[CalendarServer-users] Exception thrown when using chained certificates

Morgen Sagen sagen at apple.com
Fri Apr 5 10:33:43 PDT 2013


Calendar server uses a couple different mechanisms to acquire a certificate's passphrase:

1) It will run the program specified in caldavd.plist "SSLCertAdmin", which defaults to /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin on OS X Server.  It passes "--get-private-key-passphrase /path/to/private.key" to that program which returns the passphrase on stdout.

2) It will run the program specified in caldavd.plist "SSLPassPhraseDialog", which defaults to /etc/apache2/getsslpassphrase.  It determines whether the key type is DSA or RSA, and then passes "<serverhostname>:<port> <keytype>" to that program which returns the passphrase on stdout.

You could try configuring the SSLPassPhraseDialog key to an appropriate program on your system.  The problem is I don't know if this will work if the program you specify needs to interact with a tty to prompt for the passphrase because the calendar server worker processes don't have a tty as far as I know.

~morgen
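As an added illustration (my own code, not part of CalendarServer, Apache or this thread), here is what a non-interactive SSLPassPhraseDialog helper could look like given the contract Morgen describes: the server execs the program with the two arguments "<serverhostname>:<port> <keytype>", expects nothing but the passphrase on stdout, and the worker that runs it has no tty. The passphrase therefore has to come from somewhere on disk; this helper reads it from a root-only store file. The store path /etc/caldavd/sslpassphrases, its "host:port keytype passphrase" line format and every sample value are assumptions of mine, not defaults of any product. Keeping the passphrase in a 0600 file protects the key about as much as stripping it with openssl would, but the helper at least refuses to answer when that file is readable by other users, and keeps errors on stderr so a failure never leaks into the passphrase stream.

```python
#!/usr/bin/env python3
"""Hypothetical SSLPassPhraseDialog helper (added example, not CalendarServer code).

Invocation contract from the thread: argv = ["<serverhostname>:<port>", "<keytype>"]
with keytype RSA or DSA; the passphrase is returned on stdout. No tty is used.
Store format (my assumption): one "host:port keytype passphrase" per line.
"""
import os
import stat
import sys
import tempfile

STORE_PATH = "/etc/caldavd/sslpassphrases"   # assumed location, not a real default


def parse_dialog_args(argv):
    """Validate the two arguments the server passes; return (host, port, keytype)."""
    if len(argv) != 2:
        raise ValueError("expected '<serverhostname>:<port> <keytype>'")
    hostport, keytype = argv
    host, sep, port = hostport.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("bad host:port %r" % hostport)
    if keytype not in ("RSA", "DSA"):
        raise ValueError("unknown key type %r" % keytype)
    return host, int(port), keytype


def check_store_permissions(path):
    """Refuse a store any other user can read: the passphrase on disk is only as
    protected as this file's mode (owner check omitted to keep the example portable)."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible (mode %o)"
                              % (path, stat.S_IMODE(st.st_mode)))


def parse_store(text):
    """Parse 'host:port keytype passphrase' lines; blank and # lines are ignored."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError("store line %d malformed" % lineno)
        hostport, keytype, passphrase = parts
        table[(hostport, keytype)] = passphrase
    return table


def lookup_passphrase(argv, store_text):
    """Map the server's two arguments to the matching passphrase in the store."""
    host, port, keytype = parse_dialog_args(argv)
    key = ("%s:%d" % (host, port), keytype)
    table = parse_store(store_text)
    if key not in table:
        raise KeyError("no passphrase for %s %s" % key)
    return table[key]


def main(argv=None, store_path=STORE_PATH):
    """Exit 0 with the passphrase on stdout, or non-zero with the reason on stderr."""
    argv = sys.argv[1:] if argv is None else argv
    try:
        check_store_permissions(store_path)
        with open(store_path) as f:
            passphrase = lookup_passphrase(argv, f.read())
    except (OSError, ValueError, KeyError) as e:
        # stdout must carry nothing but the passphrase, so diagnostics go to stderr.
        sys.stderr.write("sslpassphrase: %s\n" % e)
        return 1
    sys.stdout.write(passphrase + "\n")
    return 0


def demo(mode=0o600):
    """Self-contained run against a constructed store in a temp dir.
    Returns main()'s exit status: 0 with a 0600 store, 1 if the store is too open."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "store")
        with open(path, "w") as f:
            f.write("# constructed sample store\ncal.example.org:8443 RSA hunter2\n")
        os.chmod(path, mode)
        return main(["cal.example.org:8443", "RSA"], store_path=path)


if __name__ == "__main__":
    sys.exit(main())
```

Pointing caldavd.plist's SSLPassPhraseDialog at a script like this would satisfy the no-tty constraint Morgen raises; whether that is better than a stripped key depends on who else can read the store file, which is exactly what check_store_permissions enforces.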

On Apr 4, 2013, at 11:52 PM, Fredrik Unger <fred at tree.se> wrote:

> Hi,
> 
> 
> 
>> I also tried the certificates with Apache - it works. However, when
>> starting Apache, I was prompted for caldav-server.key's password.
>> Maybe that is causing problems for twisted? If so, how could I create
>> a passwordless key, if possible?
> 
> Yes, I think you have to strip the password from the key.
> 
> I had to do it for older versions, and if that has changed let me know.
> 
> I made an attempt to add
> http://docs.python.org/2/library/getpass.html to read the passphrase for
> the key, but it had some problems, probably because I was not sure about
> what the different processes did at the time, and how they communicated.
> Some day I might try again.
> 
> 
> This is how to strip it :
> 
> openssl rsa -in filename.key -out filename.key.nopass
> 
> It is not optimal, and it makes me cringe every time an application makes me do this. Exim does it too.
> 
> Luckily I am not running some important calendarserver so I can live with it for now.
> 
> 
> /Fred
> _______________________________________________
> calendarserver-users mailing list
> calendarserver-users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/calendarserver-users
