Lambda Runtime Node 18 and OpenSSL issue

0

Hi all, I've been working on a migration from the Node 16 to the Node 18 runtime for a few Lambdas, but I encountered an issue with the certificates. We create an https.Agent() to pass the config to the HTTP request; the pfx property is a buffer of a p12 certificate.

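const https = require('https');

// `certificate` is a Buffer holding the contents of the PKCS#12 (.p12) file
const options = {
  pfx: certificate,
  passphrase: 'test',
  rejectUnauthorized: true,
};

const sslConfiguredAgent = new https.Agent(options);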

I found the issue is related to OpenSSL in the core Node libraries, so to work around it I tried the following approaches:

  • Declare the node variable NODE_OPTIONS=--openssl-legacy-provider as an environment variable of the lambda
    • This gives me the error: "Unable to load Legacy Provider" in the Init phase of the lambda
  • Create a wrapper script to set the env variable and then yield the lambda execution
    • This gives FUNCTION_ERROR_INIT_FAILURE when they try to initialize the provisioned concurrency.

Wrapper script accessed from AWS_LAMBDA_EXEC_WRAPPER: /opt/data/wrapper

#!/bin/bash

args=("$@")

export NODE_OPTIONS="--openssl-legacy-provider"

exec "${args[@]}"

Maybe the error could be related to the script, but I built it based on the information I found about it.

  1. Is there a restriction on Node 18 Runtime on lambda to not allow the OpenSSL legacy provider to be used?
  2. Do you guys see any enhancement on the wrapper script to make it work?
  3. Is there another workaround for sending the pfx property through https.Agent() that avoids the Error: unsupported at configSecureContext (node:internal/tls/secure-context:278:15)?

Ivan
asked 2 months ago · 358 views

2 Answers
0

It seems like you've encountered an issue with OpenSSL compatibility when migrating to Node.js 18 runtime in AWS Lambda. Here are some suggestions to address this:

  • Check Lambda Execution Environment: Ensure that the Lambda execution environment supports the --openssl-legacy-provider flag. Some Lambda execution environments may have restrictions or limitations on environment variables and command-line options.
  • Verify Wrapper Script: Double-check the wrapper script to ensure that it correctly sets the NODE_OPTIONS environment variable before executing the Lambda function. Make sure that the script has the necessary permissions to execute and access resources.
  • Consider Alternative Approaches: Instead of using a PFX certificate with https.Agent(), consider other options such as using PEM certificates or integrating with AWS Certificate Manager (ACM) for SSL/TLS support. You can also explore using libraries or modules that provide better compatibility with Node.js 18 runtime and AWS Lambda environment.
EXPERT
answered 2 months ago
0

I found my way around this block by updating the cipher on the pfx file following this git issue link. Once this was done, Node 18 was able to send it through the HTTP Request without using the flag --openssl-legacy-provider.

Commands used to update the cipher:

openssl pkcs12 -in currentFile.p12 -nodes -legacy -out decryptedPfxFile.tmp
openssl pkcs12 -in decryptedPfxFile.tmp -export -out newFile.p12

These commands will ask for the passphrase used on the current file.

Ivan
answered 2 months ago
EXPERT
reviewed a month ago
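
An added example, not part of the original question or answers: a Node.js pre-deployment check that scans a .p12 buffer for the PKCS#12 password-based-encryption OIDs and reports whether any of them is an RC2 or RC4 scheme, which OpenSSL 3 provides only through its legacy provider. The names `PBE_SCHEMES`, `encodeOid` and `scanPkcs12` are hypothetical, and the byte scan is a heuristic, not a full ASN.1 parse.

```javascript
// PKCS#12 PBE schemes (RFC 7292, Appendix C) plus PBES2 (RFC 8018).
// Assumption: `legacy: true` marks the RC2/RC4 schemes, whose ciphers
// OpenSSL 3 provides only through its legacy provider.
const PBE_SCHEMES = [
  { oid: '1.2.840.113549.1.12.1.1', name: 'pbeWithSHAAnd128BitRC4', legacy: true },
  { oid: '1.2.840.113549.1.12.1.2', name: 'pbeWithSHAAnd40BitRC4', legacy: true },
  { oid: '1.2.840.113549.1.12.1.3', name: 'pbeWithSHAAnd3-KeyTripleDES-CBC', legacy: false },
  { oid: '1.2.840.113549.1.12.1.4', name: 'pbeWithSHAAnd2-KeyTripleDES-CBC', legacy: false },
  { oid: '1.2.840.113549.1.12.1.5', name: 'pbeWithSHAAnd128BitRC2-CBC', legacy: true },
  { oid: '1.2.840.113549.1.12.1.6', name: 'pbeWithSHAAnd40BitRC2-CBC', legacy: true },
  { oid: '1.2.840.113549.1.5.13', name: 'PBES2', legacy: false },
];

// DER-encode a dotted OID: tag 0x06, length, then base-128 encoded arcs.
function encodeOid(dotted) {
  const [first, second, ...rest] = dotted.split('.').map(Number);
  const body = [40 * first + second];
  for (const arc of rest) {
    const chunk = [arc & 0x7f];
    for (let v = arc >>> 7; v > 0; v >>>= 7) chunk.unshift((v & 0x7f) | 0x80);
    body.push(...chunk);
  }
  return Buffer.from([0x06, body.length, ...body]);
}

// Heuristic: the AlgorithmIdentifier OIDs of the key and certificate bags sit
// unencrypted in the file, so a byte search finds them. The cipher nested
// inside a PBES2 parameter block is not inspected.
function scanPkcs12(buf) {
  const found = PBE_SCHEMES.filter((s) => buf.includes(encodeOid(s.oid)));
  return {
    schemes: found.map((s) => s.name),
    needsLegacyProvider: found.some((s) => s.legacy),
  };
}

// Constructed sample: only the algorithm-identifier bytes of an old-style
// export, not a complete PKCS#12 file.
const sample = Buffer.concat([
  Buffer.from([0x30, 0x1c]),
  encodeOid('1.2.840.113549.1.12.1.6'),
  Buffer.from([0x30, 0x0e]),
]);
console.log(scanPkcs12(sample));
```

Pass it the same buffer that goes into the `pfx` option; a file that reports `needsLegacyProvider: true` is a candidate for the re-export shown in the answer above.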
