Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#1896 closed defect (wontfix)

SSL certificate password - startup

Reported by: terranova42@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.17.x
Keywords: Cc:
uname -a: windows 10 64 bits - Pro edition
nginx -V: NGNIX 1.17.6

Description

Hello,

I encounter what seems to be a bug on windows 10 with NGINX 1.3.9 and NGINX 1.17.6:
whan starting the server with a password - key certificate, the server stops after 5s.
when I remove the password (private key without password) - the server starts normally.
Maybe it is something i missed in the configuration file ? anyway I found no similar case on the internet.

Kind regards,

David

Change History (3)

comment:1 by Maxim Dounin, 7 months ago

Resolution: wontfix
Status: newclosed

On Windows there is no fork(), and hence nginx have to start worker processes from scratch. In particular, it has to parse configuration file again, and load certificate keys again. If keys are password protected, this means that the worker process won't be able to start, as it won't be able to obtain password, and default OpenSSL's key loading will wait trying to read it from nowhere, till killed by the master. In the error log you should see something like this:

2019/12/05 15:23:04 [alert] 5084#1016: the event "ngx_master_5084" was not signaled for 5s

If you want to use password-protected keys on Windows for some reason, try using ssl_password_file. Alternatively, consider removing password, it is as simple as openssl rsa -in <key> -out <key-without-password>.

comment:2 by terranova42@…, 7 months ago

Hello, thank you for your answer. It is ok that ssl_password file is an alternate solution for using password key certificate.
but it seems to me it is a limitation to nginx architecture and not to windows ...

what about how Apache HTTPD handles key protected files ?

Kind regards

in reply to:  2 comment:3 by Maxim Dounin, 7 months ago

Replying to terranova42@…:

Hello, thank you for your answer. It is ok that ssl_password file is an alternate solution for using password key certificate.
but it seems to me it is a limitation to nginx architecture and not to windows ...

This is an explanation why using password-protected SSL keys, which somehow works on various UNIX variants (again with limitations though, reloading configuration with password-protected SSL keys won't work even on UNIX, so you have to use ssl_password_file or remove password-protection anyway), does not work on Windows. While this can be seen as a limitation — either nginx limitation when running on Windows, or Windows limitation when being used as OS for nginx — it doesn't really matter. In either case, nginx is developed for UNIX, not for Windows, and running nginx on Windows is expected to have various limitations in all areas where Windows provide no corresponding functionality.

If you think that in nginx case it is possible to improve nginx behaviour on Windows with minimal impact on UNIX systems, submit a patch.

what about how Apache HTTPD handles key protected files ?

As for Apache, it simply refuses to start when given password-protected SSL keys:

[Thu Dec 05 22:25:16.177057 2019] [ssl:emerg] [pid 3796:tid 720] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file Z:/httpd/Apache24/conf/ssl/server.pwd.key)
[Thu Dec 05 22:25:16.196104 2019] [ssl:emerg] [pid 3796:tid 720] AH02312: Fatal error initialising mod_ssl, exiting.

While this behaviour is somewhat more explicit, it is hardly different.

Note: See TracTickets for help on using tickets.