open-quantum-safe / oqs-demos

PARTIALLY SUPPORTED Instructions for enabling the use of quantum-safe cryptography in assorted software using the OQS suite. CONTRIBUTORS WANTED.
https://openquantumsafe.org/

ee key too small has occurred in nginx with debian:bookworm-slim #252

Closed feuxfollets1013 closed 11 months ago

feuxfollets1013 commented 11 months ago

I'm trying to create a Dockerfile for nginx with debian:bookworm-slim based on the oqs-demos/nginx image. However, I got an ee key too small error for the server cert when I checked the nginx config using nginx -c /opt/nginx/nginx-conf/nginx.conf -t. I believe my Dockerfile is wrong because it should work with other images than alpine. Here are the details.

To Reproduce

  1. Download Dockerfile
  2. docker build --file ./Dockerfile.debian -t oqs-nginx-debian:latest .
  3. docker run --rm -it oqs-nginx-debian /bin/bash
  4. ./sbin/nginx -c nginx-conf/nginx.conf -t
  5. ee key too small error has occurred.
baentsch commented 11 months ago

I believe my Dockerfile is wrong because it should work with other images than alpine.

I'm not sure I understand this statement correctly -- do you see an error with our software? Or are you asking for debug support on your own Dockerfile? Does it build correctly?

feuxfollets1013 commented 11 months ago

Sorry for my poor English.

do you see an error with our software?

No. I would like to know at least some information that might give me a clue to debugging. I tried to create a httpd Dockerfile in a similar way before, but I got the same error. So, I would like to find some clues to solve the problem.

Does it build correctly?

At least the docker build command completes and server certificate verification using openssl succeeds. So I guess the integration between openssl and nginx is not working, but I don't know any more than that.

Thank you for your reply.

baentsch commented 11 months ago

Thanks for the additional clarification. I also am no native English speaker, so the lack of understanding may very well be on my side.

docker build command completes and server certificate verification using openssl succeeds.

That's good. And you did use a PQ algorithm as a cert for testing? If not,

ee key too small error has occurred.

I have seen this error message before and it indeed indicated that nginx didn't activate the oqsprovider. That said, server cert verification does not require server side logic, but client-side logic, so the server cert verification doesn't really tell us whether nginx is correctly configured to use oqsprovider. My hunch is that it doesn't properly use it. A typical error cause is an incorrectly set OPENSSL_MODULES variable: Are you sure this is correctly set? And that oqsprovider is specified for use?

feuxfollets1013 commented 11 months ago

docker build command completes and server certificate verification using openssl succeeds. That's good. And you did use a PQ algorithm as a cert for testing? If not,

I used dilithium3.

A typical error cause is an incorrectly set OPENSSL_MODULES variable: Are you sure this is correctly set? And that oqsprovider is specified for use?

This was the cause. I set OPENSSL_MODULES variable and ran nginx -t command and it succeeded.

oqs@43d75122bbe6:/opt/nginx/sbin$ ./nginx -c /opt/nginx/nginx-conf/nginx.conf -t
2023/12/18 22:38:38 [emerg] 15#0: SSL_CTX_use_certificate("/opt/nginx/pki/server.crt") failed (SSL: error:03000072:digital envelope routines::decode error error:0A00018F:SSL routines::ee key too small)
nginx: [emerg] SSL_CTX_use_certificate("/opt/nginx/pki/server.crt") failed (SSL: error:03000072:digital envelope routines::decode error error:0A00018F:SSL routines::ee key too small)
nginx: configuration file /opt/nginx/nginx-conf/nginx.conf test failed

oqs@43d75122bbe6:/opt/nginx/sbin$ export OPENSSL_MODULES=/opt/openssl/lib64/ossl-modules/

oqs@43d75122bbe6:/opt/nginx/sbin$ ./nginx -c /opt/nginx/nginx-conf/nginx.conf -t
nginx: the configuration file /opt/nginx/nginx-conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/nginx-conf/nginx.conf test is successful

Thank you for helping me solve the problem.

baentsch commented 11 months ago

Thanks for confirming that setting OPENSSL_MODULES solved the issue.
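The diagnosis in this thread is that OpenSSL 3 only knows the Dilithium key type in the server certificate while oqsprovider is loaded, and oqsprovider is only found when OPENSSL_MODULES points at the directory that holds it. The decode error preceding "ee key too small" in the log above is the certificate's public key failing to parse because no loaded provider implements it; the key-size check that nginx reports then fails as a consequence. Verifying the certificate with the openssl CLI does not exercise this, since the shell session may have a different environment from the nginx process. The script below is an added example, not code from the thread or from the oqs-demos project, and wraps the pre-flight checks a practitioner would run before `nginx -t`: that the provider file exists where the variable points, that `openssl list -providers` actually activates it from that directory, and which public key algorithm the certificate carries once it does. It assumes the provider file is named oqsprovider.so (the default name produced by an oqsprovider build) and that the openssl binary on PATH is the same OpenSSL 3 build nginx is linked against; the paths in the usage line are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the oqs-demos project): pre-flight
# checks for the "ee key too small" misconfiguration before running nginx -t.
# Assumptions: the provider is the file oqsprovider.so inside the OPENSSL_MODULES
# directory, and `openssl` on PATH is the OpenSSL 3 build nginx links against.

# Return 0 if the given modules directory contains oqsprovider.so.
oqs_module_present() {
    [ -n "$1" ] && [ -f "$1/oqsprovider.so" ]
}

# Return 0 if OPENSSL_MODULES is set in this environment and points at a
# directory containing the provider (the thread's root cause was an unset value).
oqs_env_ok() {
    oqs_module_present "${OPENSSL_MODULES:-}"
}

# Return 0 if openssl, given this modules directory, activates oqsprovider.
# This is the check that verifying the server certificate does not give you:
# verification needs client-side logic, provider loading is per process.
oqs_provider_loads() {
    OPENSSL_MODULES="$1" openssl list -providers \
        -provider default -provider oqsprovider 2>/dev/null | grep -qi 'oqs'
}

# Print the "Public Key Algorithm" line of a certificate with oqsprovider
# active; for a PQ certificate the algorithm name (e.g. dilithium3) appears only
# when the provider is loaded, otherwise decoding fails or a bare OID is shown.
cert_key_algorithm() {
    OPENSSL_MODULES="$2" openssl x509 -in "$1" -noout -text \
        -provider default -provider oqsprovider 2>/dev/null \
        | grep 'Public Key Algorithm' | head -n 1 | sed 's/^ *//'
}

# Run all checks for a modules directory and a certificate; return non-zero with
# a message on the first failure so a Dockerfile RUN step or CI job stops early.
preflight() {
    modules="$1"
    cert="$2"
    if ! oqs_module_present "$modules"; then
        echo "oqsprovider.so not found in '$modules'; check OPENSSL_MODULES" >&2
        return 1
    fi
    if ! oqs_provider_loads "$modules"; then
        echo "openssl could not activate oqsprovider from '$modules'" >&2
        return 1
    fi
    echo "oqsprovider active; $(cert_key_algorithm "$cert" "$modules")"
}

# Usage with the paths from the thread (only runs when arguments are given):
#   sh preflight.sh /opt/openssl/lib64/ossl-modules /opt/nginx/pki/server.crt \
#     && /opt/nginx/sbin/nginx -c /opt/nginx/nginx-conf/nginx.conf -t
if [ $# -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Exporting the variable in an interactive shell, as done in the thread, only lasts for that session; in a Dockerfile persist it with `ENV OPENSSL_MODULES=/opt/openssl/lib64/ossl-modules` so that the nginx process started by the container entrypoint sees it too. The `-provider-path` option on the openssl command line is the per-invocation equivalent of the variable, and an OpenSSL configuration file with a provider section that activates oqsprovider is the alternative that does not depend on the environment at all.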