Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#574 closed enhancement (wontfix)

PEM pass phrase on conftest (and restart)

Reported by: Michael Monreal
Owned by:
Priority: minor
Milestone:
Component: nginx-package
Version: 1.5.x
Keywords:
Cc:
uname -a: Linux server 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'


Running 'service nginx conftest' asks for the PEM pass phrase. This has some value I guess, but after having it check the certs once (and you did not change anything regarding certs) having to enter the pass phrase over and over is just very tedious.

This also affects the "restart" action, which runs "configtest -q; stop; start". In my case, I have to enter the pass phrase _6_ times (three virtual servers, each asking for the pass on configtest and again on start).

I propose not to check the cert on conftest by default and use this for "restart". The "restart" should always be "stop; start" and if you run these manually there is no configtest as well. Maybe define something like "conftest -c" to get the old behavior for people who would like the cert to be checked as well.

Change History (2)

comment:1 by Maxim Dounin, 10 years ago

Resolution: wontfix
Status: new → closed

If you aren't happy with passwords being asked, consider removing them using openssl rsa -in key.pem -out keyout.pem.

comment:2 by Michael Monreal, 10 years ago

Well, this is not useful advice. There is a reason why people store encrypted keys.
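
The ticket describes one prompt per encrypted key each time the keys are loaded. The following added example (not code from the ticket or from the nginx package) classifies key files by their PEM headers so an operator can see which ones will ask for a pass phrase; the function names, file names and sample contents are hypothetical, and the key paths are assumed to be passed in by hand rather than parsed from nginx.conf.

```shell
#!/bin/sh
# Added example (not from the ticket): classify PEM private-key files by
# whether they are pass-phrase protected, using only the PEM header lines.

# pem_key_state FILE -> prints "encrypted", "plaintext" or "not-a-key"
pem_key_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted container
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM encryption header
    elif grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plaintext      # key material stored unencrypted
    else
        echo not-a-key
    fi
}

# count_prompts FILE... -> number of key files that need a pass phrase
count_prompts() {
    n=0
    for f in "$@"; do
        if [ "$(pem_key_state "$f")" = encrypted ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample files: header lines only, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,CONSTRUCTED' '' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo/vhost1.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo/vhost2.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END PRIVATE KEY-----' > "$demo/vhost3.key"

for k in "$demo"/*.key; do
    echo "$(basename "$k"): $(pem_key_state "$k")"
done
echo "pass phrases requested per key load: $(count_prompts "$demo"/*.key)"
```

A key reported as plaintext is readable by anyone who can read the file, so its protection rests on file ownership and mode alone.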
