Open leonblueconic opened 1 year ago
@leonblueconic in order for things to work you need openssl-pkcs11 on your instance, yes. This provides the libp11 glue library. This package is already fetched when you install the aws-nitro-enclaves-acm RPM.
Try sudo yum install openssl-pkcs11.
yum deplist aws-nitro-enclaves-acm
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
package: aws-nitro-enclaves-acm.x86_64 1.2.0-1.amzn2
dependency: /bin/sh
provider: bash.x86_64 4.2.46-34.amzn2
dependency: aws-nitro-enclaves-cli
provider: aws-nitro-enclaves-cli.x86_64 1.2.2-0.amzn2
dependency: jq
provider: jq.x86_64 1.5-1.amzn2.0.2
provider: jq.i686 1.5-1.amzn2.0.2
dependency: ld-linux-x86-64.so.2()(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6()(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.14)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.15)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.18)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.2.5)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.3)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.3.4)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libc.so.6(GLIBC_2.9)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libdl.so.2()(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libdl.so.2(GLIBC_2.2.5)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libgcc_s.so.1()(64bit)
provider: libgcc.x86_64 7.3.1-15.amzn2
dependency: libgcc_s.so.1(GCC_3.0)(64bit)
provider: libgcc.x86_64 7.3.1-15.amzn2
dependency: libgcc_s.so.1(GCC_3.3)(64bit)
provider: libgcc.x86_64 7.3.1-15.amzn2
dependency: libgcc_s.so.1(GCC_4.2.0)(64bit)
provider: libgcc.x86_64 7.3.1-15.amzn2
dependency: libm.so.6()(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libpthread.so.0()(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: libpthread.so.0(GLIBC_2.2.5)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: librt.so.1()(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: librt.so.1(GLIBC_2.2.5)(64bit)
provider: glibc.x86_64 2.26-62.amzn2
dependency: openssl-pkcs11
provider: openssl-pkcs11.x86_64 0.4.10-3.amzn2.0.1
provider: openssl-pkcs11.i686 0.4.10-3.amzn2.0.1
dependency: p11-kit >= 0.23.22
provider: p11-kit.x86_64 0.23.22-1.amzn2.0.1
provider: p11-kit.i686 0.23.22-1.amzn2.0.1
dependency: rtld(GNU_HASH)
provider: glibc.x86_64 2.26-62.amzn2
provider: glibc.i686 2.26-62.amzn2
dependency: systemd
provider: systemd.x86_64 219-78.amzn2.0.21
The package was / is installed but it wasn't working nonetheless. Not until I overwrote the mentioned file with the file found on the test instance.
After installing / configuring nitro-enclaves-acm for Apache httpd as described on https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html I noticed it wasn't working. I couldn't set up a working TLS connection to the site in question. The instance in question is a fully patched / up to date AL2 instance.
I verified the setup by launching an https://aws.amazon.com/marketplace/pp/prodview-f4gcl7narsmle instance (to be referenced as test instance) which seems to work correctly. I used the same certificate and the same IAM role as on the original instance. And it worked out of the box. So I was confident the configuration on the original instance should also work. Checking around on the system I noticed my instance contains
openssl-pkcs11-0.4.10-3.amzn2.0.1.x86_64
This package doesn't seem to be present on the test instance. However, on the test instance /usr/lib64/openssl/engines/pkcs11.so, which is normally provided by this package, is nonetheless present. When I copy this file from the test instance over to my original instance things suddenly start to work. And the last part of the openssl s_client command now looks like
Does this mean we need an updated openssl-pkcs11 to appear in the AL2 package repository that will allow nitro-enclaves-acm to work?
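The workaround above replaces a file owned by the openssl-pkcs11 RPM with a copy taken from another instance. From an operations standpoint that leaves a library on disk that the package manager no longer describes, so the next `yum update` may overwrite it, and nothing records which build of the engine is actually in use. The script below is an added example, not code from this issue thread or from the aws-nitro-enclaves-acm project: it parses the standard `rpm -V` output format (a 9-character attribute column, an optional file-type marker, then the path, or `missing` plus the path) to list files that no longer match the package, and checks with `openssl engine -t` whether the pkcs11 engine actually loads. The sample `rpm -V` lines are constructed for the demonstration and were not captured from a real instance; the live checks assume `rpm` and `openssl` are on the PATH.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from aws-nitro-enclaves-acm.
# Makes a hand-copied /usr/lib64/openssl/engines/pkcs11.so visible: once the file
# differs from what the openssl-pkcs11 RPM installed, the package manager can no
# longer be relied on to update or roll it back. Assumes the standard rpm -V
# format: attribute column (S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities), optional marker ("c" config, "d" doc), path;
# or the word "missing" followed by the path.

# Paths whose content differs from the package (size or digest changed).
# Reads rpm -V lines on stdin; an mtime-only change (.......T.) is not reported.
modified_files() {
    awk '$1 ~ /[5S]/ { print $NF }'
}

# Paths the package owns that are no longer present on disk.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Live audit of one installed package. rpm -V exits non-zero whenever anything
# differs, which is exactly what we want to inspect, so its status is not checked.
audit_package() {
    pkg=$1
    echo "== $pkg: files differing from the RPM payload"
    rpm -V "$pkg" | modified_files
    echo "== $pkg: files the RPM owns that are missing"
    rpm -V "$pkg" | missing_files
}

# Does this OpenSSL load the named engine? `openssl engine -t NAME` prints
# "[ available ]" under the engine when the shared object loads and initialises.
engine_available() {
    openssl engine -t "$1" 2>/dev/null | grep -q '\[ available \]'
}

# Constructed sample of rpm -V output (not from a real instance): the engine
# library has a changed size and digest, a doc file only has a new mtime, and
# one documentation file is absent.
SAMPLE_RPM_V='S.5....T.    /usr/lib64/openssl/engines/pkcs11.so
.......T.  d /usr/share/doc/openssl-pkcs11-0.4.10/README
missing     /usr/share/doc/openssl-pkcs11-0.4.10/NEWS'

# Dry run on the sample; set AUDIT_LIVE=1 to run against the real system.
echo "modified (sample):"; printf '%s\n' "$SAMPLE_RPM_V" | modified_files
echo "missing (sample):";  printf '%s\n' "$SAMPLE_RPM_V" | missing_files
if [ -n "${AUDIT_LIVE:-}" ]; then
    audit_package openssl-pkcs11
    if engine_available pkcs11; then
        echo "pkcs11 engine loads"
    else
        echo "pkcs11 engine does NOT load"
    fi
fi
```

Run as `AUDIT_LIVE=1 sh audit.sh` on the instance: a `/usr/lib64/openssl/engines/pkcs11.so` that was copied in by hand shows up under "files differing from the RPM payload", which is the signal to replace the manual copy with a packaged build (an updated openssl-pkcs11 RPM, or a locally rebuilt one) rather than leaving an unmanaged library in the TLS path. The engine check complements it: a file that is package-clean but reports `[ unavailable ]` points at the engine itself, not at the file having been changed.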