Nginx failing to ask for PEM SSL key password

lakarjail nginx-forum at nginx.us
Tue Nov 17 20:13:46 UTC 2015 

== CONTEXT ==
nginx version: nginx/1.6.2
Linux - 2.6.32-042stab111.11 #1 SMP Tue Sep 1 18:19:12 MSK 2015 x86_64
GNU/Linux 


While starting/restarting nginx with "service nginx start", no password is
asked on the terminal and nginx fails to start.

By checking journalctl, I receive the following error :
---
nov. 17  ... systemd[1]: Failed to reset devices.list on
/system.slice/nginx.service: No 
nov. 17 ... nginx[1441]: Enter PEM pass phrase:
nov. 17  ... nginx[1441]: nginx: [emerg]
SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mykeycert") failed (SSL:
error:0906406D:PEM routines:PEM_def_callback:problems getting password
error:0906A
nov. 17 ... nginx[1441]: nginx: configuration file /etc/nginx/nginx.conf
test failed
nov. 17 ... systemd[1]: nginx.service: control process exited, code=exited
status=1
nov. 17 ... systemd[1]: Failed to start A high performance web server and a
revers
---
Log files says that a PEM pass phrase has been asked, but that is not the
case, nothing can be read from the terminal.


Please note that :

   - nginx server starts correctly in command line (#nginx ), not using
service. SSL configuration (like file locations and permissions seems
therefore correct). Password is -that way- asked on terminal.
   - when doing the same SSL configuration with Apache2, the password is
well required when starting/restarting Apache2 server with "service apache2
start". 



== Problem and Question ==


 1) I am not about to remove password of a cert key, since it's usually a
bad security practise (considering the server get compromised, the cert will
have to be revoked, etc.).
On top of that, as explained, I never had problems on Apache2 using a
password protected key Cert file. When I run Apache service, password is
well asked. I can not consider the solution of removing the password, when
other solutions work properly.
I also checked ssl_password_file proposal. Storing the password in that way
would set the security system as if no password was set on the key cert
file. Therefore, I can't -as well- follow that solution.

2) What I fail to understand, if it is a bug, or a feature is the following
: Nginx, when run as command line asks me for my cert key password and runs
correctly. Why this behaviour can't be applied on a service ?
The command:
---
# nginx
---
Asks for a password, runs webserver Nginx correctly. However :
---
# service nginx start
---
doesn't, password is not asked on terminal, producing the journalctl above
mentionned. Why this difference of response ? Why an Apache2-like (that
works in both situation) mechanism can't be introduced with Nginx ?

Thank you in advance for your answer.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,262900,262900#msg-262900

More information about the nginx mailing list