Systemd PasswordAgent Support for SSL Passphrases (http_ssl_module)
Reported by: Tim Heckman
Owned by:
Keywords: ssl passphrase, systemd
Cc:
uname -a: Linux clu 3.9.3-x86_64-linode33 #1 SMP Mon May 20 10:22:57 EDT 2013 x86_64 GNU/Linux
nginx version: nginx/1.4.3
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-imap --with-imap_ssl_module --with-ipv6 --with-pcre-jit --with-file-aio --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_spdy_module --with-http_ssl_module --with-http_stub_status_module --with-http_addition_module --with-http_degradation_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_sub_module
I've recently started using a distribution which uses systemd as its init system. Unlike traditional init scripts, the services you are starting do not get a tty. In this case, you need some way to get the SSL certificate passphrase to nginx without being able to enter it on screen, even if you are starting the service over an SSH connection.
Systemd has a PasswordAgent system that allows you to prompt for passwords. However, there really isn't a good way to get the input from the PasswordAgent into nginx for the SSL certificate passphrase.
The workaround I came up with, which I feel dirty about, is that I had to avoid using systemd for nginx and wrote my own init script. However, I don't run it at boot and need to invoke it manually. It does appear that someone wrote a patch previously which may resolve this issue:
I'd much rather avoid having to rely on a third-party patch that may have a security issue, or may break in a future release of nginx.
While I know there is some concern with systemd, it looks like Debian is poised to use systemd for their next release. Would there be any possibility of some solution for using systemd and SSL passphrases in nginx?
I know nginx has different goals (as a project) compared to Apache, but it is worth noting that Apache does have a solution available in the form of the "SSLPassPhraseDialog" builtin from mod_ssl.
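For readers unfamiliar with the PasswordAgent mechanism the ticket refers to, the following is an added illustration (not code from the ticket or from nginx) of the agent side of systemd's password-agent protocol: a requester writes an INI-style `ask.*` file under `/run/systemd/ask-password/`, and an agent answers by sending `+<secret>` (or `-` to cancel) as a datagram to the AF_UNIX socket named in that file. The sample request file and the `/run/systemd/ask-password/sck.1234` socket path are constructed for the example; parsing, expiry and reply encoding are testable offline, only `answer()` needs a live systemd.

```python
import configparser
import socket
import time

# Constructed sample of an ask.XXXX request file as systemd writes it.
# NotAfter is CLOCK_MONOTONIC microseconds; 0 means "no deadline".
SAMPLE_ASK = """[Ask]
PID=4242
Socket=/run/systemd/ask-password/sck.1234
AcceptCached=0
Echo=0
NotAfter=0
Message=Please enter passphrase for key /etc/nginx/ssl/example.key:
Icon=
"""


def parse_ask(text):
    """Parse the [Ask] section of a password request file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    ask = cp["Ask"]
    return {
        "pid": int(ask.get("PID", "0")),          # requester; stale if not alive
        "socket": ask["Socket"],                  # AF_UNIX datagram socket to reply on
        "echo": ask.get("Echo", "0") == "1",      # whether the prompt may echo input
        "not_after": int(ask.get("NotAfter", "0")),
        "message": ask.get("Message", ""),
    }


def is_expired(req, now_us=None):
    """A request with a NotAfter deadline in the past must not be answered."""
    if req["not_after"] == 0:
        return False
    if now_us is None:
        now_us = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
    return now_us >= req["not_after"]


def build_reply(passphrase):
    """'+' prefixes a supplied secret; a bare '-' tells the requester to give up."""
    if passphrase is None:
        return b"-"
    return b"+" + passphrase.encode()


def answer(req, passphrase):
    """Deliver the reply datagram to the requester's socket (needs a live systemd)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(build_reply(passphrase), req["socket"])
```

Real agents discover request files via inotify on the directory and should also ignore requests whose PID is no longer running.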