Failures caused by logrotate on Apache 2 with passphrase protected SSL key

Question

I have an Apache 2 installation on Debian with mod_ssl installed. The server private key is protected by a passphase that needs to be entered on start-up. The error and access logs are subject to logrotate on a weekly basis. I find that Apache crashes with a passphrase-related error shortly after logrotate runs.

I understand that logrotate fires a SIGHUP to Apache after archiving logs and I suspect this is causing a reload and subsequent failure getting the passphrase for the server key.

Well, enough with my theories, here is the question:

Is there a "best practice" way in which to configure Apache to allow its SSL server keys to be protected by a passphrase (without storing that passphrase in a file somewhere) so that it won't crash when logrotate runs?

It is fine to require user input on server startup, but not restart or reload.

Answer 1

One option is to use Apache's provided log rotation tool. Its configured a bit differently than the system logrotate, but as it works with pipes, can move files around without an Apache restart.

Answer 2

You could use Cronolog, which does not require a sighup. Here's an example:

CustomLog "| /usr/sbin/cronolog /pathtologs/%Y_%m/sitename.com-%Y%m%d.log" combined

Answer 3

you can also turn off the passphrase by using the following command:

openssl rsa -in example.tld.key -out example.tld.key