[BUG][CONFIG]: Support for passphrase protected SSL keys in HTTPS config #1577
Description
🐞 Bug Summary
SSL certificates with passphrase-protected private keys fail to load, causing the MCP Gateway server to crash on startup when attempting to use HTTPS with encrypted keys.
🔁 Steps to Reproduce
- Generate a passphrase-protected SSL certificate:
# 1. Generate private key protected by a passphrase
openssl genrsa -aes256 -out mysite.key 2048
# 2. Generate a self-signed certificate (will ask for key passphrase)
openssl req -new -x509 -key mysite.key -out mysite.crt -days 365- Attempt to start the server with the encrypted key:
SSL=true CERT_FILE=certs/cert.pem KEY_FILE=certs/key-encrypted.pem make serve-ssl
# or use docker-compose.yml with SSL=true- Observe the server crash with an error about being unable to load the private key
🤔 Expected Behavior
The server should support both passphrase-protected and regular (unencrypted) SSL certificates. Users should be able to provide a passphrase via environment variable (e.g., KEY_FILE_PASSWORD) to decrypt and use passphrase-protected keys for HTTPS configuration in both production (Gunicorn) and development (Uvicorn) environments.
💡 Proposed Solution
Implement SSL key manager utility that:
- Detects if a passphrase is provided via
KEY_FILE_PASSWORDenvironment variable - Decrypts the passphrase-protected key to a secure temporary file (0o600 permissions)
- Passes the decrypted key to Gunicorn/Uvicorn
- Automatically cleans up temporary files on process exit
- Maintains full backward compatibility with unencrypted keys
📓 Logs / Error Output
Paste any relevant stack traces or logs here.
🧠 Environment Info
You can retrieve most of this from the /version endpoint.
| Key | Value |
|---|---|
| Version or commit | e.g. v0.9.0 or main@a1b2c3d |
| Runtime | e.g. Python 3.11, Gunicorn |
| Platform / OS | e.g. Ubuntu 22.04, macOS |
| Container | e.g. Docker, Podman, none |
🧩 Additional Context (optional)
Add any configuration details, flags, or related issues.