NGINX fails to ask for PEM password on start


  • Ubuntu 16
  • nginx version: nginx/1.10.0 (Ubuntu)

Amongst the common commands you will find online to start Nginx are:

Using a service
sudo systemctl restart nginx

Call the binary directly (assuming it is located in /etc/init.d/) with start/stop/restart
/etc/init.d/nginx start

Even if you specify the configuration file using the -c option, it always throws an error.

However, it appears (for me) that neither of these options prompts the user for their PEM password when SSL or TLS certificates have been configured.

After a lot of digging you will find that calling the script directly, without an argument (start/stop/restart), prompts the user for the PEM password.


How to install SSL/TLS certificate on Glassfish

It seems that the build isn’t that important; as long as you are using a recent version of Glassfish and Ubuntu it should be fine. I will set up a guide on how to set up a Glassfish server soon. In the meantime, check the reference to nabisoft at the end of the article; it was my best reference for that part.

This tutorial is mainly directed at StartSSL users in its file naming convention, but it can work for anyone.

My Build

  • Ubuntu 16.04 Server (64 bits)
  • Glassfish 4.1
  • StartSSL certificate

You will have 3 public keys after correctly filing your certificate signing request (.csr) with your certificate authority (CA). They will be named as follows:

  • 1_Intermediate.crt
  • root.crt

You will also have the private key you used when you generated your CSR file. For the sake of this tutorial we will call this .

Move to your glassfish domain’s config directory and store all your files there. I am assuming you are using the default domain, domain1.
cd /path_to_glassfish_directory/glassfish/domains/domain1/config

Step 1
Mash up our three certificates into one file using this command. Remember: don’t forget to change the values!
cat 1_Intermediate.crt root.crt > all.crt

Step 2
Now we import these certificates into our cacerts keystore. The keystore names I am going to assume are those shipped by default with Glassfish 4.1. Fill in ‘yourAlias’ with any non-conflicting name you wish, but keep note of it for later.
keytool -import -trustcacerts -alias yourAlias -file all.crt -keystore cacerts.jks

Step 3
We are now going to decrypt the (.key) file and make a (.p12) file which will be installed into the server. The default password is ‘changeit’ and I shouldn’t have to mention it… you should change it!
openssl pkcs12 -export -in all.crt -inkey -out -name yourAlias -CAfile 1_Intermediate.crt -caname immed
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore -srcstoretype PKCS12 -srcstorepass changeit -alias yourAlias

Step 4
Ensure that all the certificates installed correctly. Check both keystores using the following two commands:
keytool -list -keystore keystore.jks
keytool -list -keystore cacerts.jks

You should see your alias listed in both keystores, with the text ‘trustedCaCert’ next to it in the cacerts.jks keystore.
In the keystore.jks file you should see your private key listed under the alias you gave it in one of the entries.

Step 5
In order to use these keys on the domain you will need to configure domain.xml. There are two ways to do this. BACKUP domain.xml before proceeding.

Method 1: terminal / command line
Replace every instance of the default alias s1as in the domain.xml file with yourAlias.

Method 2: Glassfish Admin Console
(Will be added later with pictures)

Step 6
Restart the domain

asadmin restart-domain domain1

If you haven’t loaded asadmin into your environment path then
/path_to_glassfish_directory/bin/asadmin restart-domain domain1
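Before running Steps 1 to 3 it pays to confirm that the bundle you are about to import is complete and that the private key really belongs to the server certificate, since a missing intermediate or a mismatched key only shows up later as browser warnings or a failing pkcs12 export. The script below is an added example, not part of this post or of Glassfish: it builds a constructed root → intermediate → server chain with the openssl command line tool (assumed installed), bundles it exactly as Step 1 does, and then checks the bundle and key; every file and subject name in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the post): build a constructed root -> intermediate -> server
# chain, bundle it the way Step 1 does, and check the bundle and key before anything
# is imported into a keystore. All names are placeholders.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root" \
  -keyout root.key -out root.crt 2>/dev/null
# Intermediate CA: a CSR signed by the root, marked CA:TRUE so it may issue certificates.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -days 1825 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile inter.ext -out 1_Intermediate.crt 2>/dev/null
# Server (leaf) certificate issued by the intermediate; server.key is the CSR's private key.
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 365 -in server.csr -CA 1_Intermediate.crt -CAkey inter.key \
  -CAcreateserial -out server.crt 2>/dev/null

# Step 1 of the post: the CA bundle is the intermediate followed by the root.
cat 1_Intermediate.crt root.crt > all.crt

# Number of PEM certificates in a bundle (catches a truncated or empty file).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# Does the leaf ($2) chain to a trusted root using only bundle $1? Exit status is the answer.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Does private key $1 belong to certificate $2? Compares the public key of each.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

echo "certificates in all.crt: $(cert_count all.crt)"
if chain_verifies all.crt server.crt; then echo "full bundle: chain OK"; fi
# The root alone is not enough: without the intermediate in the bundle, clients cannot build the chain.
if ! chain_verifies root.crt server.crt; then echo "root only: chain incomplete (expected)"; fi
if key_matches_cert server.key server.crt; then echo "server.key matches server.crt"; fi
```

Run the same three checks against your real 1_Intermediate.crt, root.crt, server certificate and key before Step 3; if chain_verifies fails with the full bundle, the CA gave you a different intermediate than the one that signed your certificate.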