We recently updated our SSL certificate for futurestud.io. We decided to use AES256 for the new SSL certificate which requires a password for the
.key file. At this point, we didn’t think of any problems with nginx. The nerve-racking part was waiting in secret!
nginx Series Overview
- How To Install the Newest Version of Nginx on Ubuntu
- How to Run GitLab with Self-Signed SSL Certificate
- How to Fix Reponse Status 0 (Worker Process Exited on Signal 11)
- Redirect Only Root URL Path
- Remove an App/Domain from Sites-Enabled
- How to Serve a Static HTML Page
- Is Running but Not Serving Sites
- How to Fix Unknown "connection_upgrade" Variable
- How to Configure Nginx SSL Certifcate Chain
- How to Fix Nginx SSL PEM_read_bio:bad end line
- How to Remove PEM Password From SSL Certificate
- How to Fix “ssl” Directive Is Deprecated, Use “listen … ssl”
Problem: Nginx Asking for Password on Restart/Reload
We submitted the
.csr for signing and got the certificate file (
.crt) in return. Concatenated with the intermediate certicate, we defined the new SSL certificate and key in our nginx configuration.
ssl_certificate /etc/nginx/ssl/futurestudio.pem; ssl_certificate_key /etc/nginx/ssl/private/futurestudio.key;
Afterwards, we wanted to reload the nginx configuration and it was asking for the PEM phrase.
$ sudo service nginx reload Reloading nginx configuration: Enter PEM pass phrase:
The annoying part: nginx was asking for the PEM phrase on every reload or restart. When defining an additional certificate, you have to provide a second password. A third certificate requires another password, and so on. You’ll literally freak out when just reloading nginx for a minor config change.
How to Remove PEM Password
You can use the
openssl rsa command to remove the passphrase. As arguments, we pass in the SSL
.key and get a
.key file as output.
$ openssl rsa -in futurestudio_with_pass.key -out futurestudio.key
This command will ask you one last time for your PEM passphrase. Type the password, confirm with enter key and you’re done. Finally!
Nginx won’t ask for the PEM passphrase anymore and you’re free to reload and restart nginx as much as you want.