Pass cert password to Nginx with https site during restart

Question:

I configured nginx installation and configuration (together with setup SSL certificates for https site) via ansible. SSL certificates are under passphrases.

I want to write an ansible task which restarts nginx. The problem is the following.

Normally, nginx with https site inside asks for PEM pass phrase during restart. Ansible doesn’t ask for that passphrase during execution of playbook.

There is a solution with storing the decrypted cert and key in some private directory. But I don't really want to leave my cert and key somewhere unencrypted.

How do I pass the password to nginx (or to openssl) during restart via ansible? The perfect scenario is the following:

  1. Ansible asks for the SSL password (via vars_prompt). Another option is to use ansible vault.
  2. Ansible is restarting nginx, and when nginx is asking for PEM pass phrase, ansible is passing password to nginx.

Is it possible?

Answer:

Nginx has an ssl_password_file parameter.

Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

Example:

What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then if successful delete it.

I have no first-hand experience whether it'll actually work or what other side-effects this might have (for example, a manual service nginx restart will probably fail), but it seems like a logical approach to me.
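The copy-restart-delete approach from the answer above, written out as an added example playbook (not code from the original answer). It assumes the nginx site config already contains the directive `ssl_password_file /etc/nginx/ssl/key.pass;`, that a vault-encrypted vault.yml defines a variable ssl_key_passphrase, and that the hosts group is called webservers; all three names are placeholders.

```yaml
# Added example, not from the original answer. Assumed names: the nginx config
# already has "ssl_password_file /etc/nginx/ssl/key.pass;", vault.yml (encrypted
# with ansible-vault) defines ssl_key_passphrase, and the host group is webservers.
- name: Restart nginx with a temporary ssl_password_file
  hosts: webservers
  become: true
  vars_files:
    - vault.yml
  vars:
    ssl_password_file: /etc/nginx/ssl/key.pass   # must match the nginx directive
  tasks:
    - name: Restart nginx using the vaulted passphrase
      block:
        - name: Write the passphrase file (root-only, kept out of logs)
          ansible.builtin.copy:
            content: "{{ ssl_key_passphrase }}\n"
            dest: "{{ ssl_password_file }}"
            owner: root
            group: root
            mode: "0600"
          no_log: true   # keeps the passphrase out of ansible output and logs

        - name: Validate the configuration before touching the running service
          ansible.builtin.command: nginx -t   # also exercises the passphrase file
          changed_when: false

        - name: Restart nginx (the master process reads the passphrase file as root)
          ansible.builtin.service:
            name: nginx
            state: restarted
      always:
        - name: Remove the passphrase file whether or not the restart succeeded
          ansible.builtin.file:
            path: "{{ ssl_password_file }}"
            state: absent
```

Run it with `ansible-playbook --ask-vault-pass site.yml` (or a vault password file). Because the file is deleted afterwards, a later manual `service nginx restart` will fail to load the key until the playbook is run again, which is the side-effect the answer mentions.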
