aws / aws-nitro-enclaves-acm

AWS Certificate Manager for Nitro Enclaves allows the use of public and private SSL/TLS certificates with web applications and web servers running on Amazon EC2 instances with AWS Nitro Enclaves.
Apache License 2.0

nitro-enclaves-acm not working for httpd on Amazon Linux 2 #74

Open leonblueconic opened 1 year ago

leonblueconic commented 1 year ago

After installing / configuring nitro-enclaves-acm for Apache httpd as described on https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html I noticed it wasn't working. I couldn't set up a working TLS connection to the site in question. The instance in question is a fully patched / up-to-date AL2 instance.

$ openssl s_client -connect host.domain.com:443 -servername host.domain.com
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = host.domain.com
verify return:1
139686793054096:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
139686793054096:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=host.domain.com
   i:/C=US/O=Amazon/CN=Amazon RSA 2048 M02
 1 s:/C=US/O=Amazon/CN=Amazon RSA 2048 M02
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
subject=/CN=host.domain.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
---
SSL handshake has read 5046 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1679867431
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I verified the setup by launching a https://aws.amazon.com/marketplace/pp/prodview-f4gcl7narsmle instance (to be referenced as the test instance), which seems to work correctly. I used the same certificate and the same IAM role as on the original instance, and it worked out of the box. So I was confident the configuration on the original instance should also work. Checking around on the system I noticed my instance contains openssl-pkcs11-0.4.10-3.amzn2.0.1.x86_64; this package doesn't seem to be present on the test instance. However, on the test instance /usr/lib64/openssl/engines/pkcs11.so, which is normally provided by this package, is nonetheless present. When I copy this file from the test instance over to my original instance, things suddenly start to work, and the last part of the openssl s_client command now looks like:

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5660 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B9F53FE8D44F25898514C9D719F22BDC80C9889756D99B5E4057581E0211D1CB
    Session-ID-ctx: 
    Master-Key: 5FDD21EB7152B175A17BC5460E18231925F5A40D7065B88F3501166B9A9007F018FF89622C6857EBE0A61B03A55C97C6
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f3 d0 2d a1 e6 3a 2c 36-3c 0f 96 e8 78 f5 c4 a5   ..-..:,6<...x...
    0010 - 7d 1f ce d6 e2 64 47 75-59 f4 6d 10 cf 01 ea 7d   }....dGuY.m....}
    0020 - aa f5 df d0 f9 22 b6 57-dc 83 f4 e1 f9 fc 4d 75   .....".W......Mu
    0030 - f0 81 1d 41 96 56 93 78-9e 56 7a 1d 31 02 1b b7   ...A.V.x.Vz.1...
    0040 - a8 c5 66 bd 3a a0 6e 1b-86 34 ef 66 f4 56 2b 15   ..f.:.n..4.f.V+.
    0050 - ee 04 d1 7b f9 bd 52 a4-70 1b 1c 31 8f 59 38 62   ...{..R.p..1.Y8b
    0060 - 02 32 e4 fa 4d d6 1d 38-ae f2 2e da d2 be fa b2   .2..M..8........
    0070 - 6c ab cf e3 85 7b e8 cf-c1 21 df eb 28 4c a0 d6   l....{...!..(L..
    0080 - 63 ae 1d 60 bf 38 35 67-b3 76 22 f0 17 72 65 b5   c..`.85g.v"..re.
    0090 - 38 c9 07 9b 84 0c 53 27-05 54 ac eb 71 95 8b 72   8.....S'.T..q..r
    00a0 - 30 0b 81 68 3f fc 14 c8-3c 30 b5 0b 1b 2f 64 4a   0..h?...<0.../dJ
    00b0 - 33 29 4f ef 47 23 e6 11-1a a8 40 db 24 61 35 1d   3)O.G#....@.$a5.
    00c0 - c8 00 1e 75 c1 ff f5 e5-bb 45 ff 85 fd c2 19 8c   ...u.....E......

    Start Time: 1679870499
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Does this mean we need an updated openssl-pkcs11 to appear in the AL2 package repository that will allow nitro-enclaves-acm to work?

alcioa commented 1 year ago

@leonblueconic in order for things to work you need openssl-pkcs11 on your instance, yes. This provides the libp11 glue library. This package is already fetched when you install the aws-nitro-enclaves-acm RPM. Try sudo yum install openssl-pkcs11.

yum deplist aws-nitro-enclaves-acm
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
package: aws-nitro-enclaves-acm.x86_64 1.2.0-1.amzn2
  dependency: /bin/sh
   provider: bash.x86_64 4.2.46-34.amzn2
  dependency: aws-nitro-enclaves-cli
   provider: aws-nitro-enclaves-cli.x86_64 1.2.2-0.amzn2
  dependency: jq
   provider: jq.x86_64 1.5-1.amzn2.0.2
   provider: jq.i686 1.5-1.amzn2.0.2
  dependency: ld-linux-x86-64.so.2()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.14)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.15)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.18)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.3)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.3.4)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.9)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libdl.so.2()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libdl.so.2(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libgcc_s.so.1()(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libgcc_s.so.1(GCC_3.0)(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libgcc_s.so.1(GCC_3.3)(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libgcc_s.so.1(GCC_4.2.0)(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libm.so.6()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libpthread.so.0()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libpthread.so.0(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: librt.so.1()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: librt.so.1(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: openssl-pkcs11
   provider: openssl-pkcs11.x86_64 0.4.10-3.amzn2.0.1
   provider: openssl-pkcs11.i686 0.4.10-3.amzn2.0.1
  dependency: p11-kit >= 0.23.22
   provider: p11-kit.x86_64 0.23.22-1.amzn2.0.1
   provider: p11-kit.i686 0.23.22-1.amzn2.0.1
  dependency: rtld(GNU_HASH)
   provider: glibc.x86_64 2.26-62.amzn2
   provider: glibc.i686 2.26-62.amzn2
  dependency: systemd
   provider: systemd.x86_64 219-78.amzn2.0.21
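
The two checks a reader of this thread would want to script are the ones the reporter did by hand above: is the libp11 engine that openssl-pkcs11 is supposed to ship actually on disk and intact, and does an `openssl s_client` handshake against the httpd end in "tlsv1 alert internal error / Cipher is (NONE)" (the failing transcript) or in a negotiated cipher (the working one). The following shell script is an added example for this issue, not code from the aws-nitro-enclaves-acm project; the engine path is the one named in the report, the function names (`engine_present`, `engine_rpm_status`, `classify_s_client`, `live_check`) are this example's own, and the two transcripts embedded in it are constructed from the output quoted in the issue.

```shell
#!/bin/sh
# Added example (not part of aws-nitro-enclaves-acm): verify the openssl-pkcs11
# engine file and classify an `openssl s_client` transcript so the handshake
# failure described in this issue can be detected by a script.

# Engine the reporter had to copy over; this is where the openssl-pkcs11 RPM
# installs it on Amazon Linux 2 x86_64 (path taken from the issue).
PKCS11_ENGINE=/usr/lib64/openssl/engines/pkcs11.so

# engine_present [path]: succeed only if the engine shared object exists and
# is non-empty. Defaults to the AL2 path above.
engine_present() {
    f="${1:-$PKCS11_ENGINE}"
    [ -s "$f" ]
}

# engine_rpm_status: report whether openssl-pkcs11 is installed and whether
# rpm considers its files intact (a clean `rpm -V` prints nothing). Meant for
# interactive use on an RPM host; the offline checks below do not call it.
engine_rpm_status() {
    if ! rpm -q openssl-pkcs11 >/dev/null 2>&1; then
        echo "openssl-pkcs11: not installed (sudo yum install openssl-pkcs11)"
        return 1
    fi
    if rpm -V openssl-pkcs11; then
        echo "openssl-pkcs11: installed, files verify clean"
    else
        echo "openssl-pkcs11: installed but rpm -V reports differences (see above)"
        return 1
    fi
}

# classify_s_client: read an `openssl s_client` transcript (stdout+stderr) on
# stdin and print one line:
#   "failed alert <n>"  when the server sent a TLS alert (80 = internal error)
#   "failed no-cipher"  when the session line shows "Cipher is (NONE)"
#   "ok <cipher>"       when a cipher suite was negotiated
# Exit status is 0 only for the "ok" case, so it can be used in `if`.
classify_s_client() {
    out=$(cat)
    alert=$(printf '%s\n' "$out" \
        | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        echo "failed alert $alert"
        return 1
    fi
    cipher=$(printf '%s\n' "$out" \
        | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)')
            echo "failed no-cipher"
            return 1
            ;;
        *)
            echo "ok $cipher"
            return 0
            ;;
    esac
}

# live_check host [port]: run s_client against a real server (stderr merged,
# because OpenSSL prints the alert line there) and classify the result.
live_check() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | classify_s_client
}

# Constructed transcripts, trimmed from the two outputs quoted in the issue.
FAIL_SAMPLE='CONNECTED(00000003)
depth=0 CN = host.domain.com
verify return:1
139686793054096:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)'

OK_SAMPLE='CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

# Stand-alone run: classify both samples, then check the engine file locally.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$FAIL_SAMPLE" | classify_s_client || true
    printf '%s\n' "$OK_SAMPLE" | classify_s_client
    engine_present && echo "engine present: $PKCS11_ENGINE" \
                   || echo "engine missing: $PKCS11_ENGINE"
fi
```

On the broken instance from the report, `engine_present` fails while `rpm -q` still says the package is installed, which is exactly the mismatch `engine_rpm_status` is there to surface: `rpm -V` lists a missing or altered `pkcs11.so` instead of printing nothing. `live_check host.domain.com` then prints `failed alert 80` before the fix and `ok ECDHE-RSA-AES128-GCM-SHA256` (or whichever suite httpd picks) after it.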
leonblueconic commented 1 year ago

The package was / is installed but it wasn't working nonetheless, not until I overwrote the mentioned file with the one found on the test instance.