Init: SSLPassPhraseDialog builtin is not supported on Win32

Generating a self-signed SSL certificate on Windows
SSL (Secure Socket Layer) is used for encryption and decryption, processing of S/MIME signed or encrypted mails, generation of certificates and more. To use it on Windows (32- and 64-bit versions), download the OpenSSL tools from code.google.com/p/openssl-for-windows/downloads/list (the Apache Windows installer also comes in a build that bundles OpenSSL).
Uncompress it anywhere you like and start it by double-clicking the openssl.exe executable in the \bin folder.

If you create files with OpenSSL, they will appear in the \bin directory by default.
To create a self-signed SSL certificate, you first need a key. Create it like this:
openssl genrsa -des3 -out server.key 4096
Type in the passphrase you want for the key and confirm it. Next, you need a certificate request. Create it as follows and give the path to the config file in the -config option (it should be in the directory where you unpacked the files to):
openssl req -config C:\path\to\openssl.cnf -new -key server.key -out server.csr
Next, sign the certificate request:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The -days option specifies how long the certificate will be valid – mine will be for one year. Now you have a signed certificate.

Problem:

Upon Apache startup with SSL, the log shows the following error:

[error] Init: SSLPassPhraseDialog builtin is not supported on Win32.

SSLPassPhraseDialog is a directive within the Apache httpd.conf or ssl.conf that is not supported on Windows.

Resolution:

Remove the encryption from the RSA private key (while preserving the original file).
Comment out SSLPassPhraseDialog in the appropriate Apache conf file by putting a # in front of the directive.

1. Make a copy of the private key and call it “server.key.org”
2. Use the OpenSSL command to remove the passphrase, as follows:
openssl rsa -in server.key.org -out server.key
server.key will be your new private key with the passphrase removed.

3. Move this new key to the same path as where your original was kept. Verify that the directive called “SSLCertificateKeyFile” in your apache config file points to the new private key.
4. Find the directive “SSLPassPhraseDialog” and put a # in front to comment out the line.

Concrete steps:
D:\Apache\bin>openssl genrsa -des3 -out server.key 4096
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
..........................++
................................................................................
......++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

D:\Apache\bin>openssl req -config D:\Apache\conf\openssl.cnf -new -key server.key -out server.csr
Enter pass phrase for server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:FJ
Locality Name (eg, city) []:XM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2mysite.net
Organizational Unit Name (eg, section) []:DevOps
Common Name (e.g. server FQDN or YOUR name) []:shane
Email Address []:admin@2mysite.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:517sou

D:\Apache\bin>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=2mysite.net/OU=DevOps/CN=shane/emailAddress=admin@2mysite.net

Getting Private key
Enter pass phrase for server.key:

D:\Apache\bin>httpd.exe -t
Syntax error on line 56 of D:/Apache/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module
not included in the server configuration

D:\Apache\bin>httpd.exe -k restart
Syntax error on line 56 of D:/Apache/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module
not included in the server configuration

D:\Apache\bin>openssl rsa -in server.key -out server1.key
Enter pass phrase for server.key:
writing RSA key

D:\Apache\bin>httpd.exe -t
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 192.168.133.250 for ServerName
Syntax OK

Configuration notes:
In httpd.conf, remove the leading comment character (#) from these two lines:
LoadModule ssl_module modules/mod_ssl.so   (otherwise you may get the error described in Q&A item 1)
Include conf/extra/httpd-ssl.conf
The above was tested on httpd-2.2.22/25 builds with OpenSSL.

Q&A
1. Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration
That is because mod_ssl has not been loaded. To fix the error, add this line to httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
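The resolution steps and the Q&A item above describe three separate conditions that produce the quoted startup errors: mod_ssl not loaded, SSLPassPhraseDialog left active on Win32, and a passphrase-protected key. The following pre-flight check, added here as an illustration and not part of the original post or of Apache, detects all three from the config text and the PEM key before httpd is restarted; the config fragments and PEM headers it uses are constructed samples.

```python
"""Pre-flight lint for the Windows Apache + mod_ssl pitfalls this page describes.
All sample inputs are constructed; read real files into the same functions to check a live install."""

# Constructed sample: a key written by `openssl genrsa -des3` carries these headers.
ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

...base64 body omitted in this constructed sample...
-----END RSA PRIVATE KEY-----
"""
# Constructed sample: the same key after `openssl rsa -in server.key.org -out server.key`.
PLAIN_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\n...omitted...\n-----END RSA PRIVATE KEY-----\n"

# Constructed config fragments reproducing the broken and the fixed states.
BROKEN_HTTPD_CONF = "#LoadModule ssl_module modules/mod_ssl.so\nInclude conf/extra/httpd-ssl.conf\n"
FIXED_HTTPD_CONF = "LoadModule ssl_module modules/mod_ssl.so\nInclude conf/extra/httpd-ssl.conf\n"
BROKEN_SSL_CONF = "SSLPassPhraseDialog builtin\nSSLCertificateKeyFile conf/server.key\n"
FIXED_SSL_CONF = "#SSLPassPhraseDialog builtin\nSSLCertificateKeyFile conf/server.key\n"


def directive_active(conf_text: str, directive: str) -> bool:
    """True if `directive` (name plus any leading args) is on an uncommented line."""
    want = directive.split()
    for line in conf_text.splitlines():
        tokens = line.strip().split()
        if tokens and not tokens[0].startswith("#") and tokens[:len(want)] == want:
            return True
    return False


def key_is_encrypted(pem_text: str) -> bool:
    """True if Apache would need a passphrase (the builtin dialog) to load this key."""
    # Traditional OpenSSL PEM marks encryption with Proc-Type/DEK-Info headers;
    # PKCS#8 encrypted keys use a distinct BEGIN line instead.
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def lint_win32_ssl(httpd_conf: str, ssl_conf: str, key_pem: str) -> list:
    """Return the problems that surface as the log errors quoted on this page."""
    problems = []
    if not directive_active(httpd_conf, "LoadModule ssl_module"):
        problems.append("mod_ssl not loaded: SSL directives become 'Invalid command'")
    if directive_active(ssl_conf, "SSLPassPhraseDialog"):
        problems.append("SSLPassPhraseDialog set: builtin dialog is not supported on Win32")
    if key_is_encrypted(key_pem):
        # Caveat: the stripped key is plaintext on disk; restrict its NTFS ACL
        # to the account httpd runs as.
        problems.append("private key is passphrase-protected: strip it with 'openssl rsa'")
    return problems
```

Run `lint_win32_ssl` on the broken samples and it reports all three problems; on the fixed samples it returns an empty list.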
