The operating system my web server runs on is (include version):
Ubuntu Linux 16.04 LTS
My hosting provider, if applicable, is:
Amazon AWS, EC2, CloudHSM
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
We are running LetsEncrypt Boulder on an AWS EC2 instance, and it is configured to talk to an AWS CloudHSM for signing.
We followed the Amazon instructions to install and configure the CloudHSM and we can talk to is using:
/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
When we launch Boulder, we getting tanalizingly close, but we are running into an error as we try to login
to the HSM to upload our private keys.
We’ve added some debugging statements so it barfs out some details just before it fails.
We’re having trouble diagnosing exactly what is going wrong as we try to login to the HSM, but it is complaining about “CKR_ARGUMENTS_BAD”.
You can see below, there is only 1 slot, and the predefined label is “cavium”, the hardware manufacturer (I think).
In the HSM management tool, we login using a username like “admin” instead of a userid like “1”, but I am not sure if that is why it is failing. I presume the “pin” refers to the password we have assigned, and are able to test directly in the management utility.
pkcs11key: &{Module:/usr/local/lib/libpkcs11-proxy.so TokenLabel:cavium PIN:5678 PrivateKeyLabel:intermediate_key}
DEBUG: New, modulePath: /usr/local/lib/libpkcs11-proxy.so tokenLabel: cavium pin: 5678 privateKeyLabel: intermediate_key
DEBUG: initialize, modulePath: /usr/local/lib/libpkcs11-proxy.so
DEBUG: setup, privateKeyLabel: intermediate_key
DEBUG: openSession
DEBUG: ps.module.GetSlotList: len(slots) = 1
DEBUG: tokenInfo.Label = cavium
DEBUG: slot: 1
DEBUG: session created using ps.module.OpenSession
DEBUG: login failed using ps.module.Login, CKU_USER: 1 ps.pin: 5678
E231648 boulder-ca [AUDIT] Couldn't load private key: pkcs11key: problem making Key: pkcs11: 0x7: CKR_ARGUMENTS_BAD
Couldn't load private key: pkcs11key: problem making Key: pkcs11: 0x7: CKR_ARGUMENTS_BAD
If anyone in the LetsEncrypt community has some real-life hands-on experience with Amazon AWS CloudHSM, and/or any kind of knowledge about how Boulder actually runs in production (on Amazon?), we would be eternally grateful if you could provide a few pointers to help us navigate this particular obstacle.
I feel confident that once we are able to coax Boulder to login
to our CloudHSM, the rest of the code should work!
Any help or suggestions appreciated.