- Environment summary
- AWS Amazon Linux 2 - c5.xlarge (minimum required spec)
- Service k8s - Master 1, Worker 2
- AWS Route 53
- AWS ACM certificate issuance
- Tool : aws cli command
- Installation flow (Installing and configuring ACM for Nitro Enclaves)
- Step 1: Create the AWS Certificate Manager certificate
- Step 2: Launch the enclaves-enabled parent instance
- Step 3: Prepare the IAM role
- Step 4: Associate the role with the ACM certificate
- Step 5: Grant the role permission to access the certificate and encryption key
- Step 6: Attach the role to the instance
- Step 7: Configure NGINX to use ACM for Nitro Enclaves
- Using multiple certificates
- Notes
Step 3
- Create a JSON file and create the IAM role with the aws cli
Step 5
- The IAM role must carry the KMS grant (kms:Decrypt on the certificate's encryption key), otherwise the certificate is not fetched correctly
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::aws-ec2-enclave-certificate-ap-northeast-2-prod/*" ]
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": [
        "arn:aws:kms:ap-northeast-2:*:key/ResourceName",
        "arn:aws:kms:ap-northeast-2:*:key/ResourceName2",
        "arn:aws:kms:ap-northeast-2:*:key/ResourceName3"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:GetRole",
      "Resource": "arn:aws:iam::ACCOUNTID:role/acm-role"
    }
  ]
}
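As an added check, not part of these notes or of the AWS tooling, a small Python script that verifies an IAM policy document carries the three grants Step 5 needs (s3:GetObject on the regional enclave-certificate bucket, kms:Decrypt on every certificate's key, iam:GetRole on the role) and flags grants on "*" that go beyond least privilege. The embedded policy is a constructed sample mirroring the one above; region, key ARNs and role ARN are parameters.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: mirrors the Step 5 policy above, with a placeholder key id.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::aws-ec2-enclave-certificate-ap-northeast-2-prod/*"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": ["arn:aws:kms:ap-northeast-2:*:key/KEY-1"]},
    {"Effect": "Allow", "Action": "iam:GetRole",
     "Resource": "arn:aws:iam::ACCOUNTID:role/acm-role"}
  ]}""")

REQUIRED_ACTIONS = ("s3:GetObject", "kms:Decrypt", "iam:GetRole")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_resources(policy, action):
    """Resource patterns on which `action` is explicitly allowed (Deny statements are ignored)."""
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and action in _as_list(st.get("Action", [])):
            out.update(_as_list(st.get("Resource", [])))
    return out

def _granted(patterns, arn):
    # '*' in an IAM resource pattern is a wildcard, e.g. in the account-id position.
    return any(fnmatchcase(arn, p) for p in patterns)

def missing_permissions(policy, region, key_arns, role_arn):
    """List what the ACM for Nitro Enclaves role still lacks; an empty list means complete."""
    missing = []
    bucket = f"arn:aws:s3:::aws-ec2-enclave-certificate-{region}-prod"
    if not _granted(allowed_resources(policy, "s3:GetObject"), bucket + "/object"):
        missing.append(f"s3:GetObject on {bucket}/*")
    kms = allowed_resources(policy, "kms:Decrypt")
    for arn in key_arns:  # one key per ACM certificate the instance will serve
        if not _granted(kms, arn):
            missing.append(f"kms:Decrypt on {arn}")
    if not _granted(allowed_resources(policy, "iam:GetRole"), role_arn):
        missing.append(f"iam:GetRole on {role_arn}")
    return missing

def broad_grants(policy):
    """Actions granted on every resource ('*'): wider than the enclave service needs."""
    return sorted(a for a in REQUIRED_ACTIONS if "*" in allowed_resources(policy, a))
```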
Behavior on certificate renewal
- The nitro engine (the ACM for Nitro Enclaves service) polls ACM every 10 minutes by default; when the certificate has changed it is updated automatically, and the update triggers an nginx worker process reload
- Once a client actually connects, it is served with the changed certificate automatically
# journalctl -u nitro-enclaves-acm.service -f
4월 11 16:29:10 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO | Syncing token nginx-acm-token
4월 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO | Syncing token vpn-openbase-cert
4월 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO | NGINX certificate changed. Updating token vpn-openbase-cert.   <<-- automatic update on change
4월 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO | Syncing token cco-cert
4월 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO | Reloading NGINX config
- If the nitro engine is restarted after the certificate has changed, the certificate conf file is regenerated (a certificate renewal while the nitro engine is running does not change the file contents)
- Checking the pin-value
[ec2-user@ip-10-10-10-10 nginx]$ sudo cat vpn-openbase-cert.conf
ssl_certificate_key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=vpn-openbase-cert;(omitted)";
ssl_certificate "/run/nitro_enclaves/acm/nginx-cert-NAME.pem";

[ec2-user@ip-10-10-10-10 nginx]$ sudo cat vpn-openbase-cert.conf
ssl_certificate_key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=vpn-openbase-cert;(omitted)";
ssl_certificate "/run/nitro_enclaves/acm/nginx-cert-NAME.pem";
- nginx service status - the master and worker PIDs have all changed
Main PID: 15015 (nginx)
  CGroup: /system.slice/nginx.service
          ├─15015 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
          ├─15026 nginx: worker process
          └─15027 nginx: worker process

Main PID: 15331 (nginx)
  CGroup: /system.slice/nginx.service
          ├─15331 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
          ├─15343 nginx: worker process
          └─15344 nginx: worker process
- Checking the nitro and nginx process status
journalctl -u nitro-enclaves-acm.service
journalctl -u nginx.service
- Restarting and updating the nitro engine
sudo systemctl restart nitro-enclaves-acm.service
sudo yum update aws-nitro-enclaves-acm
- nitro multiple-certificate sample
tokens:
  # A label for this PKCS#11 token
  - label: nginx-acm-token
    # Configure a managed token, sourced from an ACM certificate.
    source:
      Acm:
        # The certificate ARN
        # Note: this certificate must have been associated with the
        # IAM role assigned to the instance on which ACM for
        # Nitro Enclaves is run.
        certificate_arn: "arn:aws:acm:us-east-1:123456789:certificate/d4c3b2a1-xxxx-xxxx-xxx-EXAMPLE"
    target:
      NginxStanza:
        # Path to the nginx stanza to be written by the ACM service whenever
        # the certificate configuration changes (e.g. after a certificate renewal).
        # This file must be included from the main nginx config `server` section,
        # as it will contain the TLS nginx configuration directives.
        path: /etc/pki/nginx/nginx-acm.conf
        # Stanza file owner (i.e. the user nginx is configured to run as).
        user: nginx
  # PKCS#11 token 2
  - label: token_2_name
    source:
      Acm:
        certificate_arn: "certificate_2_ARN"
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm-2.conf
        user: nginx
  # PKCS#11 token 3
  - label: token_3_name
    source:
      Acm:
        certificate_arn: "certificate_3_ARN"
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm-3.conf
        user: nginx