在重启期间使用 https 站点将证书密码传递给 Nginx [英] Pass cert password to Nginx with https site during restart

问题描述

我通过 ansible 配置了 nginx 安装和配置(以及为 https 站点设置 SSL 证书).SSL 证书在密码短语下.

I configured nginx installation and configuration (together with setup SSL certificates for https site) via ansible. SSL certificates are under passphrases.

我想编写正在重启 nginx 的 ansilbe 任务.问题如下.

I want to write ansilbe task which is restarting nginx. The problem is the following.

通常，带有 https 站点的 nginx 在重新启动时会要求 PEM 密码.Ansible 在执行 playbook 期间不会要求输入密码.

Normally, nginx with https site inside asks for PEM pass phrase during restart. Ansible doesn't ask for that passphrase during execution of playbook.

有解决方案 将解密的证书和密钥存储在某个私有目录中.但我真的不想将我的证书和密钥留在未加密的地方.

There is solution with storing decrypted cert and key in some private directory. But I don't really want to leave my cert and key somewhere unencrypted.

如何在重启期间通过 ansible 将密码传递给 nginx(或 openssl)?完美场景如下:

How to pass password to nginx (or to openssl) during restart via ansible? Perfect scenario is following:

1. Ansible 要求提供 SSL 密码(通过 vars_promt).另一种选择是使用 ansible Vault.
2. Ansible 正在重启 nginx，当 nginx 要求 PEM 密码 时，ansible 正在将密码传递给 nginx.

1. Ansible is asking for SSL password (via vars_promt). Another option is to use ansible vault.
2. Ansible is restarting nginx, and when nginx is asking for PEM pass phrase, ansible is passing password to nginx.

有可能吗?

推荐答案

Nginx 有 ssl_password_file 参数.

Nginx has ssl_password_file parameter.

指定带有密钥密码的文件，其中每个密码都在单独的行中指定.加载密钥时依次尝试密码短语.

Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

示例:

http {
    ssl_password_file /etc/keys/global.pass;
    ...
    server {
        server_name www1.example.com;
        ssl_certificate_key /etc/keys/first.key;
    }
    server {
        server_name www2.example.com;
        # named pipe can also be used instead of a file
        ssl_password_file /etc/keys/fifo;
        ssl_certificate_key /etc/keys/second.key;
    }
}

您可以做的是将 ssl_password_file 保存在 ansible-vault 中，复制它，重新启动 nginx，然后如果成功将其删除.

What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then if successful delete it.

我没有第一手经验，如果它真的可以工作，或者这可能有什么其他副作用(例如手动 service nginx restart 可能会失败)，但这似乎是合乎逻辑的接近我.

I have no first-hand experience if it'll actually work or what other side-effects this might have(for example manual service nginx restart will probably fail), but it seems like a logical approach to me.

这篇关于在重启期间使用 https 站点将证书密码传递给 Nginx的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！