I installed varnish as a cache frontend for my apache web server a few weeks ago. In the process, I changed apache's listening address from my public IP to localhost. But I was still using apache for my https sites (webmail and a few other virtual hosts). Today, I set up pound as an SSL reverse proxy for apache and completely removed mod_ssl from my apache configuration.

Even though pound is easy to set up, there is one pain point in this kind of migration: apache is able to run an external command to obtain the passphrase that unlocks the SSL private key, and pound is not capable of that.

Pound won't start if the SSL key is protected by a passphrase. Thus, during the migration, one needs to remove the passphrase from the private key before starting pound. Needless to say, the unencrypted private key must then be properly protected: owned by root, mode 0600, and readable by nobody else, since anyone who can read that file can impersonate your sites.

If you're using tinyca to manage your certificates, here is how to get rid of the passphrase:

  • Do not forget to backup tinyCA data before doing any changes!

  • Find the private key file. It should be in the ~/.tinyCA/SITE/keys directory. Filenames are base64-encoded; ls | perl -MMIME::Base64 -ne 'print decode_base64($_), "\n"' will display them in human-readable form, one per line.

  • Remove the passphrase with openssl rsa -in INPUT_FILE -out OUTPUT (note the option is -out, not -o). You will be prompted for the current passphrase. Run umask 077 first so that the new file is created readable by you only.

  • Check the new file with openssl rsa -check -noout -in OUTPUT; it must print "RSA key ok" without asking for a passphrase.

  • Replace the old file with the new key.
  • Start tinyca2 and reexport the certificate and the private key.
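As an added example (not code from the original post, nor from tinyca or pound), here is a small POSIX sh script that automates the steps above: it decodes tinyca's base64 filenames, strips the passphrase without putting it on the command line, creates the unencrypted copy with mode 0600 and refuses to continue if the result still looks encrypted or would overwrite an existing file. The function names, the PASSIN variable and the use of base64(1) in place of the perl one-liner are my assumptions; it needs openssl and a coreutils-style base64 on PATH.

```shell
#!/bin/sh
# Added helper script (hypothetical, not part of the original post, tinyca
# or pound). Assumes POSIX sh, openssl(1) and base64(1) on PATH.
set -eu

# list_tinyca_keys KEYS_DIR
# Print each file in a tinyca keys directory next to its decoded name,
# since tinyca stores keys under base64-encoded filenames.
list_tinyca_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s -> %s\n' "$(basename "$f")" "$(basename "$f" | base64 -d)"
    done
}

# strip_passphrase ENCRYPTED_KEY OUTPUT_KEY
# Write an unencrypted copy of ENCRYPTED_KEY to OUTPUT_KEY. The passphrase
# is read from the terminal unless PASSIN is set to an openssl -passin
# source (e.g. PASSIN=env:KEY_PASSPHRASE), so it never appears in argv or
# in the shell history. The copy is created 0600 and verified before we
# return; any failure leaves the original untouched.
strip_passphrase() {
    in=$1
    out=$2
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    # umask in a subshell so the caller's umask is untouched; the new file
    # is created rw------- because it now holds the bare private key.
    if [ -n "${PASSIN:-}" ]; then
        ( umask 077; openssl rsa -in "$in" -passin "$PASSIN" -out "$out" )
    else
        ( umask 077; openssl rsa -in "$in" -out "$out" )
    fi
    # The key must still be internally consistent (p, q, d and e agree)...
    openssl rsa -check -noout -in "$out" >/dev/null
    # ...and no PEM encryption marker may remain ("Proc-Type: 4,ENCRYPTED"
    # for traditional keys, "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8),
    # otherwise pound would still be unable to load it.
    if grep -q ENCRYPTED "$out"; then
        echo "$out still looks encrypted, not using it" >&2
        return 1
    fi
}

# Usage (interactive, prompts for the passphrase):
#   list_tinyca_keys ~/.tinyCA/SITE/keys
#   strip_passphrase ~/.tinyCA/SITE/keys/<encoded-name> /etc/pound/site.key
```

The script never prints or logs the passphrase, and the `-passin` source is only there for non-interactive use (for example `env:` from a file read with `read -r`); on a workstation, letting openssl prompt on the terminal is the simplest safe choice.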