Pass cert password to Nginx with https site during restart
Nginx has an ssl_password_file parameter.
Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.
Example:

    http {
        ssl_password_file /etc/keys/global.pass;
        ...
        server {
            server_name www1.example.com;
            ssl_certificate_key /etc/keys/first.key;
        }
        server {
            server_name www2.example.com;
            # named pipe can also be used instead of a file
            ssl_password_file /etc/keys/fifo;
            ssl_certificate_key /etc/keys/second.key;
        }
    }
What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then, if successful, delete it.
I have no first-hand experience of whether it'll actually work or what other side-effects this might have (for example, a manual `service nginx restart` will probably fail), but it seems like a logical approach to me.
If you have the permissions restrictive enough on the private key (e.g. only letting nginx be able to read it) this would probably be good enough. Nginx will have to keep it loaded in memory anyway; this might be harder for an attacker to recover, but if they have root access to the box you should consider the key compromised regardless.
Alternatively, you can pipe the password into the command that is restarting (e.g. `echo mypass | service nginx restart`). This will cause it to be shown in plain text on process lists and shouldn't be considered any more secure.
I'd recommend locking down permissions on the file and not having a password on it. I don't believe Ansible has any way to specify responses to individual prompts, other than sudo.
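The two answers above describe a procedure (stage the passphrase file only for the restart, then remove it) and a check (the private key readable by nothing but nginx). The following shell script is an added example, not code from either answer or from the nginx or Ansible projects. The paths in VAULTED_PASS, PASS_FILE and the restart command are assumptions; /etc/keys/global.pass is the path from the config in the first answer. Deviating slightly from the first answer, the passphrase file is removed whether or not the restart succeeds, since a failed restart is exactly the moment you do not want a plaintext passphrase left on disk.

```sh
#!/bin/sh
# Added example: stage an nginx ssl_password_file for the duration of a restart.
# Assumed (hypothetical) locations: the ansible-vault-encrypted copy in
# $VAULTED_PASS, the path nginx is configured with in $PASS_FILE, and the
# restart command in $RESTART_CMD. The nginx master process reads the private
# key (and therefore the passphrase file) before dropping privileges, so a
# root-owned 0600 file is sufficient when this script runs as root.
set -eu

VAULTED_PASS="${VAULTED_PASS:-/srv/ansible/files/global.pass.vault}"  # assumed path
PASS_FILE="${PASS_FILE:-/etc/keys/global.pass}"                       # path from the nginx config
RESTART_CMD="${RESTART_CMD:-systemctl restart nginx}"                 # assumed restart command

# deploy_and_restart FILE CMD [ARGS...]
# Reads the passphrase from stdin, writes it to FILE with mode 0600 (umask is
# set in a subshell before the file exists, so it is never readable by others,
# not even briefly), runs CMD, then removes FILE regardless of CMD's outcome.
# Returns CMD's exit status so the caller can tell whether nginx came back.
deploy_and_restart() {
  file="$1"; shift
  # belt and braces: remove the file even if this shell is interrupted mid-restart
  trap 'rm -f "$file"' EXIT INT TERM
  ( umask 077; cat > "$file" )
  status=0
  "$@" || status=$?
  rm -f "$file"
  trap - EXIT INT TERM
  return "$status"
}

# key_is_locked_down FILE
# Succeeds only if FILE has no group or world permission bits at all, i.e. the
# "lock down permissions on the private key" check from the second answer.
# Parses the first ls -l column, which has the same layout on GNU and BSD.
key_is_locked_down() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Stand-alone use: `sh restart-with-pass.sh --run`. ansible-vault view prints the
# decrypted content to stdout, so the passphrase never touches disk unprotected.
# $RESTART_CMD is deliberately unquoted so it splits into command and arguments.
if [ "${1:-}" = "--run" ]; then
  ansible-vault view "$VAULTED_PASS" | deploy_and_restart "$PASS_FILE" $RESTART_CMD
fi
```

Because the restart command is passed as separate arguments, the same function works with `service nginx restart` on init-script systems, and a non-zero return from deploy_and_restart is the signal for an Ansible task (or a human) that the restart failed and the passphrase file has already been removed.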