Nginx fails to start from the init script after adding SSL/HTTPS support: Enter PEM pass phrase

Environment: CentOS 7
Software: nginx 1.10.2

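The problem

I added SSL support to nginx using StartCom's free one-year SSL certificate.
I configured the downloaded server.crt and the server.key I had generated myself in nginx.conf, but starting nginx from the init script failed.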

nginx.conf

        listen      8080 ;
        listen      443 ssl;
        server_name  www.jeiao.com;

        charset utf-8;

        ssl_certificate     /usr/local/nginx/ssl/www.jeiao.com.crt;
        ssl_certificate_key  /usr/local/nginx/ssl/www.jeiao.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

Checking the nginx service status

[root@nginx]# systemctl status nginx.service
● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-01-19 04:46:06 UTC; 19s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 22025 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
  Process: 22054 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
 Main PID: 21789 (code=exited, status=0/SUCCESS)

Jan 19 04:46:06 systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
Jan 19 04:46:06 nginx[22054]: Starting nginx: Enter PEM pass phrase:
Jan 19 04:46:06 nginx[22054]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/nginx/ssl/www.jeiao.com.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:p...
Jan 19 04:46:06 nginx[22054]: [FAILED]
Jan 19 04:46:06 systemd[1]: nginx.service: control process exited, code=exited status=1
Jan 19 04:46:06 systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
Jan 19 04:46:06 systemd[1]: Unit nginx.service entered failed state.
Jan 19 04:46:06 systemd[1]: nginx.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Starting nginx from the command line

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

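Enter PEM pass phrase:# enter the certificate's pass phrase

This made the cause roughly clear: the SSL key is protected by a passphrase, and the passphrase has to be removed.

Solution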

cp www.jeiao.com.key www.jeiao.com.key.org
openssl rsa -in www.jeiao.com.key.org -out www.jeiao.com.key

Replace the key under the ssl directory and restart nginx.

After that, starting nginx from the script works without problems.

/etc/init.d/nginx start
# startup output log
Starting nginx (via systemctl):                    [  OK  ]
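
A hardened form of the fix above, as an added example (not from the original post): it checks that the key really is pass-phrase protected, writes the decrypted copy with owner-only permissions, and confirms it matches the certificate before replacing the file. The function names and argument order are assumptions of this example, and it handles RSA keys only, like the `openssl rsa` command in the post.

```shell
#!/bin/sh
# Added example: hardened form of the cp + "openssl rsa" fix above.
# Function names and arguments are hypothetical, not nginx tooling.

# Return 0 if the PEM key file is pass-phrase protected, 1 otherwise.
# Traditional keys carry a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys
# use the "BEGIN ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Write a decrypted copy of RSA key $1 to $2, readable by the owner only,
# and refuse to install it unless it matches certificate $3.
strip_passphrase() {
    src=$1 dst=$2 crt=$3
    key_is_encrypted "$src" || { echo "$src has no pass phrase" >&2; return 1; }
    old_umask=$(umask)
    umask 077                          # anything created below is owner-only
    tmp=$(mktemp "$dst.XXXXXX") || { umask "$old_umask"; return 1; }
    # openssl prompts for the pass phrase on the terminal
    if ! openssl rsa -in "$src" -out "$tmp"; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    umask "$old_umask"
    # The same RSA modulus in key and certificate means they belong together
    k=$(openssl rsa -in "$tmp" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$crt" -noout -modulus | openssl sha256)
    if [ "$k" != "$c" ]; then
        echo "key does not match $crt" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dst" && chmod 600 "$dst"
}
```

Called as `strip_passphrase www.jeiao.com.key.org www.jeiao.com.key www.jeiao.com.crt` from the ssl directory; running `nginx -t` afterwards checks the configuration before the restart.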

References:
http://www.akadia.com/services/ssh_test_certificate.html
http://webmasters.stackexchange.com/questions/1247/can-i-skip-the-pem-pass-phrase-question-when-i-restart-the-webserver
