Thread

  1. SSL key with passphrase

    Thom Brown <thom@linux.com> — 2011-09-13T13:54:23Z

    Hi,
    
    There appears to be a problem with starting Postgres if the SSL key
    has a passphrase on it.  The following happens:
    
    Enter PEM pass phrase:
    FATAL:  could not load private key file "server.key": problems getting password
    
    Starting with "postgres -D /path/to/cluster" returns:
    
    Enter PEM pass phrase:
    LOG:  database system was shut down at 2011-09-13 13:51:51 BST
    LOG:  database system is ready to accept connections
    LOG:  autovacuum launcher started
    
    So the postgres binary accepts stdin, but pg_ctl doesn't.  This isn't
    an unusual case, so could I request a fix to allow pg_ctl to take
    stdin rather than /dev/null?
    
    Thanks
    
    -- 
    Thom Brown
    Twitter: @darkixion
    IRC (freenode): dark_ixion
    Registered Linux user: #516935
    
    EnterpriseDB UK: http://www.enterprisedb.com
    The Enterprise PostgreSQL Company
    
    
  2. Re: SSL key with passphrase

    Tom Lane <tgl@sss.pgh.pa.us> — 2011-09-13T14:17:20Z

    Thom Brown <thom@linux.com> writes:
    > There appears to be a problem with starting Postgres if the SSL key
    > has a passphrase on it.
    
    It's documented that that's unsupported.  Given the number of ways to
    start a postmaster, and the fact that many of them are noninteractive,
    I don't think it's very productive for us to worry about it.
    
    			regards, tom lane
    
    
  3. Re: SSL key with passphrase

    Thom Brown <thom@linux.com> — 2011-09-13T14:28:25Z

    On 13 September 2011 15:17, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > Thom Brown <thom@linux.com> writes:
    >> There appears to be a problem with starting Postgres if the SSL key
    >> has a passphrase on it.
    >
    > It's documented that that's unsupported.  Given the number of ways to
    > start a postmaster, and the fact that many of them are noninteractive,
    > I don't think it's very productive for us to worry about it.
    
    For reference, could you point me to the page which states this lack
    of support?  All I could find was a mention that in order to start the
    service automatically, you would need to remove the passphrase.
    
    -- 
    Thom Brown
    Twitter: @darkixion
    IRC (freenode): dark_ixion
    Registered Linux user: #516935
    
    EnterpriseDB UK: http://www.enterprisedb.com
    The Enterprise PostgreSQL Company
    
    
  4. Re: SSL key with passphrase

    Thom Brown <thom@linux.com> — 2011-09-14T01:40:15Z

    On 13 September 2011 15:17, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > Thom Brown <thom@linux.com> writes:
    >> There appears to be a problem with starting Postgres if the SSL key
    >> has a passphrase on it.
    >
    > It's documented that that's unsupported.  Given the number of ways to
    > start a postmaster, and the fact that many of them are noninteractive,
    > I don't think it's very productive for us to worry about it.
    
    I've managed to get pg_ctl to accept the passphrase with the -w
    option.  Works fine like that.  Since that works, perhaps the page
    referring to SSL could mention this.
    
    -- 
    Thom Brown
    Twitter: @darkixion
    IRC (freenode): dark_ixion
    Registered Linux user: #516935
    
    EnterpriseDB UK: http://www.enterprisedb.com
    The Enterprise PostgreSQL Company
    
    
  5. Re: SSL key with passphrase

    Bruce Momjian <bruce@momjian.us> — 2012-08-16T00:52:45Z

    On Wed, Sep 14, 2011 at 02:40:15AM +0100, Thom Brown wrote:
    > On 13 September 2011 15:17, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > > Thom Brown <thom@linux.com> writes:
    > >> There appears to be a problem with starting Postgres if the SSL key
    > >> has a passphrase on it.
    > >
    > > It's documented that that's unsupported.  Given the number of ways to
    > > start a postmaster, and the fact that many of them are noninteractive,
    > > I don't think it's very productive for us to worry about it.
    > 
    > I've managed to get pg_ctl to accept the passphrase with the -w
    > option.  Works fine like that.  Since that works, perhaps the page
    > referring to SSL could mention this.
    
    I have added a documention mention as you suggested for PG 9.3 in the
    '-w' option section.
    
    -- 
      Bruce Momjian  <bruce@momjian.us>        http://momjian.us
      EnterpriseDB                             http://enterprisedb.com
    
      + It's impossible for everything to be true. +