Re: SSL key with passphrase

Hi,

There appears to be a problem with starting Postgres if the SSL key
has a passphrase on it. The following happens:

Enter PEM pass phrase:
FATAL: could not load private key file "server.key": problems getting password

Starting with "postgres -D /path/to/cluster" returns:

Enter PEM pass phrase:
LOG: database system was shut down at 2011-09-13 13:51:51 BST
LOG: database system is ready to accept connections
LOG: autovacuum launcher started

So the postgres binary accepts stdin, but pg_ctl doesn't. This isn't
an unusual case, so could I request a fix to allow pg_ctl to take
stdin rather than /dev/null?

Thanks

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Thom Brown <thom(at)linux(dot)com> writes:
> There appears to be a problem with starting Postgres if the SSL key
> has a passphrase on it.

It's documented that that's unsupported. Given the number of ways to
start a postmaster, and the fact that many of them are noninteractive,
I don't think it's very productive for us to worry about it.

regards, tom lane

On 13 September 2011 15:17, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Thom Brown <thom(at)linux(dot)com> writes:
>> There appears to be a problem with starting Postgres if the SSL key
>> has a passphrase on it.
>
> It's documented that that's unsupported.  Given the number of ways to
> start a postmaster, and the fact that many of them are noninteractive,
> I don't think it's very productive for us to worry about it.

For reference, could you point me to the page which states this lack
of support? All I could find was a mention that in order to start the
service automatically, you would need to remove the passphrase.

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 13 September 2011 15:17, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Thom Brown <thom(at)linux(dot)com> writes:
>> There appears to be a problem with starting Postgres if the SSL key
>> has a passphrase on it.
>
> It's documented that that's unsupported.  Given the number of ways to
> start a postmaster, and the fact that many of them are noninteractive,
> I don't think it's very productive for us to worry about it.

I've managed to get pg_ctl to accept the passphrase with the -w
option. Works fine like that. Since that works, perhaps the page
referring to SSL could mention this.

--
Thom Brown
Twitter: @darkixion
IRC (freenode): dark_ixion
Registered Linux user: #516935

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On Wed, Sep 14, 2011 at 02:40:15AM +0100, Thom Brown wrote:
> On 13 September 2011 15:17, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Thom Brown <thom(at)linux(dot)com> writes:
> >> There appears to be a problem with starting Postgres if the SSL key
> >> has a passphrase on it.
> >
> > It's documented that that's unsupported.  Given the number of ways to
> > start a postmaster, and the fact that many of them are noninteractive,
> > I don't think it's very productive for us to worry about it.
>
> I've managed to get pg_ctl to accept the passphrase with the -w
> option. Works fine like that. Since that works, perhaps the page
> referring to SSL could mention this.

I have added a documention mention as you suggested for PG 9.3 in the
'-w' option section.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +