
I am trying to configure SSL in nginx.conf, and it needs to load the key from SoftHSM instead of from a file.

Here is the file /etc/nginx/nginx.conf

user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
ssl_engine pkcs11;
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server {
        listen 80;
        listen 443 ssl;
        ssl_protocols    TLSv1.2 TLSv1.3;
#       include snippets/ssl-params.conf;
        server_name www.SEexample.com SEexample.com;
        ssl_certificate /etc/ssl/certs/seexample.com.crt;
        ssl_certificate_key "engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;type=private?pin=1234";
        root /var/www/html;
        index index.html;
        ssl_trusted_certificate /etc/ssl/certs/SEcombine2.crt;
    }
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
}

And when I run sudo nginx -t, it says:

Failed to enumerate slots
PKCS11_get_private_key returned NULL
nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;": ENGINE_load_private_key() failed (SSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key)
free(): invalid pointer
Aborted

Note that:

  • Without ssl_engine pkcs11; and with ssl_certificate_key loaded from a file, the nginx server connected successfully.
  • This command (below) works perfectly, which means that the pkcs11 URI is correct. For the URI I set in the nginx.conf file, I tried it with 'pin' or 'pin-value' or without 'pin'; it didn't help.

sudo openssl req -engine pkcs11 -keyform engine -key "pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;type=private" -new -sha512 -out csr/secert.csr -config req.cnf
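As an added example (not part of the question or of either answer), the script below parses, lints and rebuilds the value nginx expects in ssl_certificate_key. nginx strips the "engine:" prefix, takes the engine name up to the next colon, and hands everything after that colon to ENGINE_load_private_key() unchanged, which is why "pkcs11:" appears twice in the directive: once as the engine name and once as the URI scheme. The remainder is an RFC 7512 PKCS#11 URI: path attributes (model, token, object, type, ...) are separated by ';', query attributes (pin-value, pin-source, module-name, module-path) follow '?', and spaces or other reserved characters must be percent-encoded, as in model=SoftHSM%20v2. The lint function flags attribute names RFC 7512 does not define, such as the bare pin= from the question; vendor extensions exist and a given engine build may accept them anyway, so its output is a checklist, not a verdict. All sample values are the ones from the question.

```python
"""Parse, lint and build the ssl_certificate_key value that nginx passes to the
OpenSSL pkcs11 engine.  Added example: the attribute tables come from RFC 7512
and the sample values are those in the question above."""
from urllib.parse import quote, unquote

# RFC 7512 path attributes (before '?', separated by ';').
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
# RFC 7512 query attributes (after '?', separated by '&').
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def split_engine_key(value):
    """Split 'engine:<name>:<key id>' the way nginx does: the engine name ends
    at the first ':' after 'engine:', and everything after it is the key id."""
    if not value.startswith("engine:"):
        raise ValueError("not an engine: key reference")
    parts = value.split(":", 2)
    if len(parts) != 3 or not parts[1]:
        raise ValueError("expected engine:<name>:<key id>")
    return parts[1], parts[2]


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) as dicts with percent-decoded values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("key id does not start with the pkcs11: scheme")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def parse(part, sep):
        attrs = {}
        for item in part.split(sep):
            if item:
                key, _, val = item.partition("=")
                attrs[key] = unquote(val)
        return attrs

    return parse(path_part, ";"), parse(query_part, "&")


def lint_pkcs11_uri(uri):
    """List things worth checking before blaming nginx or the HSM."""
    problems = []
    if " " in uri:
        problems.append("literal space in URI; percent-encode it (e.g. SoftHSM%20v2)")
    path, query = parse_pkcs11_uri(uri)
    for key in path:
        if key not in PATH_ATTRS:
            problems.append(f"'{key}' is not an RFC 7512 path attribute")
    for key in query:
        if key not in QUERY_ATTRS:
            problems.append(f"'{key}' is not an RFC 7512 query attribute "
                            "(the PIN goes in pin-value or pin-source)")
    if path.get("type") != "private":
        problems.append("type=private missing; say which object class you want")
    if not any(k in path for k in ("token", "serial", "slot-id")):
        problems.append("no token, serial or slot-id; every slot may be searched")
    if not any(k in path for k in ("object", "id")):
        problems.append("no object or id; the key is not identified")
    return problems


def build_engine_key(path_attrs, query_attrs=None):
    """Build the nginx directive value from attribute dicts, percent-encoding
    every value (encoding more than RFC 7512 strictly requires is still valid)."""
    uri = "pkcs11:" + ";".join(f"{k}={quote(v, safe='')}" for k, v in path_attrs.items())
    if query_attrs:
        uri += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in query_attrs.items())
    return "engine:pkcs11:" + uri


if __name__ == "__main__":
    # The directive from the question, with the bare pin= exactly as written there.
    directive = ("engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;"
                 "object=sekey;type=private?pin=1234")
    engine, key_id = split_engine_key(directive)
    print("engine:", engine)
    print("key id:", key_id)
    for problem in lint_pkcs11_uri(key_id):
        print("check:", problem)
    print(build_engine_key({"model": "SoftHSM v2", "token": "mytoken2",
                            "object": "sekey", "type": "private"},
                           {"pin-value": "1234"}))
```

Run it as-is to see the one item it flags in the question's directive, then feed it your own directive; build_engine_key() is the safer way to produce the value when token or object labels contain spaces or punctuation.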

2 Answers


  1. Chosen as BEST ANSWER

    Update to my solution: I checked the version of nginx:

    $nginx -V
    nginx version: nginx/1.19.6
    built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
    built with OpenSSL 1.1.0l  10 Sep 2019 (running with OpenSSL 1.1.1f  31 Mar 2020)
    

    I suspect that that version of OpenSSL will not work with that PKCS11 URI, so I decided to upgrade nginx to a build that supports OpenSSL 3 by following this: https://medium.com/p/b7873069402a. That overcame the bug; now I just need to make sure the URI is correct to access the desired key.


  2. Make sure OpenSSL supports PKCS#11 by executing openssl engine -t -c and looking for pkcs11 as an accessible engine before configuring Nginx to load the SSL key from SoftHSM. Use softhsm2-util --show-slots to confirm that SoftHSM is configured correctly, and make sure that the Nginx configuration has ssl_engine pkcs11; in the http block.

    Furthermore, make sure the nginx user has the appropriate permissions to access SoftHSM tokens and configuration files by setting the SOFTHSM2_CONF environment variable in the Nginx configuration file to point to the SoftHSM configuration. To troubleshoot further, look for more descriptive problem messages in the Nginx error log (/var/log/nginx/error.log).
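The answer above says to confirm that the account nginx runs as can reach the SoftHSM configuration and the token directory. The script below is an added example, not the answer's own code: it parses a softhsm2.conf (the file SOFTHSM2_CONF points at) for directories.tokendir and walks that directory as a given uid/gid would, listing every directory that uid cannot read and search and every file it cannot read. The uid/gid and the directory layout in demo() are constructed for the demonstration; the permission set it checks (read and search on directories, read on files) is an assumption about what the token store needs, and write access, which operations that change the token require, is not checked. Note that sudo nginx -t in the question ran as root, so this check concerns the runtime user nginx; account (line 7 of the posted config) rather than the root-level failure shown in the question.

```python
"""Check whether a uid/gid can read a SoftHSM token directory.  Added example,
not the answer's code.  Assumption: the token store needs read + search on
every directory and read on every file; write access is not checked."""
import os
import shutil
import stat
import tempfile

# Constructed stand-ins for the nginx worker account (hypothetical ids).
NGINX_UID = 60001
NGINX_GID = 60001


def parse_softhsm_conf(text):
    """Parse softhsm2.conf: 'key = value' lines, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf


def _allowed(st, uid, gids, want):
    """True if uid (member of gids) has every bit in 'want' ("r"/"x") on the
    entry described by stat result st.  uid 0 is treated as unrestricted."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = {"r": stat.S_IRUSR, "x": stat.S_IXUSR}
    elif st.st_gid in gids:
        bits = {"r": stat.S_IRGRP, "x": stat.S_IXGRP}
    else:
        bits = {"r": stat.S_IROTH, "x": stat.S_IXOTH}
    return all(st.st_mode & bits[w] for w in want)


def token_dir_problems(tokendir, uid, gids):
    """Walk tokendir the way a PKCS#11 client enumerating tokens would and
    return a list of entries the given uid/gids cannot use."""
    if not os.path.isdir(tokendir):
        return [f"tokendir {tokendir} does not exist"]
    problems = []
    for root, _dirs, files in os.walk(tokendir):
        if not _allowed(os.stat(root), uid, gids, "rx"):
            problems.append(f"no read/search access to directory {root}")
        for name in files:
            path = os.path.join(root, name)
            if not _allowed(os.stat(path), uid, gids, "r"):
                problems.append(f"no read access to {path}")
    return sorted(problems)


def demo():
    """Constructed layout: one token directory readable by everyone, one
    locked to its owner.  Returns the problems seen from NGINX_UID."""
    base = tempfile.mkdtemp()
    try:
        conf = parse_softhsm_conf(
            f"directories.tokendir = {base}/tokens  # constructed\n"
            "objectstore.backend = file\n")
        tokendir = conf["directories.tokendir"]
        good = os.path.join(tokendir, "aaaa-shared-token")
        bad = os.path.join(tokendir, "bbbb-owner-only-token")
        os.makedirs(good)
        os.makedirs(bad)
        os.chmod(tokendir, 0o755)
        os.chmod(good, 0o755)
        os.chmod(bad, 0o700)
        for directory, mode in ((good, 0o644), (bad, 0o600)):
            path = os.path.join(directory, "token.object")
            open(path, "wb").close()
            os.chmod(path, mode)
        return token_dir_problems(tokendir, NGINX_UID, {NGINX_GID})
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for problem in demo():
        print("check:", problem)
```

On a real host, replace the constructed layout with the result of parse_softhsm_conf(open(os.environ.get("SOFTHSM2_CONF", "/etc/softhsm/softhsm2.conf")).read()) and the ids from pwd.getpwnam("nginx"); the default configuration path is an assumption to verify against your distribution.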
