Pass cert password to Nginx with https site during restart

逝去的感伤 2020-12-29 05:15

I configured the nginx installation and configuration (together with setting up SSL certificates for the https site) via Ansible. The SSL certificates are protected by passphrases.

2 answers
  •  萌比男神i
    2020-12-29 05:43

    If you have the permissions restrictive enough on the private key (e.g. only letting nginx be able to read it) this would probably be good enough. Nginx will have to keep it loaded in memory anyway; this might be harder for an attacker to recover, but if they have root access to the box you should consider the key compromised regardless.

    Alternatively, you can pipe the password into the command that is restarting (e.g. echo mypass | service nginx restart). This will cause it to be shown in plain text on process lists and shouldn't be considered any more secure.

    I'd recommend locking down permissions on the file and not having a password on it. I don't believe Ansible has any way to specify responses to individual prompts, other than sudo.
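
The setup recommended in the answer above (a key file with no group or other access, and no passphrase on it) can be checked before a restart. This shell script is an added example, not part of the original answer; it assumes a `stat` that supports `-c` (GNU or BusyBox) and PEM-encoded keys, and the function names and the path in the final comment are hypothetical.

```shell
#!/bin/sh
# Added example: pre-restart audit of a TLS private key file for nginx.
# Assumes stat with -c (GNU/BusyBox) and PEM keys; names are illustrative.

# True when no group/other permission bits are set (e.g. 0600 or 0400).
key_mode_ok() {
    mode=$(stat -L -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# True when the PEM file is passphrase-protected: either PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY") or the traditional OpenSSL format
# (a "Proc-Type: 4,ENCRYPTED" header line).
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints findings; returns 0 only if the key has no group/other access
# and can be loaded without a passphrase.
audit_tls_key() {
    key=$1
    rc=0
    [ -r "$key" ] || { echo "ERROR: cannot read $key"; return 2; }
    if ! key_mode_ok "$key"; then
        echo "FAIL: $key is accessible to group/other (expected 0600 or stricter)"
        rc=1
    fi
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; nginx needs the passphrase on every restart"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key"
    return "$rc"
}

# Audit each path given on the command line, for example:
#   sh audit_key.sh /etc/nginx/ssl/site.key   (hypothetical path)
for k in "$@"; do
    audit_tls_key "$k" || true
done
```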
