Merge pull request #8129 from thalesmg/key-pass-dash-mgmt-43

feat(tls): add configs for private key password in dashboard/mgmt
2022-06-07 09:14:50 -03:00 · 2022-06-07 09:14:50 -03:00 · d91c5806e0
parent b305c90b9c 50ff2edf13
commit d91c5806e0
5 changed files with 25 additions and 0 deletions
--- a/CHANGES-4.3.md
+++ b/CHANGES-4.3.md
@ -10,6 +10,14 @@ File format:
 - One list item per change topic
  Change log ends with a list of github PRs

+## v4.3.16
+
+### Enhancements
+
+- Add the possibility of configuring the password for
+  password-protected private key files used for dashboard and
+  management HTTPS listeners. [#8129]
+
 ## v4.3.15

 ### Enhancements
--- a/apps/emqx_management/etc/emqx_management.conf
+++ b/apps/emqx_management/etc/emqx_management.conf
@ -43,6 +43,7 @@ management.listener.http.ipv6_v6only = false
 ## management.listener.https.send_timeout_close = on
 ## management.listener.https.certfile = etc/certs/cert.pem
 ## management.listener.https.keyfile = etc/certs/key.pem
+## management.listener.https.key_password = yourpass
 ## management.listener.https.cacertfile = etc/certs/cacert.pem
 ## management.listener.https.verify = verify_peer
 ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
--- a/apps/emqx_management/priv/emqx_management.schema
+++ b/apps/emqx_management/priv/emqx_management.schema
@ -143,6 +143,10 @@
  {datatype, string}
 ]}.

+{mapping, "management.listener.https.key_password", "emqx_management.listeners", [
+  {datatype, string}
+]}.
+
 {mapping, "management.listener.https.certfile", "emqx_management.listeners", [
  {datatype, string}
 ]}.
@ -217,6 +221,7 @@ end}.
                Filter([{versions, Versions},
                        {ciphers, SplitFun(cuttlefish:conf_get(Prefix ++ ".ciphers", Conf, undefined))},
                        {keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+                        {password,   cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)},
                        {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
                        {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
                        {verify,     cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},
--- a/lib-ce/emqx_dashboard/etc/emqx_dashboard.conf
+++ b/lib-ce/emqx_dashboard/etc/emqx_dashboard.conf
@ -82,6 +82,12 @@ dashboard.listener.http.ipv6_v6only = false
 ## Value: File
 ## dashboard.listener.https.keyfile = etc/certs/key.pem

+## String containing the private key file password. Only used if the
+## private keyfile is password-protected.
+##
+## Value: String
+## dashboard.listener.https.key_password = yourpass
+
 ## Path to a file containing the user certificate.
 ##
 ## Value: File
--- a/lib-ce/emqx_dashboard/priv/emqx_dashboard.schema
+++ b/lib-ce/emqx_dashboard/priv/emqx_dashboard.schema
@ -74,6 +74,10 @@
  {datatype, string}
 ]}.

+{mapping, "dashboard.listener.https.key_password", "emqx_dashboard.listeners", [
+  {datatype, string}
+]}.
+
 {mapping, "dashboard.listener.https.certfile", "emqx_dashboard.listeners", [
  {datatype, string}
 ]}.
@ -127,6 +131,7 @@
                        {ciphers, SplitFun(cuttlefish:conf_get(Prefix ++ ".ciphers", Conf, undefined))},
                        {dhfile, cuttlefish:conf_get(Prefix ++ ".dhfile", Conf, undefined)},
                        {keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+                        {password,   cuttlefish:conf_get(Prefix ++ ".key_password", Conf, undefined)},
                        {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
                        {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
                        {verify,     cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},