
[BUG]: TLS profile doesn't support passphrase-protected certificates #2679

@madhav165

Description

When using make compose-tls with a passphrase-protected private key, nginx fails to start because it cannot read encrypted keys natively.

Steps to Reproduce

  1. Generate a passphrase-protected certificate:
    make certs-passphrase
  2. Run the TLS profile:
    make compose-tls
  3. nginx fails with SSL error - unable to read private key

Expected Behavior

Users should be able to use passphrase-protected certificates by providing the passphrase via environment variable.

Actual Behavior

nginx cannot start because it doesn't support passphrase-protected keys without additional configuration.

Environment

  • Docker Compose with TLS profile
  • Any passphrase-protected PEM key

Proposed Solution

Enhance the cert_init service to:

  1. Detect key-encrypted.pem file
  2. Read passphrase from KEY_FILE_PASSWORD env var
  3. Decrypt key to key.pem before nginx starts
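One way the cert_init step could carry out the three points above, as an added example that is not the project's own cert_init code. It assumes the certificates live in a directory such as /etc/nginx/certs (configurable via CERT_DIR, an assumed variable), that openssl is available in the init container, and that the file and variable names are the ones given in this issue (key-encrypted.pem, key.pem, KEY_FILE_PASSWORD).

```shell
#!/bin/sh
# Added example, not the project's cert_init code: make a
# passphrase-protected PEM key usable by nginx before it starts.
# Assumptions: $CERT_DIR (default /etc/nginx/certs) holds the certs, the
# encrypted key is key-encrypted.pem, the passphrase arrives in
# KEY_FILE_PASSWORD, and openssl is on PATH.
set -eu

decrypt_key() {
    cert_dir="${1:-${CERT_DIR:-/etc/nginx/certs}}"
    enc="$cert_dir/key-encrypted.pem"
    out="$cert_dir/key.pem"

    # Step 1: nothing to do when the deployment uses an unencrypted key.
    if [ ! -f "$enc" ]; then
        echo "cert_init: no $enc, leaving $out untouched" >&2
        return 0
    fi

    # Step 2: fail fast with a clear message instead of letting nginx
    # die later with "unable to read private key".
    if [ -z "${KEY_FILE_PASSWORD:-}" ]; then
        echo "cert_init: $enc is present but KEY_FILE_PASSWORD is unset" >&2
        return 1
    fi

    # Step 3: write the plaintext key owner-readable only, from the moment
    # it is created. "-passin env:" reads the passphrase from the variable
    # so it never appears on the command line (visible in ps) or in logs.
    umask 077
    openssl pkey -in "$enc" -passin env:KEY_FILE_PASSWORD -out "$out"

    # Sanity check: the result must parse without any passphrase.
    openssl pkey -in "$out" -noout >/dev/null
    echo "cert_init: decrypted $enc -> $out" >&2
}

# Run only when executed as the entrypoint script, not when sourced.
if [ "${0##*/}" = "cert_init.sh" ]; then
    decrypt_key "$@"
fi
```

Wire it in as the cert_init container's command (with KEY_FILE_PASSWORD passed through the compose environment) so nginx only starts once key.pem exists.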

Labels

  • MUSTP1: Non-negotiable, critical requirements without which the product is non-functional or unsafe
  • bug: Something isn't working
  • python: Python / backend development (FastAPI)
  • security: Improves security