Nginx failing to ask for PEM SSL key password

Francis Daly francis at daoine.org
Wed Nov 18 15:40:51 UTC 2015


On Wed, Nov 18, 2015 at 09:31:36AM -0500, lakarjail wrote:
> Francis Daly Wrote:
> -------------------------------------------------------
> > On Wed, Nov 18, 2015 at 04:34:20AM -0500, lakarjail wrote:

Hi there,

I think I fail at reading comprehension :-(

> > I don't see how your system security is enhanced, if you do anything
> > other than manually type in the password each time it is needed.
> 
> That is exactly what I am looking for, I am not looking for another
> solution. I wish I could launch Nginx as a service and "manually" type in
> the password.
> 
> However the password requirement phase is not displayed using nginx debian
> service, though it is displayed with Apache service and its ssl_mod thanks
> to the method I was previously mentioning.

I had missed that:

* when you type "service apache2 start", you are challenged to enter
your passphrase.

Combining that with:

* when you type "service nginx start", you are not challenged to enter
your passphrase

then probably the useful thing to investigate is: what does "service
apache2" do different from "service nginx"?

Check the files that your "service" command runs in each case.

If you copy the apache ones and change the names to nginx-test, do things
work any better?

> a) I was just wondering (trying to understand) if there was any
> reason regarding why it doesn't work, and, in case was not implemented/made
> it available on purpose, why this option was chosen not to be implemented.

Right now, it is not clear to me what option is missing.

Apache SSLPassPhraseDialog defaults to "builtin", which is the same as
what nginx uses, I believe.

If you can show the service or configuration difference that allows
apache to work while nginx fails, then it will be a good starting point.

> b) I.e., in what way using the same kind of Apache SSLPassPhraseDialog (that
> force you to enter passphrase by hand, not storing any password on the local
> machine) would set the global certificate security level at same level than
> storing it in a file on the local machine (whatever permissions are set on
> this file).

If you are entering your apache passphrase by hand, then you avoid
storing it on the local machine.

"SSLPassPhraseDialog" is, as I understand it, more usually used when
you are *not* entering the passphrase by hand.

My mistake.

	f
-- 
Francis Daly        francis at daoine.org


