Nginx failing to ask for PEM SSL key password

Francis Daly francis at daoine.org
Wed Nov 18 18:51:35 UTC 2015


On Wed, Nov 18, 2015 at 03:40:51PM +0000, Francis Daly wrote:
> On Wed, Nov 18, 2015 at 09:31:36AM -0500, lakarjail wrote:
> > Francis Daly Wrote:
> > -------------------------------------------------------
> > > On Wed, Nov 18, 2015 at 04:34:20AM -0500, lakarjail wrote:

Hi there,

> > However the password requirement phase is not displayed using nginx debian
> > service, though it is displayed with Apache service and its ssl_mod thanks
> > to the method I was previously mentioning.

> > a) I was just wondering (trying to understand) if there was any
> > reason regarding why it doesn't work, and, in case it was not implemented/made
> > available on purpose, why this option was chosen not to be implemented.

> Apache SSLPassPhraseDialog defaults to "builtin", which is the same as
> what nginx uses, I believe.

A bit more googling suggests that perhaps your apache configuration uses
SSLPassPhraseDialog configured to exec the tool systemd-ask-password,
which is the thing that you type the passphrase into.

If so:

stock nginx does not support that.

There are three options I see that you could try.

* don't use stock nginx.

This could be "don't use nginx at all", or "use a patched version which
does let you exec() to find the passphrase".

* don't use systemd to launch nginx

Any "service" launcher is used because it brings some benefits. I
think that the main ones are: it runs as root, so you don't have to;
it auto-starts the service on boot or on demand; it auto-re-starts the
service if it exits uncleanly. There presumably are more benefits too,
which can be enumerated and considered.

Since you have to be there to type the password, numbers 2 and 3 do not
apply. And if you were happy to go this route, number 1 might be worked
around by other means such as sudo -- the details could be worked out
if you wanted this.

* write or use a wrapper script for nginx, which systemd can use

I do not know if this exists already. If it does, hurray. Basically, the
script would ask you for the password (or passwords, in sequence?) and
then feed them to nginx when requested.  I do not know if the architecture
of systemd and nginx makes this possible -- someone to whom it is
important would arrange that the testing happens.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
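
Added example, not part of the original message and not nginx project code: one possible shape for the wrapper script described in the third option, using nginx's `ssl_password_file` directive (nginx 1.7.3 and later). It assumes `ssl_password_file /run/nginx-keypass/pass;` in nginx.conf and nginx in its default daemon mode; the path, the script name `nginx-askpass` and the `PASS_DIR`/`ASK`/`NGINX` override variables are assumptions.

```shell
#!/bin/sh
# Added example: wrapper that prompts once and hands the passphrase to nginx
# through ssl_password_file. Paths and the script name are assumptions.
PASS_DIR="${PASS_DIR:-/run/nginx-keypass}"   # /run is tmpfs, so not on disk
ASK="${ASK:-systemd-ask-password}"           # prompt tool named in the thread
NGINX="${NGINX:-nginx}"

# Remove the staged passphrase file.
clear_passphrase() {
    rm -f "$PASS_DIR/pass"
}

# Prompt, then write the passphrase to an owner-only file.
# Returns non-zero if the prompt fails or the answer is empty.
stage_passphrase() {
    umask 077                                # new dir 0700, new file 0600
    mkdir -p "$PASS_DIR" || return 1
    clear_passphrase                         # never reuse a looser-mode file
    pass_value=$("$ASK" "Passphrase for the nginx TLS key:") || return 1
    [ -n "$pass_value" ] || return 1
    # printf is a builtin in dash and bash, so no argv carries the value
    printf '%s\n' "$pass_value" > "$PASS_DIR/pass" || return 1
    pass_value=
}

# Stage the passphrase, start nginx, and clear the file whatever happens.
# In daemon mode nginx has loaded its keys by the time the command returns.
start_nginx() {
    nginx_rc=0
    stage_passphrase || nginx_rc=1
    if [ "$nginx_rc" -eq 0 ]; then
        "$NGINX" "$@" || nginx_rc=$?
    fi
    clear_passphrase
    return "$nginx_rc"
}

# Run only when invoked under the assumed name, e.g. from ExecStart=.
case "${0##*/}" in
    nginx-askpass) start_nginx "$@" ;;
esac
```

A reload makes nginx read the key again, so the passphrase has to be staged again before reloading.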


