
AmazonLinux 2023 & Nginx support

Open bplessis-swi opened this issue 8 months ago • 4 comments

Hi, sorry if this is not the place for this; I also have an AWS case opened, but I figured I'd try.

I am testing the ACM enclave with Amazon Linux 2023, and nginx doesn't seem to be compatible any more? The same configuration works on AL2, but with 2023 nginx fails to start with:

nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=main-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxx": ENGINE_load_private_key() failed (SSL: error:13000075:engine routines::not initialised)

I just tried with apache/httpd and the sample setup works somehow.

I tried some diagnostics from https://github.com/aws/aws-nitro-enclaves-acm/issues/53; it seems p11tool does see the certificate:

# p11tool --list-all pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token
Object 0:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-key;type=public
	Type: Public key (RSA-2048)
	Label: acm-key
	Flags: CKA_EXTRACTABLE;
	ID: 01

Object 1:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-ne-cert-0;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Thu Nov 28 23:59:59 2024
	Label: acm-ne-cert-0
	Flags: CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 01

Object 2:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%02;object=acm-ne-cert-1;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Fri Aug 23 22:25:30 2030
	Label: acm-ne-cert-1
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 02

Object 3:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%03;object=acm-ne-cert-2;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Thu Dec 31 01:00:00 2037
	Label: acm-ne-cert-2
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 03

Object 4:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%04;object=acm-ne-cert-3;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Wed Jun 28 17:39:16 2034
	Label: acm-ne-cert-3
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 04

Also, using openssl to create a certificate request does work, using openssl req -engine pkcs11 -new -key "pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxxxx" -keyform engine -out /tmp/req.csr

Here is the used /etc/nitro_enclaves/acm.yaml:

enclave:
  # min is 2 on x86
  cpu_count: 2
  memory_mib: 256

options:
  nginx_force_start: true
  nginx_reload_wait_ms: 1000
  sync_interval_secs: 600
tokens:
  - label: main-acm-token
    source:
      Acm:
        certificate_arn: "arn:aws:acm:ca-central-1:0123456789:certificate/...."
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm.conf
        user: nginx
    refresh_interval_secs: 43200

bplessis-swi, Nov 03 '23 14:11
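As an added example (not code from this issue or from the aws-nitro-enclaves-acm project), a small Python check that parses the PKCS#11 URI nginx is given, the token labels from acm.yaml and a p11tool --list-all listing, and reports the mismatches worth ruling out before digging into the engine itself: a token label that is not in acm.yaml, a URI that does not select type=private or carries no pin-value, or no key object with that id/label on the token. The sample inputs are constructed from the values quoted above; it assumes the acm.yaml labels have already been read out and that the listing was captured without --login, so only the public half of the key is visible.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs built from the values quoted in this issue (listing abbreviated).
NGINX_KEY_URI = ("engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;"
                 "token=main-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxx")
ACM_YAML_LABELS = ["main-acm-token"]  # tokens[].label from acm.yaml, assumed already parsed
P11TOOL_LISTING = """\
Object 0:
\tURL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-key;type=public
\tType: Public key (RSA-2048)
\tLabel: acm-key
Object 1:
\tURL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-ne-cert-0;type=cert
\tType: X.509 Certificate (RSA-2048)
\tLabel: acm-ne-cert-0
"""

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI (nginx 'engine:pkcs11:' prefix allowed) into decoded (path, query) dicts."""
    if uri.startswith("engine:pkcs11:"):
        uri = uri[len("engine:pkcs11:"):]
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    def kv(text, sep):
        return {k: unquote(v) for k, _, v in (p.partition("=") for p in text.split(sep) if p)}
    return kv(path, ";"), kv(query, "&")

def parse_p11tool(listing):
    """Return the path attributes of every URL line in 'p11tool --list-all' output."""
    return [parse_pkcs11_uri(u)[0] for u in re.findall(r"^\s*URL:\s*(\S+)", listing, flags=re.M)]

def check_key_uri(key_uri, acm_labels, listing):
    """Return a list of findings; an empty list means URI, acm.yaml and token listing agree."""
    attrs, query = parse_pkcs11_uri(key_uri)
    token, findings = attrs.get("token"), []
    if token not in acm_labels:
        findings.append(f"token {token!r} is not a tokens[].label in acm.yaml")
    if attrs.get("type") != "private":
        findings.append("key URI must select type=private")
    if not query.get("pin-value"):
        findings.append("no pin-value in the query: the engine cannot log in to the token")
    # Without --login p11tool lists only public objects; the private key shares
    # its id and object label with the public half, so match on those.
    if not any(o.get("token") == token and o.get("id") == attrs.get("id") and
               o.get("object") == attrs.get("object") and o.get("type") == "public"
               for o in parse_p11tool(listing)):
        findings.append(f"no key object {attrs.get('object')!r} with that id on token {token!r}")
    return findings
```

Run against the URI from the nginx error and the listing above it returns no findings, so the failure is not a naming mismatch; the same check flags the httpd-acm-token URI used in the CSR command against this acm.yaml.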