
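For the long-list case the post describes, the following added example (not part of the original post) generates the whole Check_Subject block from a list of subject patterns, one per line, in the same layout the post builds by hand for MPat, MPat2 and MPat3; the patterns and rejection text are constructed. As in the post's rules, each pattern matches only at the start of the Subject, with or without a leading "Re: ", and the match is case-sensitive.

```shell
#!/bin/sh
# Added example, not from the original post: generate the Check_Subject block
# for any number of subject patterns read from stdin (one per line), laid out
# exactly as the post writes MPat, MPat2, MPat3 by hand. The patterns and the
# rejection text are constructed; in use, feed it your own list.
# Note: as in the post, a pattern matches only at the start of the Subject,
# optionally after "Re: ", and the match is case-sensitive.

gen_check_subject() {
    awk -v msg="$1" '
        { pat[NR] = $0 }
        END {
            print "LOCAL_RULESETS"
            print "HSubject: $>Check_Subject"
            # one D{MPatN} macro per pattern; the first keeps the bare name MPat
            for (i = 1; i <= NR; i++)
                printf "D{MPat%s}%s\n", (i == 1 ? "" : i), pat[i]
            printf "D{MMsg}%s\n", msg
            print "SCheck_Subject"
            # LHS and RHS of each rule are separated by a tab, as sendmail requires
            for (i = 1; i <= NR; i++) {
                m = "${MPat" (i == 1 ? "" : i) "}"
                printf "R%s $*\t$#error $: 550 ${MMsg}\n", m
                printf "RRe: %s $*\t$#error $: 550 ${MMsg}\n", m
            }
        }'
}

# Constructed list; in practice: gen_check_subject "message" < blocked-subjects.txt
printf '%s\n' 'ILOVEYOU' "Mother's Day Order Confirmation" 'Important ! Read carefully !!' |
    gen_check_subject 'Your mail has been rejected because it may have a virus.'
```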

Apache 2.0.x reverse proxy that rewrites urls

How to set up a reverse proxy using Apache 2.0.x and have it rewrite urls.

This is particularly useful if you’re using an Identity server internally and want to be able to access the server externally. You can set up an Apache reverse proxy server in your DMZ and allow it to do so. If you use Identity Server 6.3 or higher, you will not need to do this.

The sole purpose for this article is that we needed a workaround for a customer due to a problem with the older version of Identity server, where the logout button uses an absolute url rather than a relative url, which makes the link inaccessible through a proxy.

Because the customer was doing this on Linux, the instructions here will be for Linux and will differ from what you would do in Solaris. If you wanted to do this in Solaris, you would need either more sources or you could install the binaries from http://www.blastwave.org or http://www.sunfreeware.org.

To start with, you will need Apache 2.0.x installed. You can verify this with:

rpm -qav | grep httpd

or

rpm -qav | grep apache (depending on which Linux distribution you have)

My output shows I have httpd-2.0.52-3.1 installed.

You will want to check to see that your Apache installation also includes the mod_proxy modules. You can check this with:

rpm -qil httpd

My output shows:

/usr/lib/httpd/modules/mod_proxy.so

/usr/lib/httpd/modules/mod_proxy_connect.so

/usr/lib/httpd/modules/mod_proxy_ftp.so

/usr/lib/httpd/modules/mod_proxy_http.so

Redhat Linux and Trustix Secure Linux both have these by default. I obviously can’t speak for all the other Linux distributions out there. If you don’t have these, you don’t want to continue. You will probably want to either find an rpm that has these or go and download the source and compile Apache with them.

Now, here comes the fun stuff. You will need to compile a new module – mod_proxy_html. You can download the module from: http://apache.webthing.com/mod_proxy_html/

You may want to follow this as a guide: http://www.apacheweek.com/features/reverseproxies

There are a few dependencies you will need to compile this module. For instance, you will definitely need a compiler and some libraries. Here’s a small list that I have installed on my box. You may need more.

gcc

httpd-devel-2.0.52-3.1

libxml2-2.6.16-3.i386.rpm

libxml2-devel-2.6.16-3.i386.rpm

zlib-devel-1.2.1.2-1.i386.rpm

To compile the module, run:

apxs -c -I/usr/include/libxml2 -i mod_proxy_html.c

After doing this, you should find the module located where your apache modules are stored like:

ls -l /usr/lib/httpd/modules/mod_proxy_html.so

-rwxr-xr-x 1 root root 59627 Apr 8 18:02 /usr/lib/httpd/modules/mod_proxy_html.so

Congratulations! You now have the module installed. You now have to configure it.

In my case, the apache configuration file is located in /etc/httpd/conf/httpd.conf

Here, I add where the modules are:

———————————————————————————————–

LoadFile /usr/lib/libxml2.so.2

LoadModule proxy_html_module modules/mod_proxy_html.so

———————————————————————————————–

Then, later in the file:

———————————————————————————————–

ProxyHTMLLogVerbose On

LogLevel Debug

ProxyRequests off

ProxyPass /amserver http://sapphire.atac.ebay.sun.com/amserver

ProxyPassReverse /amserver http://sapphire.atac.ebay.sun.com/amserver

ProxyPass /amconsole http://sapphire.atac.ebay.sun.com/amserver

ProxyPassReverse /amconsole http://sapphire.atac.ebay.sun.com/amserver

SetOutputFilter proxy-html

ProxyHTMLURLMap http://sapphire.atac.ebay.sun.com http://megatron.atac.ebay.sun.com i

———————————————————————————————–

What I’m doing here is rewriting the url for any requests that go to /amconsole or /amserver so the data is fetched from the sapphire machine. Any urls within the returned pages that point to sapphire will be rewritten to megatron.

All you have to do now is restart apache.

/usr/sbin/apachectl restart

That’s it! You now should be able to access http://megatron.atac.ebay.sun.com/amserver or http://megatron.atac.ebay.sun.com/amconsole and get the same login screen and be able to navigate the entire Identity Server or whatever else you put behind the proxy.
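The Netcraft post above and this one both leave httpd.conf directives behind that are easy to get wrong: ServerTokens and ServerSignature there, and ProxyRequests plus the LogLevel Debug used for mod_proxy_html troubleshooting here. The following added example, not from either post, audits a config file for those four directives against their Apache defaults; the sample configs and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from either post: audit an httpd.conf for the directives
# discussed above and report each one that is missing or left in the verbose
# state. The sample config files are constructed; function names are this
# example's own. Apache defaults: ServerTokens Full, ServerSignature Off,
# ProxyRequests Off, LogLevel warn.

# Print the value of the last active (uncommented) occurrence of a directive,
# matched case-insensitively as Apache does, or the given default if absent.
conf_value() {
    awk -v d="$2" -v def="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { print (v == "" ? def : v) }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one line per finding; the return value is the number of findings.
audit_httpd_conf() {
    conf="$1"; n=0
    tokens="$(lower "$(conf_value "$conf" ServerTokens Full)")"
    sig="$(lower "$(conf_value "$conf" ServerSignature Off)")"
    proxy="$(lower "$(conf_value "$conf" ProxyRequests Off)")"
    level="$(lower "$(conf_value "$conf" LogLevel warn)")"

    case "$tokens" in
        prod|productonly) ;;
        *) echo "ServerTokens $tokens: Server header shows version/OS; set Prod"; n=$((n + 1)) ;;
    esac
    if [ "$sig" != off ]; then
        echo "ServerSignature $sig: error pages and listings show version; set Off"; n=$((n + 1))
    fi
    if [ "$proxy" != off ]; then
        echo "ProxyRequests $proxy: forward proxying is on; ProxyPass alone is enough for a reverse proxy"; n=$((n + 1))
    fi
    if [ "$level" = debug ]; then
        echo "LogLevel debug: troubleshooting verbosity left on; set warn"; n=$((n + 1))
    fi
    return $n
}

tmp="${TMPDIR:-/tmp}/httpd-audit.$$"
# Constructed "before": what the mod_proxy_html troubleshooting setup leaves behind.
cat > "$tmp.weak" <<'EOF'
ServerSignature On
ProxyRequests On
LogLevel Debug
ProxyPass /amserver http://backend.example.invalid/amserver
EOF
# Constructed "after": the same proxy with the disclosure settings closed down.
cat > "$tmp.hard" <<'EOF'
ServerTokens Prod
ServerSignature Off
ProxyRequests Off
LogLevel warn
ProxyPass /amserver http://backend.example.invalid/amserver
EOF
for f in "$tmp.weak" "$tmp.hard"; do
    echo "== $f"
    if audit_httpd_conf "$f"; then echo "no findings"; fi
done
rm -f "$tmp.weak" "$tmp.hard"
```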

For issues, be sure to look at your Apache access and error logs and you can visit the following links:

http://apache.webthing.com/mod_proxy_html/

http://www.apacheweek.com/features/reverseproxies

RPM commands

How to compile rpm from src.rpm

1) download src.rpm

2) rpm -ivh file.src.rpm

3) cd /usr/src//spec

4) rpmbuild -bb file.spec

new rpm should be in /usr/src/distro/rpms/…

other RPM commands:

rpm -ivh file.rpm (install)

rpm -Uvh file.rpm (upgrade)

rpm -qav (list rpms installed)

rpm -qil (list files in an installed rpm)

rpm -qilp file.rpm (list files that are included in the rpm)

rpm -qf /path/to/somefile (find rpm that installed the file)

rpm -qav | grep name (look to see if some rpm is installed)

Apache SSL Self-Signed Certificates Without Passphrase

taken from: http://www.rpatrick.com/tech/makecert/

Following is a quick listing of the commands you need to use when setting up an SSL key for Apache that doesn’t require a passphrase to be entered during normal operations, and includes a self-signed certificate so you needn’t bother with cert requests and CAs. The sequence of events is to create an RSA key encrypted with 3DES, remove the passphrase, and then generate a self-signed certificate.

The following commands are to be entered via the command line, with each openssl statement requiring interactive input. Performed on Red Hat Linux, these instructions ought to also work on other flavors of Unix with OpenSSL and Apache installed.

openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -key server.key -x509 -out server.crt -days 999

cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/

apachectl restart

Verifying that Apache has the correct SSL directives and is using the correct key and certificate created above is left as an exercise for the webmaster.

If your system has a Makefile or symlink in the Apache conf directory, you can opt to pursue an earlier method to this madness using the below steps (provided here only for completeness):

cd /etc/httpd/conf
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
make testcert

Optionally, if you need a server.pem file for a given application, such as courier-imapd, use the following to create the .pem file from the previously created certificate and key:

cat server.key server.crt >server.pem
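As an added example, not from the page this section was taken from, here is the same key and certificate setup done with a single openssl req -nodes call (the one-step form of the genrsa -des3 / rsa pair above), followed by the verification the page leaves as an exercise: that the certificate matches the key, that the key loads without a passphrase, and that the key file is mode 600. It uses a 2048-bit key instead of 1024; the directory, CN and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: create the passphrase-free key and
# self-signed certificate described above, then run the check the page leaves
# as an exercise: confirm that the key and certificate belong together, that
# the key really has no passphrase, and that it is not readable by others.
# Uses a 2048-bit key rather than the page's 1024 (1024-bit RSA is no longer
# acceptable). Paths, the CN and function names are this example's own.

# One-step equivalent of "genrsa -des3" followed by "rsa -in pass.key":
# -nodes writes the private key unencrypted, so Apache starts without a prompt.
make_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-999}"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/server.key"
    # courier-imapd style bundle, as the page describes
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
}

# Return 0 only if: the cert's public key matches the private key (same RSA
# modulus), the key loads with an empty passphrase, and the key is mode 600.
verify_pair() {
    key="$1"; crt="$2"
    # "-passin pass:" makes an encrypted key fail instead of prompting
    kmod="$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null)" || return 1
    cmod="$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)" || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    case "$(ls -l "$key" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "key $key is readable by group/other" >&2; return 1 ;;
    esac
}

work="$(mktemp -d)"
if make_selfsigned "$work" www.example.invalid 999 && verify_pair "$work/server.key" "$work/server.crt"; then
    echo "key and certificate match; safe to copy into ssl.key/ and ssl.crt/"
    openssl x509 -noout -subject -enddate -in "$work/server.crt"
else
    echo "certificate setup failed" >&2
fi
rm -rf "$work"
```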

Using the above method you can enjoy the encryption protection provided by SSL without having to pay a commercial vendor to sign your server keys. If you don’t like the popup presented by some applications (e.g. web browsers) about an untrusted certificate, simply follow the process provided by your application to import or install the certificate, at which point you will no longer have to deal with future dialog boxes regarding an untrusted site.