17 Feb
Nginx Fails to Load PKCS#11 Key—But Works with strace. Why?
I'm trying to set up an Nginx proxy that uses a private key stored in SoftHSM through an SSH socket connection. The setup is as follows:
[SoftHSM Container] -----ssh -R ...... --> [Nginx Proxy Container]
The Nginx proxy is configured to use the PKCS11 engine to access the key. Here's my configuration:
ssl_certificate /etc/ssl/certs/bundle.proxy.crt;
ssl_certificate_key "engine:pkcs11:pkcs11:token=abc;object=nginxProxy;type=private?pin-value=7890";
When I start Nginx using service nginx start, I get this error:
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
nginx: [emerg] cannot load certificate key "engine:pkcs11:pkcs11:token=mimi;object=nginxProxy;type=private?pin-value=1234": ENGINE_load_private_key() failed (SSL: error:40000065:pkcs11 engine::object not found error:13000080:engine routines::failed loading private key)
What I've tried:
- Verified the key exists in the Nginx container
- Confirmed the key matches the certificate
- Tested the key by signing and verifying using p11-kit and openssl
Interestingly, when I run Nginx with strace:
strace -f -e trace=file,network nginx
The nginx server magically starts successfully.
Question: Why does Nginx start successfully when running with strace but fail otherwise? What could be causing this behavior? Thank you.