在重启期间通过https站点将证书密码传递给Nginx [英] Pass cert password to Nginx with https site during restart
问题描述
我通过 https 网站的设置SSL证书) = noreferrer> ansible 。 SSL证书正在使用passphrases。
I configured nginx installation and configuration (together with setup SSL certificates for https site) via ansible. SSL certificates are under passphrases.
我想写一个重启nginx的ansilbe任务。问题是如下。
I want to write ansilbe task which is restarting nginx. The problem is following.
通常情况下,内部有https网站的nginx在重启期间要求 PEM密码短语。在执行剧本期间,Ansible不会要求该密码短语。
Normally, nginx with https site inside ask for PEM pass phrase during restart. Ansible doesn't ask for that passphrase during execution of playbook.
解决方案,将解密的证书和密钥存储在某个私人目录中。但我真的不想将我的证书和密钥留在未加密的地方。
There is solution with storing decrypted cert and key in some private directory. But I don't really want to leave my cert and key somewhere unencrypted.
如何通过
How to pass password to nginx (or to openssl) during restart via ansible? Perfect scenario is following:
- Ansible要求提供SSL密码(通过
vars_promt) 。另一个选择是使用ansible vault。 - Ansible正在重启nginx,当nginx要求
PEM密码短语时,ansible正在传递密码到nginx。
- Ansible is asking for SSL password (via
vars_promt). Another option is to use ansible vault. - Ansible is restarting nginx, and when nginx is asking for
PEM pass phrase, ansible is passing password to nginx.
有可能吗?
推荐答案
Nginx有 ssl_password_file 参数。
Nginx has ssl_password_file parameter.
指定带有密码密码的文件,其中每个密码在单独的行上指定。在加载密钥时依次尝试密码短语。
Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.
示例:
http {
ssl_password_file /etc/keys/global.pass;
...
server {
server_name www1.example.com;
ssl_certificate_key /etc/keys/first.key;
}
server {
server_name www2.example.com;
# named pipe can also be used instead of a file
ssl_password_file /etc/keys/fifo;
ssl_certificate_key /etc/keys/second.key;
}
}
你能做的就是保持 ssl_password_file 在ansible-vault中,复制它,重新启动nginx然后如果成功删除它。
What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then if successful delete it.
我没有第一手经验如果它实际上有效或者其他可能产生的副作用(例如手动服务nginx重启可能会失败),但这对我来说似乎是一种合乎逻辑的方法。
I have no first-hand experience if it'll actually work or what other side-effects this might have(for example manual service nginx restart will probably fail), but it seems like a logical approach to me.
这篇关于在重启期间通过https站点将证书密码传递给Nginx的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
