Nginx SSL passphrase at startup

I’m using nginx to serve all my media files and it is also a proxy to my apache server. I’ve been using SSL encryption for specific sections of the site, using nginx’s built in SSL support:

server {

listen 443;
server_name host.com;

access_log /var/log/nginx/register/host.access.log;

# SSL
ssl on;
ssl_certificate /home/jamstooks/ssl_certs/2008_cert/host.com.crt;
ssl_certificate_key /home/jamstooks/ssl_certs/2008_cert/host.com.key;

# Register
location ^~ /register/ {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;

proxy_set_header Host register.host.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

client_max_body_size 10m;
client_body_buffer_size 128k;

proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;

proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}

# Redirect everything else
location / {
rewrite ^(.*) http://www.host.com$1 permanent;
}

}

When I boot up Nginx it requests the passphrase for the encrypted certificate key. This is a huge problem though when there are unexpected shutdowns because the Nginx process won’t restart.

However, the problem is not with Nginx, but with the certificate itself. Because it is encrypted, Nginx can’t use it unless it until it has the pass-phrase. So, the easiest way to solve this is to provide Nginx with a decrypted version of the certificate key. The only issue is that you need to tie down the permissions on the file so that no one can access it at use it to impersonate you.

Apache details the process here:

# Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

# Make sure the server.key file is only readable by root:

$ chmod 400 server.key

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s