Open bplessis-swi opened 10 months ago
I ran into this myself, and after talking to support was informed that it's simply not supported yet unless you downgrade openssl-pkcs11 to v0.4.11. I achieved it without a downgrade by adding the following dirty hack to openssl.cnf:
[engine_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/pkcs11.so
default_algorithms = ALL
init = 1
And adding engines = engine_sect to openssl_init, if not already present.
Otherwise, you're waiting until January 2024.
Interesting, I also got the "unsupported" part, but not the downgrade one.
I'm also running into the same issue.
AmazonLinux2023: aws-nitro-enclaves-acm 1.2.0-1.amzn2023, nginx 1.24.0-1.amzn2023.0.2
Also, in my case, the same problem occurs with AL2. AL2: aws-nitro-enclaves-acm 1.3.0-2.amzn2, nginx1 1.22.1-1.amzn2.0.3
I could start nginx on AL2 by adding the following to my nginx.conf:
ssl_engine pkcs11;
However, AL2023 was still bad.
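The two workarounds posted above (the openssl.cnf engine section, and `ssl_engine pkcs11;` in nginx.conf) are easy to get half-applied, and the symptom of a missing line is the same `not initialised` failure at nginx start. The script below is an added pre-flight check, not code from this thread or from the aws-nitro-enclaves-acm project: it parses an openssl.cnf for every setting the openssl.cnf hack needs, checks nginx.conf for the `ssl_engine` line, and optionally asks OpenSSL itself to load the engine. The section names and the `/usr/lib64/engines-3/pkcs11.so` path are the ones quoted above; the sample config files it writes are constructed for the example, and `OPENSSL_CONF` is used only to point the optional `openssl engine` probe at a test file.

```shell
#!/bin/sh
# Added example (not from the issue thread or the aws-nitro-enclaves-acm project):
# pre-flight checks for the pkcs11 engine wiring before restarting nginx.
# Sample configs below are constructed; the library path is the one quoted above.

# cfg_get FILE SECTION KEY -> prints the value of KEY inside [SECTION] (first hit)
cfg_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s); cur = s; next }
        cur == sect {
            line = $0; sub(/#.*/, "", line)            # strip trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_engine_cfg FILE -> 0 if every setting of the openssl.cnf workaround is
# present, 1 otherwise (missing ones are listed on stderr)
check_engine_cfg() {
    f="$1"; missing=""
    [ "$(cfg_get "$f" openssl_init engines)" = "engine_sect" ] || missing="$missing openssl_init.engines"
    [ "$(cfg_get "$f" engine_sect pkcs11)" = "pkcs11_sect" ]  || missing="$missing engine_sect.pkcs11"
    [ "$(cfg_get "$f" pkcs11_sect engine_id)" = "pkcs11" ]     || missing="$missing pkcs11_sect.engine_id"
    [ "$(cfg_get "$f" pkcs11_sect init)" = "1" ]               || missing="$missing pkcs11_sect.init"
    [ -n "$(cfg_get "$f" pkcs11_sect dynamic_path)" ]          || missing="$missing pkcs11_sect.dynamic_path"
    if [ -n "$missing" ]; then
        echo "openssl.cnf missing or wrong:$missing" >&2
        return 1
    fi
    return 0
}

# check_nginx_engine FILE -> 0 if nginx.conf carries "ssl_engine pkcs11;"
check_nginx_engine() {
    grep -Eq '^[[:space:]]*ssl_engine[[:space:]]+pkcs11[[:space:]]*;' "$1"
}

# engine_loads CFG -> asks OpenSSL to load and self-test the engine with CFG as
# its config file; only meaningful where pkcs11.so exists, so the demo below
# runs it only when the configured dynamic_path is readable
engine_loads() {
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11 >/dev/null 2>&1
}

# write_samples GOOD BAD NGINX -> constructed sample files: a complete
# openssl.cnf, the same file without "engines = engine_sect", and an nginx.conf
write_samples() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
engines = engine_sect
[engine_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/pkcs11.so
default_algorithms = ALL
init = 1
EOF
    sed '/^engines = engine_sect$/d' "$1" > "$2"
    printf 'http {\n    ssl_engine pkcs11;\n}\n' > "$3"
}

# Stand-alone demo
tmp="${TMPDIR:-/tmp}/engine-cfg.$$"
mkdir -p "$tmp"
write_samples "$tmp/good.cnf" "$tmp/bad.cnf" "$tmp/nginx.conf"
check_engine_cfg "$tmp/good.cnf" && echo "good.cnf: engine wiring complete"
check_engine_cfg "$tmp/bad.cnf"  || echo "bad.cnf: nginx would fail with 'not initialised'"
check_nginx_engine "$tmp/nginx.conf" && echo "nginx.conf: ssl_engine pkcs11 present"
lib="$(cfg_get "$tmp/good.cnf" pkcs11_sect dynamic_path)"
[ -r "$lib" ] && { engine_loads "$tmp/good.cnf" && echo "openssl loaded the pkcs11 engine"; }
rm -rf "$tmp"
```

Run it against the real files with `check_engine_cfg /etc/pki/tls/openssl.cnf` and `check_nginx_engine /etc/nginx/nginx.conf` (paths assumed for AL2023; adjust to your layout). The `openssl engine -t -c pkcs11` probe is the closest stand-alone reproduction of what nginx does at startup, so a failure there points at OpenSSL configuration rather than at nginx.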
Hi, sorry if this is not the place for this; I also have an AWS case opened, but I figured I'd try here.
I am testing the ACM enclave with AmazonLinux 2023, and nginx doesn't seem to be compatible any more? The same configuration works on AL2, but with 2023 nginx fails to start with:
nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=main-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxx": ENGINE_load_private_key() failed (SSL: error:13000075:engine routines::not initialised)
I just tried with apache/httpd and the sample setup works somehow.
I tried some diagnostics from https://github.com/aws/aws-nitro-enclaves-acm/issues/53; it seems p11tool does see the certificate:
Also, using openssl to create a certificate request does work, using
openssl req -engine pkcs11 -new -key "pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxxxx" -keyform engine -out /tmp/req.csr
Here is the /etc/nitro_enclaves/acm.yaml used: