我正在尝试在 nginx.conf 中配置 SSL,它需要从 softhsm 而不是文件加载密钥。
这是文件
/etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
ssl_engine pkcs11;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server {
listen 80;
listen 443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
# include snippets/ssl-params.conf;
server_name www.SEexample.com SEexample.com;
ssl_certificate /etc/ssl/certs/seexample.com.crt;
ssl_certificate_key "engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;type=private?pin=1234";
root /var/www/html;
index index.html;
ssl_trusted_certificate /etc/ssl/certs/SEcombine2.crt;
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
当我跑步
sudo nginx -t
时,它说
Failed to enumerate slots
PKCS11_get_private_key returned NULL
nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;": ENGINE_load_private_key() failed (SSL: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key)
free(): invalid pointer
Aborted
请注意:
sudo openssl req -engine pkcs11 -keyform engine -key "pkcs11:model=SoftHSM%20v2;token=mytoken2;object=sekey;type=private" -new -sha512 -out csr/secert.csr -config req.cnf
在配置 Nginx 从 SoftHSM 加载 SSL 密钥之前,通过执行 openssl engine -t -c 并查找 pkcs11 作为可访问的引擎,确保 OpenSSL 支持 PKCS#11。使用softhsm2-util --show-slots确认SoftHSM配置正确,并确保Nginx配置有ssl_engine pkcs11;在 http 块中。
此外,通过将 Nginx 配置文件中的 SOFTHSM2_CONF 环境变量设置为指向 SoftHSM 配置,确保 nginx 用户具有访问 SoftHSM 令牌和配置文件的适当权限。要进一步排除故障,请在 Nginx 错误日志 (/var/log/nginx/error.log) 中查找更多描述性问题消息。