在重启期间通过https站点将证书密码传递给Nginx

在重启期间通过https站点将证书密码传递给Nginx

关注
发信
关注(28)粉丝(399)

在重启期间通过https站点将证书密码传递给Nginx

本文介绍了在重启期间通过https站点将证书密码传递给Nginx的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我通过。 SSL证书正在使用passphrases。

I configured nginx installation and configuration (together with setup SSL certificates for https site) via ansible. SSL certificates are under passphrases.

我想写一个重启nginx的ansilbe任务。问题是如下。

I want to write ansilbe task which is restarting nginx. The problem is following.

通常情况下,内部有https网站的nginx在重启期间要求 PEM密码短语。在执行剧本期间,Ansible不会要求该密码短语。

Normally, nginx with https site inside ask for PEM pass phrase during restart. Ansible doesn't ask for that passphrase during execution of playbook.

,将解密的证书和密钥存储在某个私人目录中。但我真的不想将我的证书和密钥留在未加密的地方。

There is solution with storing decrypted cert and key in some private directory. But I don't really want to leave my cert and key somewhere unencrypted.

如何通过 ansible ?完美的场景如下:

How to pass password to nginx (or to openssl) during restart via ansible? Perfect scenario is following:


  1. Ansible要求提供SSL密码(通过 vars_promt ) 。另一个选择是使用ansible vault。

  2. Ansible正在重启nginx,当nginx要求 PEM密码短语时,ansible正在传递密码到nginx。

  1. Ansible is asking for SSL password (via vars_promt). Another option is to use ansible vault.
  2. Ansible is restarting nginx, and when nginx is asking for PEM pass phrase, ansible is passing password to nginx.

有可能吗?

推荐答案

Nginx有参数。

Nginx has ssl_password_file parameter.

示例:

http {
    ssl_password_file /etc/keys/global.pass;
    ...
    server {
        server_name www1.example.com;
        ssl_certificate_key /etc/keys/first.key;
    }
    server {
        server_name www2.example.com;
        # named pipe can also be used instead of a file
        ssl_password_file /etc/keys/fifo;
        ssl_certificate_key /etc/keys/second.key;
    }
}

你能做的就是保持 ssl_password_file 在ansible-vault中,复制它,重新启动nginx然后如果成功删除它。

What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then if successful delete it.

我没有第一手经验如果它实际上有效或者其他可能产生的副作用(例如手动服务nginx重启可能会失败),但这对我来说似乎是一种合乎逻辑的方法。

I have no first-hand experience if it'll actually work or what other side-effects this might have(for example manual service nginx restart will probably fail), but it seems like a logical approach to me.

这篇关于在重启期间通过https站点将证书密码传递给Nginx的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-15 22:58
Powered by LMLPHP ©2024 在重启期间通过https站点将证书密码传递给Nginx 0.034319