<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Aleks: Have you even read the 1st message from lakarjail?<br></div><div class="gmail_extra"><br><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">(s)he said (s)he had a look at it. It seems (s)he only wants interactive solutions with the password being written nowhere.<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Although the reasoning appears strange to me (someone needs to be there in case of an unexpected reload/restart; otherwise, as long as it is stored and extracted automatically, whatever storage solution is chosen, it ends up all the same to me), (s)he seems to know what (s)he wants.<br></div><div><div class="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Wed, Nov 18, 2015 at 11:02 PM, Aleksandar Lazic <span dir="ltr">&lt;<a href="mailto:al-nginx@none.at" target="_blank">al-nginx@none.at</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi.<br>
<br>
On 17-11-2015 21:13, lakarjail wrote:<br>
<br>
[snip]<div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Please note that:<br>
<br>
- nginx server starts correctly from the command line (# nginx), not using<br>
service. SSL configuration (like file locations and permissions) therefore<br>
seems correct. Password is -that way- asked on terminal.<br>
- when doing the same SSL configuration with Apache2, the password is<br>
indeed required when starting/restarting Apache2 server with "service apache2<br>
start".<br>
<br>
== Problem and Question ==<br>
<br>
<br>
1) I am not about to remove the password of a cert key, since it's usually a<br>
bad security practice (considering the server gets compromised, the cert will<br>
have to be revoked, etc.).<br>
On top of that, as explained, I never had problems on Apache2 using a<br>
password protected key Cert file. When I run the Apache service, the password is<br>
indeed asked for. I cannot consider the solution of removing the password, when<br>
other solutions work properly.<br>
I also checked ssl_password_file proposal. Storing the password in that way<br>
would set the security system as if no password was set on the key cert<br>
file. Therefore, I can't -as well- follow that solution.<br>
<br>
2) What I fail to understand, whether it is a bug or a feature, is the<br>
following: Nginx, when run from the command line, asks me for my cert key password and runs<br>
correctly. Why can't this behaviour be applied to a service?<br>
The command:<br>
---<br>
# nginx<br>
---<br>
Asks for a password, runs webserver Nginx correctly. However:<br>
---<br>
# service nginx start<br>
---<br>
doesn't; the password is not asked on the terminal, producing the journalctl<br>
mentioned above. Why this difference of response? Why can't an Apache2-like mechanism (that<br>
works in both situations) be introduced with Nginx?<br>
</blockquote>
<br></div></div>
Do you know this directive?<br>
<br>
<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_password_file" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_password_file</a><br>
<br>
Br Aleks<div class=""><div class="h5"><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div></div>