aws-nitro-enclaves-acm
AmazonLinux 2023 & Nginx support
Hi, sorry if this is not the place for this; I also have an AWS case opened, but I figured I'd try here too.
I am testing the ACM enclave with Amazon Linux 2023, and nginx doesn't seem to be compatible any more? The same configuration works on AL2, but with 2023 nginx fails to start with:
```
nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=main-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxx": ENGINE_load_private_key() failed (SSL: error:13000075:engine routines::not initialised)
```
I just tried with apache/httpd and the sample setup works somehow.
I tried some diagnostics from https://github.com/aws/aws-nitro-enclaves-acm/issues/53; it seems p11tool does see the certificate:
```
# p11tool --list-all pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token
Object 0:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-key;type=public
	Type: Public key (RSA-2048)
	Label: acm-key
	Flags: CKA_EXTRACTABLE;
	ID: 01
Object 1:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-ne-cert-0;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Thu Nov 28 23:59:59 2024
	Label: acm-ne-cert-0
	Flags: CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 01
Object 2:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%02;object=acm-ne-cert-1;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Fri Aug 23 22:25:30 2030
	Label: acm-ne-cert-1
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 02
Object 3:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%03;object=acm-ne-cert-2;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Thu Dec 31 01:00:00 2037
	Label: acm-ne-cert-2
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 03
Object 4:
	URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%04;object=acm-ne-cert-3;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Wed Jun 28 17:39:16 2034
	Label: acm-ne-cert-3
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
	ID: 04
```
Also, using openssl to create a certificate request does work, using:
```
openssl req -engine pkcs11 -new -key "pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxxxx" -keyform engine -out /tmp/req.csr
```
Here is the /etc/nitro_enclaves/acm.yaml used:
```yaml
enclave:
  # min is 2 on x86
  cpu_count: 2
  memory_mib: 256
options:
  nginx_force_start: true
  nginx_reload_wait_ms: 1000
  sync_interval_secs: 600
tokens:
  - label: main-acm-token
    source:
      Acm:
        certificate_arn: "arn:aws:acm:ca-central-1:0123456789:certificate/...."
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm.conf
        user: nginx
    refresh_interval_secs: 43200
```
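The diagnostics in the report compare three things by eye: the `ssl_certificate_key engine:pkcs11:...` value from the nginx error, the `p11tool --list-all` listing, and the token label in acm.yaml. The following is an added example (not code from the issue author or from the aws-nitro-enclaves-acm project) that does that comparison mechanically: it parses RFC 7512 PKCS#11 URIs with percent-decoding, parses the plain-text p11tool listing, and reports label, type and pin mismatches. The sample listing is copied from the report above (first two objects); the function names, and the `httpd-acm-token` label used for the mismatch case, are this example's own.

```python
"""Cross-check an nginx PKCS#11 key reference against p11tool output and acm.yaml.

Added example, not part of the issue or of aws-nitro-enclaves-acm.
"""
from urllib.parse import unquote

# Listing copied from the issue report (first two objects only).
SAMPLE_LISTING = """\
Object 0:
URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-key;type=public
Type: Public key (RSA-2048)
Label: acm-key
Flags: CKA_EXTRACTABLE;
ID: 01
Object 1:
URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-ne-cert-0;type=cert
Type: X.509 Certificate (RSA-2048)
Expires: Thu Nov 28 23:59:59 2024
Label: acm-ne-cert-0
Flags: CKA_TRUSTED; CKA_EXTRACTABLE;
ID: 01
"""

# Key reference exactly as it appears in the nginx error message.
NGINX_KEY_VALUE = ("engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;"
                   "token=main-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxx")


def nginx_engine_key(value):
    """Split nginx's `ssl_certificate_key engine:<name>:<key id>` form."""
    prefix, _, rest = value.partition(":")
    if prefix != "engine":
        raise ValueError("not an engine-backed key reference")
    name, _, key_id = rest.partition(":")
    return name, key_id


def parse_pkcs11_uri(uri):
    """Return (path attributes, query attributes) of an RFC 7512 PKCS#11 URI.

    Path attributes are ';'-separated, query attributes '&'-separated, and
    values are percent-encoded, so id=%01 decodes to the single byte 0x01.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, _, value = item.partition("=")
            attrs[key] = unquote(value)
        return attrs

    return split(path, ";"), split(query, "&")


def parse_p11tool_listing(text):
    """Parse `p11tool --list-all` output into one dict of fields per object."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Object ") and line.endswith(":"):
            current = {}
            objects.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value
    return objects


def check_key_uri(nginx_value, listing_text, acm_token_label):
    """Return a list of findings; empty means the listing accounts for the key."""
    findings = []
    engine, key_uri = nginx_engine_key(nginx_value)
    if engine != "pkcs11":
        findings.append(f"key is bound to engine '{engine}', not 'pkcs11'")
    path, query = parse_pkcs11_uri(key_uri)
    if path.get("token") != acm_token_label:
        findings.append(f"token '{path.get('token')}' does not match the acm.yaml "
                        f"label '{acm_token_label}'")
    if path.get("type") != "private":
        findings.append("key URI must select type=private")
    if not query.get("pin-value"):
        findings.append("key URI carries no pin-value, so the engine cannot log in")

    # Objects on the same token with the same id and label, whatever their type.
    matches = []
    for obj in parse_p11tool_listing(listing_text):
        if not obj.get("URL", "").startswith("pkcs11:"):
            continue
        obj_path, _ = parse_pkcs11_uri(obj["URL"])
        if all(obj_path.get(k) == path.get(k) for k in ("token", "id", "object")):
            matches.append(obj_path.get("type"))
    if "private" in matches:
        return findings
    if matches:
        findings.append(f"listing shows object '{path.get('object')}' only as "
                        f"{sorted(matches)}; private objects stay hidden unless "
                        "p11tool is run with --login")
    else:
        findings.append("listing has no object matching the key URI's token/id/object")
    return findings


if __name__ == "__main__":
    for finding in check_key_uri(NGINX_KEY_VALUE, SAMPLE_LISTING, "main-acm-token"):
        print("-", finding)
```

Run against the values from the report, the only finding is that `acm-key` with id `%01` appears in the listing as a public key but not as a private one, which is expected for `p11tool --list-all` without `--login` rather than a sign the key is missing. The script checks configuration consistency only; `engine routines::not initialised` is raised by the OpenSSL engine itself, so a clean result here means the URI is not the cause, not that the engine loads.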