nitro-enclaves-acm not working for httpd on Amazon Linux 2 #74

Open
leonblueconic opened this issue Mar 26, 2023 · 2 comments
Comments

leonblueconic commented Mar 26, 2023

After installing / configuring nitro-enclaves-acm for Apache httpd as described on https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html I noticed it wasn't working. I couldn't set up a working TLS connection to the site in question. The instance in question is a fully patched / up to date AL2 instance.

$ openssl s_client -connect host.domain.com:443 -servername host.domain.com
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = host.domain.com
verify return:1
139686793054096:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
139686793054096:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=host.domain.com
   i:/C=US/O=Amazon/CN=Amazon RSA 2048 M02
 1 s:/C=US/O=Amazon/CN=Amazon RSA 2048 M02
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
subject=/CN=host.domain.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
---
SSL handshake has read 5046 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1679867431
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I verified the setup by launching an https://aws.amazon.com/marketplace/pp/prodview-f4gcl7narsmle instance (to be referenced as the test instance), which seems to work correctly. I used the same certificate and the same IAM role as on the original instance, and it worked out of the box. So I was confident the configuration on the original instance should also work. Checking around on the system I noticed my instance contains openssl-pkcs11-0.4.10-3.amzn2.0.1.x86_64; this package doesn't seem to be present on the test instance. However, on the test instance /usr/lib64/openssl/engines/pkcs11.so, which is normally provided by this package, is nonetheless present. When I copy this file from the test instance over to my original instance things suddenly start to work, and the last part of the openssl s_client output now looks like:

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5660 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B9F53FE8D44F25898514C9D719F22BDC80C9889756D99B5E4057581E0211D1CB
    Session-ID-ctx: 
    Master-Key: 5FDD21EB7152B175A17BC5460E18231925F5A40D7065B88F3501166B9A9007F018FF89622C6857EBE0A61B03A55C97C6
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f3 d0 2d a1 e6 3a 2c 36-3c 0f 96 e8 78 f5 c4 a5   ..-..:,6<...x...
    0010 - 7d 1f ce d6 e2 64 47 75-59 f4 6d 10 cf 01 ea 7d   }....dGuY.m....}
    0020 - aa f5 df d0 f9 22 b6 57-dc 83 f4 e1 f9 fc 4d 75   .....".W......Mu
    0030 - f0 81 1d 41 96 56 93 78-9e 56 7a 1d 31 02 1b b7   ...A.V.x.Vz.1...
    0040 - a8 c5 66 bd 3a a0 6e 1b-86 34 ef 66 f4 56 2b 15   ..f.:.n..4.f.V+.
    0050 - ee 04 d1 7b f9 bd 52 a4-70 1b 1c 31 8f 59 38 62   ...{..R.p..1.Y8b
    0060 - 02 32 e4 fa 4d d6 1d 38-ae f2 2e da d2 be fa b2   .2..M..8........
    0070 - 6c ab cf e3 85 7b e8 cf-c1 21 df eb 28 4c a0 d6   l....{...!..(L..
    0080 - 63 ae 1d 60 bf 38 35 67-b3 76 22 f0 17 72 65 b5   c..`.85g.v"..re.
    0090 - 38 c9 07 9b 84 0c 53 27-05 54 ac eb 71 95 8b 72   8.....S'.T..q..r
    00a0 - 30 0b 81 68 3f fc 14 c8-3c 30 b5 0b 1b 2f 64 4a   0..h?...<0.../dJ
    00b0 - 33 29 4f ef 47 23 e6 11-1a a8 40 db 24 61 35 1d   3)O.G#....@.$a5.
    00c0 - c8 00 1e 75 c1 ff f5 e5-bb 45 ff 85 fd c2 19 8c   ...u.....E......

    Start Time: 1679870499
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Does this mean we need an updated openssl-pkcs11 to appear in the AL2 package repository that will allow nitro-enclaves-acm to work?

@leonblueconic leonblueconic changed the title nitro-enclaves-acm not working for httpd on Amazon Linix nitro-enclaves-acm not working for httpd on Amazon Linux 2 Mar 26, 2023
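The two s_client transcripts above are the whole diagnostic: in the failing run the client verifies the full chain (verify return code 0), then the server aborts with TLS alert 80 (internal_error) and no cipher is ever negotiated. The client side is healthy; the server gave up after sending its certificate, which with nitro-enclaves-acm is the point where httpd has to sign through the pkcs11 engine. The script below is an added example, not code from the issue or from the aws-nitro-enclaves-acm project. It classifies `openssl s_client` output into that server-side failure, a completed handshake, or a plain connection failure, so the symptom can be told apart from certificate or network problems in a monitoring check. The sample_* functions are constructed inputs modelled on the output posted in this issue, and host.domain.com in the usage comment is the placeholder name from the issue, not a real host.

```shell
#!/bin/sh
# Added example, not code from the issue or from aws-nitro-enclaves-acm.
# classify_handshake reads `openssl s_client` output on stdin and prints:
#   server-side-failure : server sent its certificate, then aborted with
#                         TLS alert 80 (internal_error); no cipher negotiated.
#                         The chain verified, so look at the server's key
#                         path (pkcs11 engine / libp11 / enclave), not the client.
#   handshake-ok        : a cipher suite was negotiated.
#   connect-failed      : TCP-level failure before any TLS exchange.
#   other-failure       : anything else; read the output by hand.

classify_handshake() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -q -- "$1"; }
    if ! has '^CONNECTED('; then
        echo connect-failed
    elif has 'SSL alert number 80' && has 'Cipher is (NONE)' && has '^Server certificate'; then
        echo server-side-failure
    elif has '^New, ' && ! has 'Cipher is (NONE)'; then
        echo handshake-ok
    else
        echo other-failure
    fi
}

# Probe a live host; host name is an argument (e.g. host.domain.com from the issue).
probe_host() {
    openssl s_client -connect "$1:443" -servername "$1" < /dev/null 2>&1 | classify_handshake
}

# Constructed samples (trimmed from the transcripts in this issue) for offline use.
sample_failed() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = host.domain.com
verify return:1
139686793054096:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
---
Server certificate
subject=/CN=host.domain.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M02
---
New, (NONE), Cipher is (NONE)
    Cipher    : 0000
EOF
}

sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=/CN=host.domain.com
---
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
EOF
}

sample_refused() {
cat <<'EOF'
connect: Connection refused
connect:errno=111
EOF
}

# Offline demo: classify each constructed sample.
for s in sample_failed sample_ok sample_refused; do
    printf '%s: %s\n' "$s" "$($s | classify_handshake)"
done
```

Run it against a live server with `probe_host host.domain.com` (add the call at the end of the script, or source the file and call it); the string it prints is stable enough to key an alert on, whereas grepping for "handshake failure" alone would also match certificate and protocol mismatches that have nothing to do with the enclave.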
alcioa (Contributor) commented Mar 27, 2023

@leonblueconic in order for things to work you need openssl-pkcs11 on your instance, yes. This provides the libp11 glue library. This package is already fetched when you install the aws-nitro-enclaves-acm RPM.
Try sudo yum install openssl-pkcs11.

yum deplist aws-nitro-enclaves-acm
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
package: aws-nitro-enclaves-acm.x86_64 1.2.0-1.amzn2
  dependency: /bin/sh
   provider: bash.x86_64 4.2.46-34.amzn2
  dependency: aws-nitro-enclaves-cli
   provider: aws-nitro-enclaves-cli.x86_64 1.2.2-0.amzn2
  dependency: jq
   provider: jq.x86_64 1.5-1.amzn2.0.2
   provider: jq.i686 1.5-1.amzn2.0.2
  dependency: ld-linux-x86-64.so.2()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.14)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.15)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.18)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.3)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.3.4)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libc.so.6(GLIBC_2.9)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libdl.so.2()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libdl.so.2(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libgcc_s.so.1()(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libgcc_s.so.1(GCC_3.0)(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libgcc_s.so.1(GCC_3.3)(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libgcc_s.so.1(GCC_4.2.0)(64bit)
   provider: libgcc.x86_64 7.3.1-15.amzn2
  dependency: libm.so.6()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libpthread.so.0()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: libpthread.so.0(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: librt.so.1()(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: librt.so.1(GLIBC_2.2.5)(64bit)
   provider: glibc.x86_64 2.26-62.amzn2
  dependency: openssl-pkcs11
   provider: openssl-pkcs11.x86_64 0.4.10-3.amzn2.0.1
   provider: openssl-pkcs11.i686 0.4.10-3.amzn2.0.1
  dependency: p11-kit >= 0.23.22
   provider: p11-kit.x86_64 0.23.22-1.amzn2.0.1
   provider: p11-kit.i686 0.23.22-1.amzn2.0.1
  dependency: rtld(GNU_HASH)
   provider: glibc.x86_64 2.26-62.amzn2
   provider: glibc.i686 2.26-62.amzn2
  dependency: systemd
   provider: systemd.x86_64 219-78.amzn2.0.21

leonblueconic (Author) commented
The package was / is installed but it wasn't working nonetheless. Not until I overwrote the mentioned file with the file found on the test instance.
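Both sides of the thread above rest on what is actually on disk: the dependency list shows openssl-pkcs11 is pulled in by aws-nitro-enclaves-acm, yet the reporter had that package installed and the handshake only worked after pkcs11.so was replaced with a copy from another AMI. Copying a shared object from one instance into another's OpenSSL engine directory is a supply-chain shortcut (the file no longer belongs to any verifiable package), so before doing that a practitioner wants to know which package owns the engine on each instance, whether the installed file still matches its package payload, its digest, and whether OpenSSL can load it. The script below is an added example, not code from the issue or from aws-nitro-enclaves-acm. The engine path is the one named in the issue; rpmv_modified_files parses the standard `rpm -V` report format, and sample_rpm_verify is a constructed report whose paths are illustrative, not taken from a real instance.

```shell
#!/bin/sh
# Added example, not code from the issue or from aws-nitro-enclaves-acm.
# rpmv_modified_files filters `rpm -V` output (stdin) down to files whose
# content differs from the package or that are missing. Each rpm -V line is
# nine attribute flags (S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P caps; "." = unchanged), an optional file-type column
# (c, d, ...) and the path; "missing" replaces the flags for absent files.
# A mtime-only change (T) is ignored: it does not mean the bytes changed.

rpmv_modified_files() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}
        path=${line##* }
        case "$flags" in
            missing)  echo "$path (missing)" ;;
            S*|??5*)  echo "$path (content differs: $flags)" ;;
        esac
    done
}

# Constructed rpm -V report (illustrative paths) for running offline.
sample_rpm_verify() {
cat <<'EOF'
S.5....T.    /usr/lib64/openssl/engines/pkcs11.so
.......T.  d /usr/share/doc/openssl-pkcs11/README
missing     /usr/lib64/libp11.so.3
EOF
}

# Host-side checks; needs rpm, sha256sum and openssl (all present on AL2).
# ENGINE_PATH may be overridden; the default is the path from the issue.
check_engine() {
    engine=${ENGINE_PATH:-/usr/lib64/openssl/engines/pkcs11.so}
    echo "== package owning $engine (run on both instances and compare)"
    rpm -qf "$engine" 2>/dev/null || echo "   not owned by any installed package"
    echo "== installed openssl-pkcs11 and p11-kit versions"
    rpm -q openssl-pkcs11 p11-kit
    echo "== files of openssl-pkcs11 whose content differs from the package"
    rpm -V openssl-pkcs11 | rpmv_modified_files
    echo "== digest of the engine file (compare with the working instance)"
    sha256sum "$engine"
    echo "== can OpenSSL load the engine?"
    openssl engine -t pkcs11
}

# Usage: `sh engine_check.sh check` on the host; with no argument the
# constructed report is filtered as an offline demo.
case "${1:-}" in
    check) check_engine ;;
    *)     sample_rpm_verify | rpmv_modified_files ;;
esac
```

If `rpm -V openssl-pkcs11` reports nothing and the engine still fails, the installed package itself is what misbehaves, which is the reporter's reading; if `rpm -qf` on the working instance names a different owner for pkcs11.so, the two AMIs are shipping the engine from different packages and the fix is to install that package rather than to copy the file.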
