Thread: SSL key with passphrase
Hi, There appears to be a problem with starting Postgres if the SSL key has a passphrase on it. The following happens: Enter PEM pass phrase: FATAL: could not load private key file "server.key": problems getting password Starting with "postgres -D /path/to/cluster" returns: Enter PEM pass phrase: LOG: database system was shut down at 2011-09-13 13:51:51 BST LOG: database system is ready to accept connections LOG: autovacuum launcher started So the postgres binary accepts stdin, but pg_ctl doesn't. This isn't an unusual case, so could I request a fix to allow pg_ctl to take stdin rather than /dev/null? Thanks -- Thom Brown Twitter: @darkixion IRC (freenode): dark_ixion Registered Linux user: #516935 EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Thom Brown <thom@linux.com> writes:
> There appears to be a problem with starting Postgres if the SSL key
> has a passphrase on it.
It's documented that that's unsupported. Given the number of ways to
start a postmaster, and the fact that many of them are noninteractive,
I don't think it's very productive for us to worry about it.
regards, tom lane
On 13 September 2011 15:17, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Thom Brown <thom@linux.com> writes: >> There appears to be a problem with starting Postgres if the SSL key >> has a passphrase on it. > > It's documented that that's unsupported. Given the number of ways to > start a postmaster, and the fact that many of them are noninteractive, > I don't think it's very productive for us to worry about it. For reference, could you point me to the page which states this lack of support? All I could find was a mention that in order to start the service automatically, you would need to remove the passphrase. -- Thom Brown Twitter: @darkixion IRC (freenode): dark_ixion Registered Linux user: #516935 EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
On 13 September 2011 15:17, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Thom Brown <thom@linux.com> writes: >> There appears to be a problem with starting Postgres if the SSL key >> has a passphrase on it. > > It's documented that that's unsupported. Given the number of ways to > start a postmaster, and the fact that many of them are noninteractive, > I don't think it's very productive for us to worry about it. I've managed to get pg_ctl to accept the passphrase with the -w option. Works fine like that. Since that works, perhaps the page referring to SSL could mention this. -- Thom Brown Twitter: @darkixion IRC (freenode): dark_ixion Registered Linux user: #516935 EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
On Wed, Sep 14, 2011 at 02:40:15AM +0100, Thom Brown wrote: > On 13 September 2011 15:17, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Thom Brown <thom@linux.com> writes: > >> There appears to be a problem with starting Postgres if the SSL key > >> has a passphrase on it. > > > > It's documented that that's unsupported. Given the number of ways to > > start a postmaster, and the fact that many of them are noninteractive, > > I don't think it's very productive for us to worry about it. > > I've managed to get pg_ctl to accept the passphrase with the -w > option. Works fine like that. Since that works, perhaps the page > referring to SSL could mention this. I have added a documention mention as you suggested for PG 9.3 in the '-w' option section. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +