Opened 11 years ago

Closed 10 years ago

#433 closed enhancement (fixed)

Systemd PasswordAgent Support for SSL Passphrases (http_ssl_module)

Reported by: Tim Heckman Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.3.x
Keywords: ssl passphrase, systemd Cc:
uname -a: Linux clu 3.9.3-x86_64-linode33 #1 SMP Mon May 20 10:22:57 EDT 2013 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.3
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/ --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-imap --with-imap_ssl_module --with-ipv6 --with-pcre-jit --with-file-aio --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_spdy_module --with-http_ssl_module --with-http_stub_status_module --with-http_addition_module --with-http_degradation_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_sub_module



I've recently started using a distribution which uses systemd as its init system. Unlike traditional init scripts, the services you are starting do not get a tty. In this case, you need some way to get the SSL certificate passphrase to nginx without being able to enter it on screen...even if you are starting the service while over an SSH connection.

Systemd has a PasswordAgent system that allows you to prompt for passwords. However, there really isn't a good way to get the input from the PasswordAgent in to nginx for the SSL certificate passphrase.

The workaround I came around with, which I feel dirty about, is that I had to avoid using systemd for nginx and wrote my own init script. Although, I don't run it at boot and will need to invoke it manually. It does appear that someone wrote a patch previously which may resolve this issue:

I'd much rather avoid having to rely on a third-party patch that may have a security issue, or may break in a future release of nginx.

While I know there is some concern with systemd, it looks like Debian is poised to use systemd for their next release. Would there be any possibility of some solution for using systemd and SSL passphrases in nginx?

I know nginx has different goals (as a project) compared to Apache, but it is worth noting that Apache does have a solution available in the form of the "SSLPassPhraseDialog" builtin from mod_ssl.


Change History (1)

comment:1 by Maxim Dounin, 10 years ago

Resolution: fixed
Status: newclosed

The 42114bf12da0 changeset, as available in recently released nginx 1.7.3, introduces the ssl_password_file directive, which can be used to provide certificate key passwords to nginx.

Note: See TracTickets for help on using tickets.