Nginx failing to ask for PEM SSL key password

November 17, 2015 03:13PM
== CONTEXT ==
nginx version: nginx/1.6.2
Linux - 2.6.32-042stab111.11 #1 SMP Tue Sep 1 18:19:12 MSK 2015 x86_64 GNU/Linux


While starting/restarting nginx with "service nginx start", no password is asked on the terminal and nginx fails to start.

By checking journalctl, I receive the following error:
---
nov. 17 ... systemd[1]: Failed to reset devices.list on /system.slice/nginx.service: No
nov. 17 ... nginx[1441]: Enter PEM pass phrase:
nov. 17 ... nginx[1441]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mykeycert") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0906A
nov. 17 ... nginx[1441]: nginx: configuration file /etc/nginx/nginx.conf test failed
nov. 17 ... systemd[1]: nginx.service: control process exited, code=exited status=1
nov. 17 ... systemd[1]: Failed to start A high performance web server and a revers
---
The log files say that a PEM pass phrase has been asked for, but that is not the case; nothing can be read from the terminal.


Please note that:

- The nginx server starts correctly from the command line (# nginx), not using the service. The SSL configuration (like file locations and permissions) therefore seems correct. That way, the password is asked for on the terminal.
- When doing the same SSL configuration with Apache2, the password is properly requested when starting/restarting the Apache2 server with "service apache2 start".



== Problem and Question ==


1) I am not about to remove the password of a cert key, since it's usually a bad security practice (considering that if the server gets compromised, the cert will have to be revoked, etc.).
On top of that, as explained, I never had problems on Apache2 using a password-protected key cert file. When I run the Apache service, the password is properly asked for. I cannot consider the solution of removing the password when other solutions work properly.
I also checked the ssl_password_file proposal. Storing the password that way would make the security the same as if no password was set on the key cert file. Therefore, I can't follow that solution either.

2) What I fail to understand, whether it is a bug or a feature, is the following: Nginx, when run from the command line, asks me for my cert key password and runs correctly. Why can't this behaviour be applied to a service?
The command:
---
# nginx
---
asks for a password and runs the Nginx web server correctly. However:
---
# service nginx start
---
doesn't; the password is not asked for on the terminal, producing the journalctl output mentioned above. Why this difference in response? Why can't an Apache2-like mechanism (that works in both situations) be introduced in Nginx?

Thank you in advance for your answer.
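
The three options weighed in the post above, as an added example that is not part of the original post or of nginx: a shell audit that classifies every `ssl_certificate_key` in a config as an unencrypted key, an encrypted key whose passphrase sits on disk via `ssl_password_file`, or an encrypted key that needs a terminal prompt (the case that fails under `service nginx start` in the journal output). The function names, status labels and sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; the sample files and function names are constructed.

# Exit 0 if the PEM file holds a passphrase-protected private key.
key_is_encrypted() {
    # PKCS#8 has a dedicated header; traditional OpenSSL PEM keys carry
    # a "Proc-Type: 4,ENCRYPTED" line after the BEGIN line.
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print "<status> <keyfile>" for every ssl_certificate_key in config $1.
# Simplification: an ssl_password_file anywhere is treated as config-wide.
audit_conf() {
    conf=$1
    has_pwfile=no
    grep -Eq '^[[:space:]]*ssl_password_file[[:space:]]' "$conf" && has_pwfile=yes
    sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" |
    while IFS= read -r key; do
        if [ ! -r "$key" ]; then
            echo "UNREADABLE $key"
        elif ! key_is_encrypted "$key"; then
            echo "PLAINTEXT_KEY $key"        # anyone who reads the file has the key
        elif [ "$has_pwfile" = yes ]; then
            echo "PASSWORD_ON_DISK $key"     # passphrase stored next to the key
        else
            echo "NEEDS_TERMINAL $key"       # prompt required; fails without a tty
        fi
    done
}

# Build constructed fixtures (headers only, no real key material).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$d/plain.key"
    printf 'server {\n  ssl_certificate_key %s;\n}\nserver {\n  ssl_certificate_key %s;\n}\n' \
        "$d/enc.key" "$d/plain.key" > "$d/nginx.conf"
    echo "$d"
}

sample=$(make_sample) || exit 1
audit_conf "$sample/nginx.conf"
rm -rf "$sample"
```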
Subject Author Posted

Nginx failing to ask for PEM SSL key password

lakarjail November 17, 2015 03:13PM
