Pass cert password to Nginx with https site during restart

Question

I configured nginx installation and configuration (together with setup SSL certificates for https site) via ansible. SSL certificates are under passphrases.

I want to write ansilbe task which is restarting nginx. The problem is the following.

Normally, nginx with https site inside asks for PEM pass phrase during restart. Ansible doesn't ask for that passphrase during execution of playbook.

There is solution with storing decrypted cert and key in some private directory. But I don't really want to leave my cert and key somewhere unencrypted.

How to pass password to nginx (or to openssl) during restart via ansible? Perfect scenario is following:

1. Ansible is asking for SSL password (via vars_promt). Another option is to use ansible vault.
2. Ansible is restarting nginx, and when nginx is asking for PEM pass phrase, ansible is passing password to nginx.

Is it possible?

Answer 1

Nginx has ssl_password_file parameter.

Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

Example:

http {
    ssl_password_file /etc/keys/global.pass;
    ...
    server {
        server_name www1.example.com;
        ssl_certificate_key /etc/keys/first.key;
    }
    server {
        server_name www2.example.com;
        # named pipe can also be used instead of a file
        ssl_password_file /etc/keys/fifo;
        ssl_certificate_key /etc/keys/second.key;
    }
}

What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then if successful delete it.

I have no first-hand experience if it'll actually work or what other side-effects this might have(for example manual service nginx restart will probably fail), but it seems like a logical approach to me.

Answer 2

If you have the permissions restrictive enough on the private key (e.g. only letting nginx be able to read it) this would probably be good enough. Nginx will have to keep it loaded in memory anyway; this might be harder for an attacker to recover, but if they have root access to the box you should consider the key compromised regardless.

Alternatively, you can pipe the password in to the command that is restarting (e.g. echo mypass | service nginx restart). This will cause it to be shown in plain text on process lists and shouldn't be considered any more secure.

I'd recommend locking down permissions on the file and not having a password on it. I don't believe Ansible has any way to specify responses to individual prompts, other than sudo.