Symptoms
After a new SSL certificate is installed, the nginx service fails to start and produces error messages similar to those shown below:
Feb 08 06:45:07 hostname systemd[1]: Starting LSB: nginx...
Feb 08 06:45:07 hostname nginx[6873]: Starting nginx Enter PEM pass phrase:
Feb 08 06:45:07 hostname nginx[6873]: nginx: [emerg] cannot load certificate key "/usr/local/search/etc/cert/server.key": PEM_read_bio_PrivateKey() failed (SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read)
Feb 08 06:45:07 hostname startproc[6879]: startproc: exit status of parent of /usr/local/nginx/sbin/nginx: 1
Feb 08 06:45:07 hostname nginx[6873]: ..failed
Feb 08 06:45:07 hostname systemd[1]: nginx.service: Control process exited, code=exited status=7
Feb 08 06:45:07 hostname systemd[1]: Failed to start LSB: nginx.
Feb 08 06:45:07 hostname systemd[1]: nginx.service: Unit entered failed state.
Feb 08 06:45:07 hostname systemd[1]: nginx.service: Failed with result 'exit-code'.
Cause
The private key file is protected by a passphrase, but nginx is not configured to supply one, so it cannot read the key at startup.
Resolution
The following steps create a private key file without the passphrase requirement:
Rename the existing server.key file to server_pass.key.
mv server.key server_pass.key
Write the key out to a new file without a passphrase requirement. The command below assumes an RSA key; for another key type, adjust it accordingly. When prompted, type the passphrase and press Enter.
openssl rsa -in server_pass.key -out server.key
Stop and start the nginx service, then check that no error messages are displayed.
service nginx stop
service nginx start
service nginx status
Go to the search home page. Check that the correct SSL certificate information is displayed.
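Added example (not part of the original article): a pre-flight check that reads the PEM headers of a key file to tell whether nginx will stop at the pass phrase prompt, and, because the file produced by the steps above is no longer encrypted, whether it is readable only by its owner. The function names, the sample key bodies and the owner-only (chmod 600) expectation are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the key file nginx is configured to load.
# Key bodies below are constructed placeholders, not real key material.

# Return 0 if the PEM file holds a passphrase-protected private key.
key_is_encrypted() {
    # PKCS#8 encrypted keys use a dedicated PEM label.
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 0
    # Traditional-format (e.g. RSA) encrypted keys carry this header.
    grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1" && return 0
    return 1
}

# Return 0 if group and other have no access to the file.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 = loads without a prompt and is owner-only; 1 = encrypted; 2 = loose perms.
check_key() {
    if key_is_encrypted "$1"; then
        echo "$1: passphrase-protected, nginx will fail at 'Enter PEM pass phrase:'"
        return 1
    fi
    if ! key_perms_ok "$1"; then
        echo "$1: unencrypted key accessible beyond its owner, run: chmod 600 $1"
        return 2
    fi
    echo "$1: unencrypted and owner-only"
}

# Write a constructed sample key file: $1 = path, $2 = "enc" or "plain".
make_sample() {
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = enc ]; then printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0000\n\n'; fi
        echo 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI='
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}

# Demo on constructed files in a temporary directory.
dir=$(mktemp -d)
make_sample "$dir/server_pass.key" enc
make_sample "$dir/server.key" plain && chmod 644 "$dir/server.key"
check_key "$dir/server_pass.key" || true
check_key "$dir/server.key" || true
chmod 600 "$dir/server.key" && check_key "$dir/server.key"
rm -rf "$dir"
```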