From 50ff2edf131b814b9935bde62dcb38a93401cb7e Mon Sep 17 00:00:00 2001
From: Thales Macedo Garitezi
Date: Fri, 3 Jun 2022 11:18:52 -0300
Subject: [PATCH] feat(tls): add configs for private key password in dashboard/mgmt
---
 CHANGES-4.3.md | 8 ++++++++
 apps/emqx_management/etc/emqx_management.conf | 1 +
 apps/emqx_management/priv/emqx_management.schema | 5 +++++
 lib-ce/emqx_dashboard/etc/emqx_dashboard.conf | 6 ++++++
 lib-ce/emqx_dashboard/priv/emqx_dashboard.schema | 5 +++++
 5 files changed, 25 insertions(+)
diff --git a/CHANGES-4.3.md b/CHANGES-4.3.md
index 2819f729a..00cb8cf1e 100644
--- a/CHANGES-4.3.md
+++ b/CHANGES-4.3.md
@@ -10,6 +10,14 @@ File format:
 - One list item per change topic
 Change log ends with a list of github PRs
 
+## v4.3.16
+
+### Enhancements
+
+- Add the possibility of configuring the password for
+ password-protected private key files used for dashboard and
+ management HTTPS listeners. [#8129]
+
 ## v4.3.15
 
 ### Enhancements
diff --git a/apps/emqx_management/etc/emqx_management.conf b/apps/emqx_management/etc/emqx_management.conf
index 0170059d7..f9e6a518c 100644
--- a/apps/emqx_management/etc/emqx_management.conf
+++ b/apps/emqx_management/etc/emqx_management.conf
@@ -43,6 +43,7 @@ management.listener.http.ipv6_v6only = false
 ## management.listener.https.send_timeout_close = on
 ## management.listener.https.certfile = etc/certs/cert.pem
 ## management.listener.https.keyfile = etc/certs/key.pem
+## management.listener.https.key_password = yourpass
 ## management.listener.https.cacertfile = etc/certs/cacert.pem
 ## management.listener.https.verify = verify_peer
 ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
diff --git a/apps/emqx_management/priv/emqx_management.schema b/apps/emqx_management/priv/emqx_management.schema
index a30a20e4d..e0cc47d2f 100644
--- a/apps/emqx_management/priv/emqx_management.schema
+++ b/apps/emqx_management/priv/emqx_management.schema
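Review bot: The new `## management.listener.https.key_password = yourpass` example line is added without the description that the same setting receives in emqx_dashboard.conf in this patch, so an operator reading this file cannot tell that the value is only consulted when the keyfile is encrypted, or what type it takes. Mirror the dashboard wording above the example: `## String containing the private key file password. Only used if the` / `## private keyfile is password-protected.` / `## Value: String`. Because the value is a secret kept in clear text in this file, the comment could also remind the reader that read access to the file should be restricted accordingly.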
@@ -143,6 +143,10 @@
 {datatype, string}
 ]}.
 
+{mapping, "management.listener.https.key_password", "emqx_management.listeners", [
+ {datatype, string}
+]}.
+
 {mapping, "management.listener.https.certfile", "emqx_management.listeners", [
 {datatype, string}
 ]}.
@@ -217,6 +221,7 @@ end}.
 Filter([{versions, Versions},
 {ciphers, SplitFun(cuttlefish:conf_get(Prefix ++ ".ciphers", Conf, undefined))},
 {keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+ {password, cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)},
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
 {verify, cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},
diff --git a/lib-ce/emqx_dashboard/etc/emqx_dashboard.conf b/lib-ce/emqx_dashboard/etc/emqx_dashboard.conf
index 2d59264a1..f59f27a47 100644
--- a/lib-ce/emqx_dashboard/etc/emqx_dashboard.conf
+++ b/lib-ce/emqx_dashboard/etc/emqx_dashboard.conf
@@ -82,6 +82,12 @@ dashboard.listener.http.ipv6_v6only = false
 ## Value: File
 ## dashboard.listener.https.keyfile = etc/certs/key.pem
 
+## String containing the private key file password. Only used if the
+## private keyfile is password-protected.
+##
+## Value: String
+## dashboard.listener.https.key_password = yourpass
+
 ## Path to a file containing the user certificate.
 ##
 ## Value: File
diff --git a/lib-ce/emqx_dashboard/priv/emqx_dashboard.schema b/lib-ce/emqx_dashboard/priv/emqx_dashboard.schema
index a2985429b..43093c3ba 100644
--- a/lib-ce/emqx_dashboard/priv/emqx_dashboard.schema
+++ b/lib-ce/emqx_dashboard/priv/emqx_dashboard.schema
@@ -74,6 +74,10 @@
 {datatype, string}
 ]}.
 
+{mapping, "dashboard.listener.https.key_password", "emqx_dashboard.listeners", [
+ {datatype, string}
+]}.
+
 {mapping, "dashboard.listener.https.certfile", "emqx_dashboard.listeners", [
 {datatype, string}
 ]}.
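Review bot: `{password, cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)}` in the `@@ -217,6 +221,7 @@` hunk places a secret in the same listener option list as the certificate and key file paths, and nothing in the hunk marks it as sensitive. If that option list is ever printed — listener options logged at startup, a crash report from the listener process, or an `ssl` error that echoes its options — the key password will appear in clear, so those paths are worth checking and `password` should be redacted before the list is logged. The identical line in the emqx_dashboard.schema hunk at `@@ -127,6 +131,7 @@` has the same exposure. The `Filter([...])` call that builds this list starts and ends outside the hunk, so it cannot be confirmed here that an `undefined` `password` entry is dropped before the options reach `ssl`; if it is not, the entry should only be added when a value is configured.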
@@ -127,6 +131,7 @@
 {ciphers, SplitFun(cuttlefish:conf_get(Prefix ++ ".ciphers", Conf, undefined))},
 {dhfile, cuttlefish:conf_get(Prefix ++ ".dhfile", Conf, undefined)},
 {keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+ {password, cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)},
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
 {verify, cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},