What does "SSL_CTX_use_PrivateKey_file" "problems getting password error" indicate in Nginx error log?

Question

I'm trying to set up SSL on Nginx. It doesn't work, and I am getting the following error in the error log, which is getting passed up from the OpenSSL library which nginx was compiled with. I don't know what that library is, but it's version 0.8.54 of nginx, and I installed it using apt-get on Ubuntu Linux.

2012/02/21 07:06:33 [emerg] 4071#0: 
SSL_CTX_use_PrivateKey_file("/exequias/certs/exequias.com.key") failed (SSL: 
error:0906406D:PEM routines:PEM_def_callback:problems getting password error:
0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:
SSL_CTX_use_PrivateKey_file:PEM lib)

I have ensured that the file permissions on the private key file are not stopping nginx from reading it. It is an RSA private key, generated with openssl rsa.

Any ideas what might be causing this?

score 64 · Answer 1 · answered Aug 23 '13 at 03:20

64

Remove the key pass phrase:

openssl rsa -in key.pem -out newkey.pem

If they certificate and key are together:

openssl rsa -in mycert.pem -out newcert.pem
openssl x509 -in mycert.pem >>newcert.pem

Source: http://www.madboa.com/geek/openssl/#key-removepass

answered Aug 23 '13 at 03:20

Ravindranath Akila

1,428
3
32
44

2

Thanks a lot! I was in R'lyeh. You saved my sanity. – divs1210 May 19 '15 at 12:26
2

You're welcome :-) I hear you. It's two years since I wrote this answer and now I don't remember a thing about this :D #insanityrealized – Ravindranath Akila May 20 '15 at 04:13

score 26 · Accepted Answer · answered Feb 21 '12 at 15:44

26

I got it... the private key file used with nginx must not have a passphrase. I removed the passphrase and it worked.

answered Feb 21 '12 at 15:44

Alex D

29,003
5
77
124

I don't remember -- I may just have generated a new private key with `openssl`, and left off the passphrase. – Alex D Jul 02 '13 at 11:52
Thanks, i remember the passhprase. – Crossle Song Jul 03 '13 at 06:49
1

@CrossleSong `ssh-keygen -t rsa` and don't enter a passphrase to generate a key without passphrase. – Martin Thoma Mar 09 '15 at 21:27

score 19 · Answer 3 · edited Jan 31 '17 at 07:25

19

Because you generate the .crt file with a passphrase, so you need to specify the same passphrase for your .key and .crt file in Nginx conf like this

server {
    ssl_password_file /path-to-your-passphrase/ssl.pass;
}

See Nginx Doc

Or if you don't need the passphrase for your cert file, just use ssh-keygen tool to generate the file as following:

ssh-keygen -t rsa

edited Jan 31 '17 at 07:25

Victor Polevoy

13,984
11
78
145

answered Jul 28 '16 at 09:23

sudoz

2,779
1
19
16

@JosephCoco Yep, you are right. I need to edit my answer. – sudoz Aug 10 '16 at 03:34
Perfect :thumbsup: – Will Jan 26 '18 at 19:11

score 2 · Answer 4 · answered Jan 03 '16 at 23:32

The question is a bit old now, and nginx actually supports passphrase asking at startup since at least version 1.2. But the issue is still relevant because this capability has been removed from debian in the latest release, version 8 with nginx 1.6. The reason is that passphrase input hasn't been implemented in the systemd script for nginx, while it has been for apache. Launching nginx manually simply works, and it's not too a problem since manual intervention is required anyway, there's no use of systemd here.

Reference: https://forum.nginx.org/read.php?2,262900,262931#msg-262931

What does "SSL_CTX_use_PrivateKey_file" "problems getting password error" indicate in Nginx error log?

4 Answers4

Linked