#574 closed enhancement (wontfix)
PEM pass phrase on conftest (and restart)
Reported by: | Michael Monreal | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-package | Version: | 1.5.x |
Keywords: | Cc: | ||
uname -a: | Linux server 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.6.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' |
Description
Running 'service nginx conftest' asks for the PEM pass phrase. This has some value I guess, but after having it check the certs once (and you did not change anything regarding certs) having to enter the pass phrase over and over is just very tedious.
This also affects the "restart" action, which runs "configtest -q; stop; start". In my case, I have to enter the pass phrase _6_ times (three virtual servers, each asking for the pass on configtest and again on start).
I propose not to check the cert on conftest by default and use this for "restart". The "restart" should always be "stop; start" and if you run these manually there is no configtest as well. Maybe define something like "conftest -c" to get the old behavior for people who would like the cert to be checked as well.
Change History (2)
comment:1 by , 11 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 11 years ago
Well, this is not useful advice. There is a reason why people store encrypted keys.
If you aren't happy with passwords being asked, consider removing them using `openssl rsa -in key.pem -out keyout.pem`.
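Added example, not part of the ticket or of nginx: a shell check that classifies PEM key files as pass-phrase-protected (the case where nginx prompts, as described in the ticket) or plaintext, and flags plaintext keys, such as a `keyout.pem` written by the `openssl rsa` command above, whose file mode lets group or other read them. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): tell which PEM keys make nginx prompt
# for a pass phrase, and whether stripped keys are protected by file mode.

# key_state FILE -> encrypted | plaintext | unknown
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted container
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM encryption header
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plaintext      # no pass phrase: file mode is the only protection
    else
        echo unknown
    fi
}

# key_audit FILE -> prompt | ok | exposed | unknown
key_audit() {
    case $(key_state "$1") in
        encrypted) echo prompt ;;   # pass phrase requested when the key is loaded
        plaintext)
            # Characters 5-10 of the ls mode string are the group/other bits.
            if [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]; then
                echo ok
            else
                echo exposed        # accessible to accounts other than the owner
            fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample files: PEM framing only, the bodies are not key material.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,CONSTRUCTED' '' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$1/keyout.pem"
    cp "$1/keyout.pem" "$1/keyout-locked.pem"
    chmod 644 "$1/key.pem" "$1/keyout.pem"
    chmod 600 "$1/keyout-locked.pem"
}

dir=$(mktemp -d) && make_samples "$dir"
for f in key.pem keyout.pem keyout-locked.pem; do
    printf '%s: %s\n' "$f" "$(key_audit "$dir/$f")"
done
rm -rf "$dir"
```

Running `key_audit` over the key files referenced by the server configuration before a restart shows in advance how many prompts to expect and which stripped keys still need `chmod 600`.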