Page MenuHomePhabricator
Create Task
Maniphest T7432

Unable to start Aphlict server with a passphrase protected SSL cert/key
Open, WishlistPublic
Actions

Description

Our Phabricator install uses HTTPS and I followed directions on https://secure.phabricator.com/book/phabricator/article/notifications/ to set up ssl-cert and ssl-key settings.
Now when I try to run ./bin/aphlict start the feedback I get is that the server has started, but then it starts to repeatedly ask me for my PEM passphrase, like this:

administrator@ubuntu:/phabricator/phabricator$ Enter PEM pass phrase:
Enter PEM pass phrase:
Enter PEM pass phrase:
Enter PEM pass phrase:

It never actually lets me enter the passphrase and everything I enter is interpreted as a bash command. If I run it like ./bin/aphlict debug it brings up the PEM pass phrase prompt, lets me enter the passphrase and then runs as expected.

Related Objects

Event Timeline

anton.vladimirov created this task.Mar 2 2015, 8:11 PM
anton.vladimirov raised the priority of this task from to Needs Triage.
anton.vladimirov updated the task description. (Show Details)
anton.vladimirov added a subscriber: anton.vladimirov.
epriestley triaged this task as Wishlist priority.Mar 3 2015, 12:35 AM
epriestley added a subscriber: epriestley.

The process has already daemonized by the time we get this far, and it's generally impractical for us to prompt for the passphrase before daemonizing without significant rearchitecture. We also haven't seen other users trying to use password-protected certificates, and believe their use to be rare in most infrastructure (for instance, ELBs in AWS do not support them either).

Generally, we're unlikely to support this. Two workarounds are:

  • Strip the password (recommended).
  • Run in debug mode and handle daemonization with a hack like using screen (discouraged, but should work if you're not comfortable stripping the password).
anton.vladimirov added a comment.Mar 3 2015, 1:16 AM

Fair enough. I got a new certificate that doesn't require a passphrase and it's working as expected now, except now I'm seeing T7435

jamchamb added a subscriber: jamchamb.Apr 26 2016, 9:21 PM
jamchamb added a comment.Apr 27 2016, 5:06 PM

Would it be possible to add something similar to Apache's SSLPassPhraseDialog exec:/path/to/program directive?

Phabricator · Built by Phacility