I am trying to configure SSL in nginx.conf, and it needs to load the key from softhsm instead of file.
Here is the file /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

ssl_engine pkcs11;

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        listen 80;
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
        # include snippets/ssl-params.conf;
        server_name www.SEexample.com SEexample.com;
        ssl_certificate /etc/ssl/certs/seexample.com.crt;
        ssl_certificate_key "engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;type=private?pin=1234";
        root /var/www/html;
        index index.html;
        ssl_trusted_certificate /etc/ssl/certs/SEcombine2.crt;
    }

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
And when I run sudo nginx -t, it said:
Failed to enumerate slots
PKCS11_get_private_key returned NULL
nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;": ENGINE_load_private_key() failed (SSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key)
free(): invalid pointer
Aborted
Note that:
- Without ssl_engine pkcs11; and with ssl_certificate_key loaded from a file, the nginx server connected successfully.
- This command (as below) works perfectly, which means that the pkcs11 URI is correct. For the URI I set in the nginx.conf file, I tried with ‘pin’, with ‘pin-value’, and without ‘pin’; it didn’t help.
sudo openssl req -engine pkcs11 -keyform engine -key "pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;type=private" -new -sha512 -out csr/secert.csr -config req.cnf
2 Answers
Update my solution: I checked the version of nginx.
I suspect that version of OpenSSL will not work with that PKCS11 URI. So I decided to upgrade nginx to one that supports OpenSSL 3 by following this: https://medium.com/p/b7873069402a. That overcame the bug; now I just need to make sure the URI is correct to access the desired key.
Make sure OpenSSL supports PKCS#11 by executing openssl engine -t -c and looking for pkcs11 as an accessible engine before configuring Nginx to load the SSL key from SoftHSM. Use softhsm2-util --show-slots to confirm that SoftHSM is configured correctly, and make sure that the Nginx configuration has ssl_engine pkcs11; in the http block.
Furthermore, make sure the nginx user has the appropriate permissions to access SoftHSM tokens and configuration files by setting the SOFTHSM2_CONF environment variable in the Nginx configuration file to point to the SoftHSM configuration. To troubleshoot further, look for more descriptive problem messages in the Nginx error log (/var/log/nginx/error.log).
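The checks listed in the answer above, as an added shell example that is not part of the original question or answers: it assumes the output formats of openssl engine -t -c and softhsm2-util --show-slots shown in the constructed samples, and that the SoftHSM config uses the directories.tokendir key.

```shell
#!/bin/sh
# Added example: pre-flight checks for nginx loading a key through the
# OpenSSL pkcs11 engine from SoftHSM. Each check reads the command output
# from stdin, so it works on live output or a saved copy.

# Does `openssl engine -t -c` list a pkcs11 engine marked "[ available ]"?
pkcs11_engine_available() {
    awk '/^\(pkcs11\)/ { inblk = 1; next }
         /^\(/         { inblk = 0 }
         inblk && /\[ available \]/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Does `softhsm2-util --show-slots` show an initialized token with label $1?
softhsm_token_present() {
    awk -v want="$1" '
        /^Slot [0-9]+/      { init = 0 }
        /Initialized: *yes/ { init = 1 }
        /Label:/ { sub(/.*Label: */, ""); if (init && $0 == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Token directory named by a SoftHSM config (directories.tokendir = /path).
softhsm_tokendir() {
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Can the current user read the config and list its token directory?
# nginx workers run as the account in the "user" directive, so run this
# as that account (sudo -u nginx sh ...) to see what nginx sees.
softhsm_readable() {
    [ -r "$1" ] || return 1
    dir=$(softhsm_tokendir "$1")
    [ -n "$dir" ] && [ -r "$dir" ] && [ -x "$dir" ]
}

# Constructed sample outputs standing in for the live commands.
ENGINE_SAMPLE='(dynamic) Dynamic engine loading support
     [ unavailable ]
(pkcs11) pkcs11 engine
     [RSA, DSA, DH, EC, rand, PKEY]
     [ available ]'
SLOTS_SAMPLE='Slot 0
    Token info:
        Model:            SoftHSM v2
        Initialized:      yes
        Label:            mytoken2'

printf '%s\n' "$ENGINE_SAMPLE" | pkcs11_engine_available && echo "pkcs11 engine: available"
printf '%s\n' "$SLOTS_SAMPLE" | softhsm_token_present mytoken2 && echo "token mytoken2: present"
```

Against a live system, pipe the real commands into the checks (openssl engine -t -c | pkcs11_engine_available; softhsm2-util --show-slots | softhsm_token_present mytoken2) and call softhsm_readable "$SOFTHSM2_CONF" as the nginx user.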