Environment
Situation
If support of TLS version 1.2 is a requirement for secure HTTP connections, then mod_nss can be installed, enabled and configured with Apache2 to meet the security requirement.
The documentation at https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_apache2_nss.html and the file /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt describe that te perl script /usr/sbin/mod_nss_migrate.pl can be used for conversion of SSL certificates to mod_nss certificate storage.
The documentation at https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_apache2_modules.html clearly describes how to install and enable Apache2 modules like mod_nss. Please make sure you follow this documentation to install and enable mod_nss before you proceed with the conversion.
The purpose of this document is to explain how you can use the script mod_nss_migrate.pl to convert your Apache2 mod_ssl configuration to mod_nss configuration.
Resolution
When you run /usr/sbin/mod_nss_migrate.pl without arguments, it returns the following details about the usage:
"
Usage: mod_nss_migrate.pl [-c] -r <mod_ssl input file> -w <mod_nss output file>
-c converts the certificates
This conversion script is not aware of apache's configuration blocks
and nestable conditional directives. Please check the output of the
conversion and adjust manually if necessary!
"
The <mod_ssl input file> is your Apache2 configuration file, where you have configured the SSL directives for secure HTTP per mod_ssl. Usually this configuration file exists in /etc/apache2/vhosts.d and often it is called /etc/apache2/vhosts.d/vhost-ssl.conf, which usually is a customized copy of /etc/apache2/vhosts.d/vhost-ssl.template.
If you are not sure which Apache2 configuration file contains the mod_ssl directives, you can create a shell script with a contents like the following:
#! /bin/bash
OLDIFS=$IFS
IFS=$'\n'
if test -e /tmp/httpd-parse-list; then
/bin/rm -rf /tmp/httpd-parse-list
fi
STARTFILE="/etc/apache2/httpd.conf"
DIRECTIVE="SSLCertificateFile"
/bin/cat "$STARTFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep '^Include' > /tmp/httpd-parse-list
/bin/cat "$STARTFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep "$DIRECTIVE" > /dev/null 2>&1
if test $? -eq 0; then
/bin/echo $STARTFILE
fi
while read i; do
NEXTFILE="`/bin/echo $i | /usr/bin/cut -d " " -f 2-`"
if test "`/bin/echo "$NEXTFILE" | /usr/bin/grep -o '\*'`" = "*"; then
NEXTFILE=`/bin/echo "$NEXTFILE" | /usr/bin/sed 's/ /\\ /g'`
/bin/ls -1 $NEXTFILE > /dev/null 2>&1
if test $? -eq 0; then
for LSFILE in `/bin/ls -1 $NEXTFILE`; do
/bin/cat "$LSFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep '^Include\ ' >> /tmp/httpd-parse-list
/bin/cat "$LSFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep "$DIRECTIVE" > /dev/null 2>&1
if test $? -eq 0; then
/bin/echo $LSFILE
fi
done
fi
else
if test -f "$NEXTFILE"; then
/bin/cat "$NEXTFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep '^Include\ ' >> /tmp/httpd-parse-list
/bin/cat "$NEXTFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep "$DIRECTIVE" > /dev/null 2>&1
if test $? -eq 0; then
/bin/echo $NEXTFILE
fi
else
if test -d "$NEXTFILE"; then
for ENTRYFILE in `/usr/bin/find "$NEXTFILE" -type f`; do
/bin/cat "$ENTRYFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep '^Include\ ' >> /tmp/httpd-parse-list
/bin/cat "$ENTRYFILE" | /usr/bin/sed 's/\t/ /g' | /usr/bin/tr -s [:blank:] | /usr/bin/sed 's/^ //' | /usr/bin/grep "$DIRECTIVE" > /dev/null 2>&1
if test $? -eq 0; then
/bin/echo $NEXTFILE
fi
done
fi
fi
fi
done < /tmp/httpd-parse-list
IFS=$OLDIFS
Please make sure that the "STARTFILE" variable in the header of the shell script references the same file as the configuration file referenced by the -f option that you see when you enter the following command at the shell of your Apache2 server as user root:
# ps -C httpd2-prefork h -o cmd | uniq
You also must make sure the shell script is executable before you run it, for example, if you created a script called /tmp/parse-apache2-config.sh, you can make it executable per:
# chmod 755 /tmp/parse-apache2-config.sh
When you run the script as user root, it should list the Apache2 configuration file(s) that contain(s) the directive "SSLCertificateFile" on the screen.
You can use the listed configuration file as <mod_ssl input file>. If the script finds more than one Apache2 configuration file, then please inspect the configuration files before you choose one that you want to convert to a mod_nss configuration file.
The <mod_nss output file> must not exist yet and recommended is to put it in the same subdirectory as the Apache2 configuration file that you use as <mod_ssl input file>.
For example, the following command converts /etc/apache2/vhosts.d/vhost-ssl.conf to /etc/apache2/vhosts.d/vhost-nss-from-ssl.disabled and stores the certificate and private key that are referenced by the SSLCertificateFile and SSLCertificateKeyFile directives in the NSS certificate database:
# /usr/sbin/mod_nss_migrate.pl -c -r /etc/apache2/vhosts.d/vhost-ssl.conf -w /etc/apache2/vhosts.d/vhost-nss-from-ssl.disabled
The following prompt will be displayed:
"
Creating NSS certificate database.
Enter Password or Pin for "NSS Certificate DB":
"
If you don't type a password and just hit the [ENTER]-key on this question, then it will prompt for a new password of the NSS certificate database. Please use password "foo" (without quotes) during the conversion. You can change the password later.
/usr/sbin/mod_nss_migrate.pl should complete without further prompts from here.
Once /usr/sbin/mod_nss_migrate.pl has completed, it has created a new NSS certificate database in /etc/apache2/mod_nss.d and the <mod_nss output file>.
If you want to change the password of the NSS certificate database, you can enter the following command:
# certutil -W -d /etc/apache2/mod_nss.d
It will first prompt you for the current password ("foo"), then you can enter and re-enter the new password.
Once you have set the new password, you have the following options for how to start Apache2:
1) 'Manual' startup: Apache2 will not start successfully during the boot sequence per /etc/init.d/apache2 startup script and you cannot use "/etc/init.d/apache2 start" or "rcapache2 start" to start it. Default command and arguments for starting Apache2 is:
# /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
You can enter the NSS certificate database password when it prompts you for it.
2) 'Automatic' startup: Apache2 will start successfully during the boot sequence per /etc/init.d/apache2 startup script and you can use "/etc/init.d/apsche2 start" or "rcapache2 start" to start it.
For 'automatic' startup you will need to configure the "NSSPassPhraseDialog" directive in the <nss_mod output file> that has been generated by /usr/sbin/mod_nss_migrate.pl.
First create a password cache file (clear-text) for token "internal". For example, if the NSS certificate database password is "secret", then you can create a password cache file called "nsspwd" the following way:
# echo "internal:secret" > etc/apache2/vhosts.d/nsspwd
And then append the "NSSPassPhraseDialog" directive to the <mod_nss output file>, for example:
# echo "NSSPassPhraseDialog file:/etc/apache2/vhosts.d/nsspwd" >> /etc/apache2/vhosts.d/vhost-nss-from-ssl.disabled
Now you are ready to test your nss_mod configuration.
If the <mod_ssl input file> was explicitly included by another Apache2 configuration file, then you will need to change the "Include" directive to reference the new <mod_nss output file> instead of the old <mod_ssl input file>.
If the <mod_ssl input file> was in a subdirectory included by another Apache2 configuration file, then you will need to rename it or move it to another subdirectory that is not included by another Apache configuration file.
The shell script of which you can find the contents above creates a file called /tmp/httpd-parse-list, which contains all "Include" directives from all Apache2 configuration files. The contents of /tmp/httpd-parse-list can help you find out if the <mod_ssl input file> is explicitly included or resides in an included subdirectory.
In case you have a default configuration and followed the instructions of this document by the example, you would enter:
# mv /etc/apache2/vhosts.d/vhost-ssl.conf /etc/apache2/vhosts.d/vhost-ssl.disabled
# mv /etc/apache2/vhosts.d/vhost-nss-from-ssl.disabled /etc/apache2/vhosts.d/vhost-nss-from-ssl.conf
Restart apache2 to take the changes into effect.
Manual:
# rcapache2 stop
# for i in `pidofproc httpd2-prefork`; do kill -15 $i; done; sleep 10; for i in `pidofproc httpd2-prefork`; do kill -9 $i; done
# /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DSSL
Automatic:
# rcapache2 restart