feat(tls): add configs for private key password in dashboard/mgmt

CHANGES-4.3.md

@@ -10,6 +10,14 @@ File format:
 - One list item per change topic
   Change log ends with a list of github PRs
 
+## v4.3.16
+
+### Enhancements
+
+- Add the possibility of configuring the password for
+  password-protected private key files used for dashboard and
+  management HTTPS listeners. [#8129]
+
 ## v4.3.15
 
 ### Enhancements

apps/emqx_management/etc/emqx_management.conf

@@ -43,6 +43,7 @@ management.listener.http.ipv6_v6only = false
 ## management.listener.https.send_timeout_close = on
 ## management.listener.https.certfile = etc/certs/cert.pem
 ## management.listener.https.keyfile = etc/certs/key.pem
+## management.listener.https.key_password = yourpass
 ## management.listener.https.cacertfile = etc/certs/cacert.pem
 ## management.listener.https.verify = verify_peer
 ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier

apps/emqx_management/priv/emqx_management.schema

@@ -143,6 +143,10 @@
   {datatype, string}
 ]}.
 
+{mapping, "management.listener.https.key_password", "emqx_management.listeners", [
+  {datatype, string}
+]}.
+
 {mapping, "management.listener.https.certfile", "emqx_management.listeners", [
   {datatype, string}
 ]}.
@@ -217,6 +221,7 @@ end}.
                 Filter([{versions, Versions},
                         {ciphers, SplitFun(cuttlefish:conf_get(Prefix ++ ".ciphers", Conf, undefined))},
                         {keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+                        {password,   cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)},
                         {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
                         {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
                         {verify,     cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},

lib-ce/emqx_dashboard/etc/emqx_dashboard.conf

@@ -82,6 +82,12 @@ dashboard.listener.http.ipv6_v6only = false
 ## Value: File
 ## dashboard.listener.https.keyfile = etc/certs/key.pem
 
+## String containing the private key file password. Only used if the
+## private keyfile is password-protected.
+##
+## Value: String
+## dashboard.listener.https.key_password = yourpass
+
 ## Path to a file containing the user certificate.
 ##
 ## Value: File

lib-ce/emqx_dashboard/priv/emqx_dashboard.schema

@@ -74,6 +74,10 @@
   {datatype, string}
 ]}.
 
+{mapping, "dashboard.listener.https.key_password", "emqx_dashboard.listeners", [
+  {datatype, string}
+]}.
+
 {mapping, "dashboard.listener.https.certfile", "emqx_dashboard.listeners", [
   {datatype, string}
 ]}.
@@ -127,6 +131,7 @@
                         {ciphers, SplitFun(cuttlefish:conf_get(Prefix ++ ".ciphers", Conf, undefined))},
                         {dhfile, cuttlefish:conf_get(Prefix ++ ".dhfile", Conf, undefined)},
                         {keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+                        {password,   cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)},
                         {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
                         {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
                         {verify,     cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},