[CalendarServer-users] Exception thrown when using chained certificates
Morgen Sagen
sagen at apple.com
Fri Apr 5 10:33:43 PDT 2013
Calendar server uses a couple different mechanisms to acquire a certificate's passphrase:
1) It will run the program specified in caldavd.plist "SSLCertAdmin", which defaults to /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin on OS X Server. It passes "--get-private-key-passphrase /path/to/private.key" to that program which returns the passphrase on stdout.
2) It will run the program specified in caldavd.plist "SSLPassPhraseDialog", which defaults to /etc/apache2/getsslpassphrase. It determines whether the key type is DSA or RSA, and then <serverhostname>:<port> <keytype> to that program which returns the passphrase on stdout.
You could try configuring the SSLPassPhraseDialog key to an appropriate program on your system. The problem is I don't know if this will work if the program you specify needs to interact with a tty to prompt for the passphrase because the calendar server worker processes don't have a tty as far as I know.
~morgen
On Apr 4, 2013, at 11:52 PM, Fredrik Unger <fred at tree.se> wrote:
> Hi,
>
>
>
>> I also tried the certificates with Apache - it works. However, when
>> starting Apache, I was prompted for caldav-server.key's password.
>> Maybe that is causing problems for twisted? If so, how could I create
>> a passwordless key, if possible?
>
> Yes, I think you have to strip the password from the key.
>
> I had to do it for older versions, and if that has changed let me know.
>
> I did some attempt to add
> http://docs.python.org/2/library/getpass.html to read the passphrase for the key, but it had some problems, probably because I was not
> sure about what the different processes did at the time, and how they
> communicated. Some day I might try again.
>
>
> This is how to strip it :
>
> openssl rsa -in filename.key -out filename.key.nopass
>
> It is not optimal, and it makes me cringe everytime an application makes me do this.. Exim does it to.
>
> Luckilly I am not running some important calendarserver so I can live with it for now.
>
>
> /Fred
> _______________________________________________
> calendarserver-users mailing list
> calendarserver-users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/calendarserver-users
More information about the calendarserver-users
mailing list