Nginx failing to ask for PEM SSL key password
nginx-forum at nginx.us
Tue Nov 17 20:13:46 UTC 2015
== CONTEXT ==
nginx version: nginx/1.6.2
Linux - 2.6.32-042stab111.11 #1 SMP Tue Sep 1 18:19:12 MSK 2015 x86_64
While starting/restarting nginx with "service nginx start", no password is
asked on the terminal and nginx fails to start.
By checking journalctl, I receive the following error:
nov. 17 ... systemd: Failed to reset devices.list on
nov. 17 ... nginx: Enter PEM pass phrase:
nov. 17 ... nginx: nginx: [emerg]
SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mykeycert") failed (SSL:
error:0906406D:PEM routines:PEM_def_callback:problems getting password
nov. 17 ... nginx: nginx: configuration file /etc/nginx/nginx.conf
nov. 17 ... systemd: nginx.service: control process exited, code=exited
nov. 17 ... systemd: Failed to start A high performance web server and a
The log files say that a PEM pass phrase has been asked for, but that is not
the case; nothing can be read from the terminal.
Please note that:
- the nginx server starts correctly from the command line (#nginx ), not using
the service. The SSL configuration (like file locations and permissions)
therefore seems correct. The password is, that way, asked on the terminal.
- when doing the same SSL configuration with Apache2, the password is
properly requested when starting/restarting the Apache2 server with "service apache2
== Problem and Question ==
1) I am not about to remove the password of a cert key, since it's usually a
bad security practice (if the server gets compromised, the cert will
have to be revoked, etc.).
On top of that, as explained, I never had problems on Apache2 using a
password-protected key cert file. When I run the Apache service, the password
is properly asked for. I cannot consider the solution of removing the password
when other solutions work properly.
I also checked the ssl_password_file proposal. Storing the password in that way
would set the security system as if no password was set on the key cert
file. Therefore, I can't follow that solution either.
2) What I fail to understand, whether it is a bug or a feature, is the
following: Nginx, when run from the command line, asks me for my cert key
password and runs correctly. Why can't this behaviour be applied to a service?
Asks for a password, runs webserver Nginx correctly. However:
# service nginx start
doesn't; the password is not asked on the terminal, producing the journalctl
output mentioned above. Why this difference in response? Why can't an
Apache2-like mechanism (that works in both situations) be introduced with Nginx?
Thank you in advance for your answer.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,262900,262900#msg-262900
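
An added example, not part of the original post and not nginx project code: a pre-flight check that tells an encrypted PEM key from a plaintext one by its armor lines, reports whether the current start has a terminal to prompt on, and recognises the failure string from the journal excerpt above. The function names and the tty/notty labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post). Names and labels are illustrative.

# Classify a PEM file by its armor lines only; no key material is parsed.
pem_key_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted            # PKCS#8 encrypted key
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted            # traditional OpenSSL format with a passphrase
    elif grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo nokey
    fi
}

# Report whether stdin is a terminal; by default a systemd service's stdin is not.
stdin_kind() { if [ -t 0 ]; then echo tty; else echo notty; fi; }

# $1 = key file, $2 = tty|notty. Says whether a start could obtain the passphrase.
startup_verdict() {
    case "$(pem_key_state "$1"):$2" in
        encrypted:tty)   echo "ok: passphrase will be prompted for" ;;
        encrypted:notty) echo "fail: encrypted key, no terminal to prompt on" ;;
        plaintext:*)     echo "ok: key has no passphrase" ;;
        *)               echo "fail: no private key found" ;;
    esac
}

# True when journal text on stdin carries the failure quoted in the post.
journal_has_passphrase_failure() {
    grep -q -F 'PEM_def_callback:problems getting password'
}

# Usage: sh check.sh /path/to/key   (check.sh is a hypothetical file name)
if [ $# -gt 0 ]; then
    startup_verdict "$1" "$(stdin_kind)"
fi
```

Run from an interactive shell it reports the tty case; run by the service manager it reports the notty case, which is the difference the post describes.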