aws / aws-nitro-enclaves-acm

AWS Certificate Manager for Nitro Enclaves allows the use of public and private SSL/TLS certificates with web applications and web servers running on Amazon EC2 instances with AWS Nitro Enclaves.
Apache License 2.0

AmazonLinux 2023 & Nginx support #124

Open bplessis-swi opened 10 months ago

bplessis-swi commented 10 months ago

Hi, sorry if this is not the place for this, I also have an AWS case opened but I figured I'd try.

I am testing the ACM enclave with AmazonLinux 2023, and nginx doesn't seem to be compatible any more? The same configuration works on AL2, but on 2023 nginx fails to start with:

nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=main-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxx": ENGINE_load_private_key() failed (SSL: error:13000075:engine routines::not initialised)

I just tried with apache/httpd and the sample setup works somehow.

I tried some diagnostics from https://github.com/aws/aws-nitro-enclaves-acm/issues/53; it seems p11tool does see the certificate:

# p11tool --list-all pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token
Object 0:
    URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-key;type=public
    Type: Public key (RSA-2048)
    Label: acm-key
    Flags: CKA_EXTRACTABLE;
    ID: 01

Object 1:
    URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%01;object=acm-ne-cert-0;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Thu Nov 28 23:59:59 2024
    Label: acm-ne-cert-0
    Flags: CKA_TRUSTED; CKA_EXTRACTABLE;
    ID: 01

Object 2:
    URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%02;object=acm-ne-cert-1;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Fri Aug 23 22:25:30 2030
    Label: acm-ne-cert-1
    Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
    ID: 02

Object 3:
    URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%03;object=acm-ne-cert-2;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Thu Dec 31 01:00:00 2037
    Label: acm-ne-cert-2
    Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
    ID: 03

Object 4:
    URL: pkcs11:model=p11ne-token;manufacturer=Amazon;serial=EVT00;token=main-acm-token;id=%04;object=acm-ne-cert-3;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Wed Jun 28 17:39:16 2034
    Label: acm-ne-cert-3
    Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; CKA_EXTRACTABLE;
    ID: 04

Also, using openssl to create a certificate request does work, using openssl req -engine pkcs11 -new -key "pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=xxxxxx" -keyform engine -out /tmp/req.csr

Here is the used /etc/nitro_enclaves/acm.yaml:

enclave:
  # min is 2 on x86
  cpu_count: 2
  memory_mib: 256

options:
  nginx_force_start: true
  nginx_reload_wait_ms: 1000
  sync_interval_secs: 600
tokens:
  - label: main-acm-token
    source:
      Acm:
        certificate_arn: "arn:aws:acm:ca-central-1:0123456789:certificate/...."
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm.conf
        user: nginx
    refresh_interval_secs: 43200

kyanar commented 10 months ago

I ran into this myself, and after talking to support was informed that it's simply not supported right yet unless you downgrade openssl-pkcs11 to v0.4.11. I achieved it without a downgrade by adding the following dirty hack to openssl.cnf:

[engine_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/pkcs11.so
default_algorithms = ALL
init = 1

And adding engines = engine_sect to openssl_init if not already present.

Otherwise, you're waiting until January 2024.
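
As an added example that is not from this thread or the project, here is the complete openssl.cnf skeleton the two fragments above plug into, so the engines = engine_sect line has an obvious home. The file path and the provider section mirror the stock OpenSSL 3 layout and are assumptions; distro-specific includes are omitted.

```ini
# /etc/pki/tls/openssl.cnf (path assumed; adjust for your distro)
# Top-level pointer: OpenSSL reads this section at library initialisation.
openssl_conf = openssl_init

[openssl_init]
# Stock OpenSSL 3 provider wiring (assumed to already exist on AL2023).
providers = provider_sect
# The line the workaround requires: register the engine section.
engines = engine_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1

[engine_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
engine_id = pkcs11
# Path given in the thread for the OpenSSL 3 pkcs11 engine on AL2023.
dynamic_path = /usr/lib64/engines-3/pkcs11.so
default_algorithms = ALL
# Initialise the engine when the config is loaded, so a later
# ENGINE_load_private_key() call does not hit "not initialised".
init = 1
```

Note that this is process-wide: every program that loads this openssl.cnf will initialise the pkcs11 engine at startup, not only nginx.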

bplessis-swi commented 10 months ago

Interesting, I also got the "unsupported" part but not the downgrade one.

hfuj13 commented 7 months ago

I'm also running into the same issue.

AmazonLinux2023: aws-nitro-enclaves-acm 1.2.0 1.amzn2023 nginx 1.24.0 1.amzn2023.0.2

Also, in my case, the same problem occurs with AL2. AL2: aws-nitro-enclaves-acm 1.3.0 2.amzn2 nginx1 1.22.1 1.amzn2.0.3

hfuj13 commented 7 months ago

I was able to start nginx on AL2 by adding the following to my nginx.conf.

ssl_engine pkcs11;

However, AL2023 was still bad.