From d81a6e82b59d3ab432b10ce4df9a72ca65d08996 Mon Sep 17 00:00:00 2001
From: kickouille <53976543+kickouille@users.noreply.github.com>
Date: Sat, 4 May 2024 22:03:15 +0200
Subject: [PATCH 1/3] Update openssl.cnf

dynamic_path is wrong, nginx is was not starting.
---
 container/nginx/openssl.cnf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/container/nginx/openssl.cnf b/container/nginx/openssl.cnf
index 784dd95e..17567050 100644
--- a/container/nginx/openssl.cnf
+++ b/container/nginx/openssl.cnf
@@ -8,6 +8,6 @@ pkcs11 = pkcs11_section
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
 MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so
 init = 0

From 35e9ae18a719eed29274fe46ecfe4234e4352e88 Mon Sep 17 00:00:00 2001
From: kickouille <53976543+kickouille@users.noreply.github.com>
Date: Sat, 4 May 2024 22:05:51 +0200
Subject: [PATCH 2/3] Update httpd.conf

Change SSLCertificateFile with PKCS11 source instead of certificate file.
---
 container/apache/httpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/container/apache/httpd.conf b/container/apache/httpd.conf
index 8d9ea44d..6481b5fe 100644
--- a/container/apache/httpd.conf
+++ b/container/apache/httpd.conf
@@ -91,7 +91,7 @@ SSLRandomSeed connect builtin
 DocumentRoot /usr/local/apache2/htdocs
 SSLEngine on
- SSLCertificateFile /certs/certificate.pem
+ SSLCertificateFile "pkcs11:object=webserver"
 SSLCertificateKeyFile "pkcs11:object=webserver"
 ErrorLog /tmp/a-error.log
 CustomLog /tmp/a-access.log combined

From 43aca1b92fc90ccd522a9f5afa3634f59c290b47 Mon Sep 17 00:00:00 2001
From: kickouille <53976543+kickouille@users.noreply.github.com>
Date: Sat, 4 May 2024 22:07:01 +0200
Subject: [PATCH 3/3] Update Dockerfile

No need to copy the certificate anymore as it is pulled by Apache from nethsm.
---
 container/apache/Dockerfile | 1 -
 1 file changed, 1 deletion(-)
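Review bot: The new dynamic_path still hardcodes both the architecture triplet and the OpenSSL major version, so the failure this patch fixes (engine library not found, nginx refusing to start) will come back the next time the base image changes arch or OpenSSL release; the value should be derived from whatever package installs the engine rather than typed by hand. A comment next to the line would also stop the next reader from reverting it to the 1.1 layout, e.g. `# libp11 engine for the image's OpenSSL 3 (engines-3/); engines-1.1/libpkcs11.so is the OpenSSL 1.1 layout`. Since the ENGINE API is deprecated in OpenSSL 3, a note in the file header that a provider-based PKCS#11 setup is the intended successor would help whoever maintains this. The same engine section is presumably mirrored in container/apache/openssl.cnf (added by the Dockerfile in patch 3/3), which is not touched here — confirm it carries the same path.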
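Review bot: `SSLCertificateFile "pkcs11:object=webserver"` makes mod_ssl fetch the certificate through the PKCS#11 engine, which only works when mod_ssl has ENGINE support and `SSLCryptoDevice pkcs11` is set; that directive is not visible in this hunk, so confirm it exists elsewhere in httpd.conf, as mod_ssl will not load an engine keypair without it and startup fails. The URI selects the object by label only, with no `token=` or `type=` attribute, so if more than one token or module is visible on the slot list the first match wins — pinning the token and object type with the RFC 7512 attributes avoids serving an unintended certificate. A short comment above the two directives, e.g. `# Certificate and key are both loaded from the NetHSM through the pkcs11 engine (see openssl.cnf); no certificate file ships in the image`, would explain why no file path appears here. The enclosing VirtualHost (the indented block) appears to start before the hunk.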
diff --git a/container/apache/Dockerfile b/container/apache/Dockerfile
index c2c64f75..c9d8c3d9 100644
--- a/container/apache/Dockerfile
+++ b/container/apache/Dockerfile
@@ -13,7 +13,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /rust/build/target/release/libnethsm_pkcs11.so /usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so
-COPY _certificate.pem /certs/certificate.pem
 ADD container/apache/openssl.cnf /etc/ssl/openssl.cnf
 ADD container/apache/p11nethsm.conf /etc/nitrokey/p11nethsm.conf