Never having done a an SSL update for a Linux based Apache web server I approached this with some trepidation. It’s quite different from an IIS 6 update of which I’ve done many.
Complicating matters, Linux setups can vary from flavor to flavor. I was blessed with what seems to be a version that has the least amount usage in the wild, Gentoo.
The position that I’ve taken is in an office where the previous IT personnel had a huge disdain for any GUI management system that might make this process easier for someone coming in after them.
The biggest fear factor was that the SSL might have a passphrase that would be needed after restarting Apache. This might not only effect the site I was updating but any number of other sites with SSLs that might have the
Since this was a GoDaddy SSL I started out with the basics from the GoDaddy website
The gist of this was that I needed to swap out three files that were in /etc/apache2/ssl with the new files. That being the CRT, KEY and Intermediate CRT. I also wanted to copy the old files to another directory should I encounter any problems, I would have a fall back plan.
I checked the /etc/apache2/vhosts.d directory where the configuration files for the web site resided to verify that path and the file names that it would be expecting. I had to rename the intermediary file to match the one in the config.
About the passphrase. I found this article that explained the procedure to remove a passphrase from a SSL key file. As I found out later the other passphrase on the key files on this server had also been removed because when I restarted the Apache I did not get any prompts for them. Not having knowledge ahead of time if they did or didn’t have a passphrase set and if they did only being able to guess at what it might be this was a great relief. I used a number of websites to research using the openssl tool to remove the passphrase. I followed this one.
Specifically I used there model as shown only changing the name of the paths and files as needed.
Stripping the passphrase in a key to a new file.
openssl rsa -in /etc/httpd/conf/ssh.key/www.domain.com.key.2009 -out /etc/httpd/conf/ssh.key/www.domain.com.key.2009.no_password
Moving the original key file to a backup location
mv /etc/httpd/conf/ssh.key/www.domain.com.key.2009 /etc/httpd/conf/ssh.key/www.domain.com.key.2009.needs_password
Renaming the passphrase stripped key file
mv /etc/httpd/conf/ssh.key/www.domain.com.key.2009.no_password /etc/httpd/conf/ssh.key/www.domain.com.key.2009
I did this all in a staging area and not the actual path.
I also used the key and CRT check commands to verify that my file group was matched.
openssl rsa -noout -modulus -in /etc/httpd/conf/ssl.key/www.example.com.key.2009 | openssl md5
openssl x509 -noout -modulus -in /etc/httpd/conf/ssl.crt/www.example.com.crt.2009 | openssl md5
With all my files in order in my staging directory and the previous SSL files copied into a backup directory I copied my new ones into the working SSL directory.
I used the advise of this site that suggested running a configtest ahead of doing the restart.
# test the configuration first!!
root# /etc/init.d/apache2 configtest
It checked out ok so I then ran the restart.
if the configuration is ok then restart apache
root# /etc/init.d/apache2 restart
Everything worked!!! No passphrase prompts on restart!!!