Topic: Removing a passphrase from SSL?

[Dave Owen]

Well, I'm officially an idiot. I'm away from the server location (running 5.5 right now, with public FTP and ssh off until I have time to upgrade) and needed to FTP a file, so I was talking someone else through a temporary activation of user FTP access via the SME web panel -- and on save, the http server hung.

So I sent the person in through ssh, and had them manually attempt to restart the http server (all other services are still running), but they need to enter the SSL passphrase -- and it's been so long (there's a downside to long uptime, it seems) that I forgot the passphrase.

Currently my apache server isn't running, and I can't drop in through ssh because (1) public ssh access is disabled, and (2) the person at the server can't activate ssh public access because the web panel is down.

What I'd like to do is walk them through removal of the passphrase so that they can restart apache and give me temporary ssh access, so that I can fix the other stuff. Does anyone know how to do this on e-smith 5.5?

I have non-e-smith-specific instructions, incidentally, but this person isn't being very patient, and they aren't willing/able to play around and try different things with me talking them through it over the phone.

Any help would be appreciated ... and since I'm stuck at work until at least 4 this morning, don't think a late-night suggestion would be a waste of time.

Thanks in advance.

[Ray Mitchell]

Does this help (from a previous post)
Regs
Ray


Re: help !!!!!!lost root password o SME 5.5
Author: Rob Wellesley (rob_AT_winux.co.nz)
Date:   10-09-02 18:43
http://www.e-smith.org/bboard//read.php?f=1&i=19891&t=19762


Rob Wellesley wrote:
>
A whole lot of rubbish - he should have read the next post ! Silly me!

do this -
hit CTL-X when the esmith graphic comes up at boot-time. This puts it into lilo text input mode.
Type:

esmith single

This boots e-smith into single user mode.
This logs you on without a root password but with SU powers!
Now type

passwd root

Now enter the new root password and confirm.
Then type

init 7

[Robert L. Baer]

Hi Dave,

as far as I know, there is no way to remove the passphrase, since it is part of the certificate.
You have to create or apply for a new certificate and then better write it down.
There is no immediate need anyway, since ssh access can be enabled over the command line. So let the person on the console execute the following commands. (He or she needs root access to do that)

/sbin/e-smith/db configuration setprop sshd status enabled
/sbin/e-smith/db configuration setprop sshd access public
/sbin/e-smith/db configuration setprop sshd PermitRootLogin yes
/sbin/e-smith/db configuration setprop sshd PasswordAuthentication yes
/sbin/e-smith/signal-event remoteaccess-update

After that, you should have ssh access and can fix the certificate issue. Probably by renaming the two files

/home/e-smith/ssl.key/secure.yourdomain.tld.key
/home/e-smith/ssl.crt/secure.yourdomain.tld.crt

or moving them elsewhere you will be able to restart httpd

Hope this helps

Robert

[Charlie Brady]

Robert L. Baer wrote:

> as far as I know, there is no way to remove the passphrase,
> since it is part of the certificate.

An unmodified SME server has only a self-signed certificate without a passphrase. And you can generate a new one of those by doing:

rm /home/e-smith/ssl.*/*
/sbin/e-smith/signal-event ldap-update

Charlie

[Dan Brown]

...and if he does have a passphrase set up for the SSL key, it probably means he's got a custom certificate of some sort.  I'm 99% sure there's a way to decrypt the SSL key (which is where this issue is coming from) without tossing the whole cert, but I don't know openssl well enough to say how to do it.

[Robert L. Baer]

A  search in google revealed, that it is possible to remove the passphrase by issuing

openssl rsa -in  keywithpassphrase.key -out keywithoutpassphrase.key

but you will need to enter the passphrase to do do. Which means, in Daves case it doesn't really help.

Charlies suggestion to create a new self signed certificate is at least a way to access server manager remotely, since this requires ssl.  If there is a paid for certificate, I would move it out of the way first.

Robert

[Dave Owen]

Thank you all for your help. I ended up working a 26-hour day (I kid you not, without so much as a nap), came home about an hour ago, and suddenly my sleepy, sleepy brain remembered the passphrase. Which I will now be writing down.

Thanks again!

-Dave