• Environment summary
    • AWS Amazon Linux 2 - c5.xlarge (minimum required spec)
    • Service k8s - Master 1, Worker 2
    • AWS Route 53
    • AWS ACM certificate issuance
    • Tool: aws cli command


  • Notes
    • Step 3
      • Create the IAM role with the aws cli from a JSON policy file
    • Step 5
      • The IAM role must include the KMS statement (kms:Decrypt); without it the certificate is not fetched correctly
    • {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:GetObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::aws-ec2-enclave-certificate-ap-northeast-2-prod/*"
                  ]
              },
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "kms:Decrypt"
                  ],
                  "Resource": [
                      "arn:aws:kms:ap-northeast-2:*:key/ResourceName",
                      "arn:aws:kms:ap-northeast-2:*:key/ResourceName2",
                      "arn:aws:kms:ap-northeast-2:*:key/ResourceName3"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": "iam:GetRole",
                  "Resource": "arn:aws:iam::ACCOUNTID:role/acm-role"
              }
          ]
      }
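Added example (not part of the original notes): a small check for the instance-role policy that reports which of the three permissions the Step 5 note depends on are missing, so a role that lacks kms:Decrypt is caught before the certificate silently fails to load. The ARN prefixes and the sample policy are constructed from the document above, with the KMS statement deliberately left out.

```python
import json

# Permissions the Step 5 note calls out: each action must be allowed on a
# resource under the given ARN prefix (prefixes constructed for this example).
REQUIRED = {
    "s3:GetObject": "arn:aws:s3:::aws-ec2-enclave-certificate-",
    "kms:Decrypt": "arn:aws:kms:",
    "iam:GetRole": "arn:aws:iam::",
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def missing_permissions(policy: dict) -> list:
    """Return the required actions no Allow statement grants on a matching resource."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action, prefix in REQUIRED.items():
            if action in actions and any(r.startswith(prefix) for r in resources):
                granted.add(action)
    return [a for a in REQUIRED if a not in granted]


def with_kms_decrypt(policy: dict, key_arns: list) -> dict:
    """Return a deep copy of policy with a kms:Decrypt statement for key_arns added."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"].append(
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": key_arns})
    return fixed


# Constructed policy: the page's document with its KMS statement left out,
# which is the misconfiguration the Step 5 note warns about.
POLICY_WITHOUT_KMS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::aws-ec2-enclave-certificate-ap-northeast-2-prod/*"]},
        {"Effect": "Allow", "Action": "iam:GetRole",
         "Resource": "arn:aws:iam::ACCOUNTID:role/acm-role"},
    ],
}
```

Run `missing_permissions` on the role's policy document (for example the output of `aws iam get-role-policy`) before starting the nitro-enclaves-acm service.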
      

  • Behaviour on certificate renewal

    • The Nitro engine polls ACM every 10 minutes by default; when the certificate has changed it is updated automatically, and the update triggers an nginx worker process reload
    • Subsequent connections are served with the renewed certificate automatically
  • # journalctl -u nitro-enclaves-acm.service -f
    4월 11 16:29:10 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token nginx-acm-token
    4월 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token vpn-openbase-cert
    4월 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | NGINX certificate changed. Updating token vpn-openbase-cert.  <<-- automatic update on change
    4월 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token cco-cert
    4월 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Reloading NGINX config
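Added example (not from the original notes): a parser for p11ne-agent lines like those above that reports which tokens were synced, which certificate changed, and flags a certificate change that was not followed by an nginx reload (in which case the workers would still be serving the old certificate). The log lines are constructed from the output above with an English date; hostname and PID are placeholders.

```python
import re

# Constructed journalctl lines modelled on the output above; hostname and
# PID are placeholders and the date is rendered in English.
SAMPLE_LOG = """\
Apr 11 16:29:10 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token nginx-acm-token
Apr 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token vpn-openbase-cert
Apr 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | NGINX certificate changed. Updating token vpn-openbase-cert.
Apr 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token cco-cert
Apr 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Reloading NGINX config
"""

# journald prefix (month, day, time, host, unit[pid]) then the agent's "|LEVEL | message".
LINE_RE = re.compile(
    r"^\S+ \d+ \d\d:\d\d:\d\d \S+ p11ne-agent\[\d+\]: \|(?P<level>\w+)\s*\| (?P<msg>.*)$")
SYNC_RE = re.compile(r"^Syncing token (\S+)$")
CHANGED_RE = re.compile(r"^NGINX certificate changed\. Updating token (\S+)\.$")
RELOAD_MSG = "Reloading NGINX config"


def summarize_sync(log: str) -> dict:
    """Summarise one sync pass: tokens synced, tokens whose certificate changed,
    reload count, and whether a change was left without an nginx reload."""
    synced, changed, reloads = [], [], 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a p11ne-agent line
        msg = m["msg"]
        if sync := SYNC_RE.match(msg):
            synced.append(sync.group(1))
        elif chg := CHANGED_RE.match(msg):
            changed.append(chg.group(1))
        elif msg == RELOAD_MSG:
            reloads += 1
    return {
        "synced": synced,
        "changed": changed,
        "reloads": reloads,
        # A changed certificate with no reload means the nginx workers are
        # still serving the old certificate; worth alerting on.
        "change_without_reload": bool(changed) and reloads == 0,
    }
```

Feed it the output of `journalctl -u nitro-enclaves-acm.service --since "-15min"` to verify a renewal end to end.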
    
    • If the Nitro engine is restarted after a certificate change, the certificate conf file is regenerated (a renewal while the Nitro engine is running does not change the file contents)
    • Check the pin-value
  • [ec2-user@ip-10-10-10-10 nginx]$ sudo cat vpn-openbase-cert.conf
    ssl_certificate_key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=vpn-openbase-cert;...omitted...";
    ssl_certificate "/run/nitro_enclaves/acm/nginx-cert-NAME.pem";
    
    [ec2-user@ip-10-10-10-10 nginx]$ sudo cat vpn-openbase-cert.conf
    ssl_certificate_key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=vpn-openbase-cert;...omitted...";
    ssl_certificate "/run/nitro_enclaves/acm/nginx-cert-NAME.pem";
    
    • nginx service status - both the master and the worker PIDs have changed
  • Main PID: 15015 (nginx)
      CGroup: /system.slice/nginx.service
              ├─15015 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
              ├─15026 nginx: worker process
              └─15027 nginx: worker process
    
    Main PID: 15331 (nginx)
      CGroup: /system.slice/nginx.service
              ├─15331 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
              ├─15343 nginx: worker process
              └─15344 nginx: worker process
    
    • Check the Nitro and nginx process state
  • journalctl -u nitro-enclaves-acm.service
    journalctl -u nginx.service
    
    • Restart and update the Nitro engine
  • sudo systemctl restart nitro-enclaves-acm.service
    sudo yum update aws-nitro-enclaves-acm
    
    • Nitro multi-certificate sample
  • tokens:
        # A label for this PKCS#11 token
      - label: nginx-acm-token
        # Configure a managed token, sourced from an ACM certificate.
        source:
          Acm:
            # The certificate ARN
            # Note: this certificate must have been associated with the
            #      IAM role assigned to the instance on which ACM for
            #      Nitro Enclaves is run.
            certificate_arn: "arn:aws:acm:us-east-1:123456789:certificate/d4c3b2a1-xxxx-xxxx-xxx-EXAMPLE"
        target:
          NginxStanza:
            # Path to the nginx stanza to be written by the ACM service whenever
            # the certificate configuration changes (e.g. after a certificate renewal).
            # This file must be included from the main nginx config `server` section,
            # as it will contain the TLS nginx configuration directives.
            path: /etc/pki/nginx/nginx-acm.conf
            # Stanza file owner (i.e. the user nginx is configured to run as).
            user: nginx
        # PKCS#11 token 2  
      - label: token_2_name
        source:
          Acm:
            certificate_arn: "certificate_2_ARN"
        target:
          NginxStanza:
            path: /etc/pki/nginx/nginx-acm-2.conf
            user: nginx
        # PKCS#11 token 3
      - label: token_3_name
        source:
          Acm:
            certificate_arn: "certificate_3_ARN"
        target:
          NginxStanza:
            path: /etc/pki/nginx/nginx-acm-3.conf
            user: nginx