CREATE_FAILED Custom::RFDK_X509Generator openssl: command not found

0

I've been trying to set up a render farm with aws rfdk but even the basic code copied directly from the official "Getting started" guide doesn't work. I get the following error

    7:15:02 AM | CREATE_FAILED        | Custom::RFDK_X509Generator                  | RenderQueueRootCA4708D079
    Received response status [FAILED] from custom resource. Message returned: Command failed: openssl req -x509 -passout env:CERT_PASSPHRASE -newkey rsa:2048 -days 1095 -extensions v3_ca -keyout /tmp/tmp.metU8N/key -out /tmp/tmp.metU8N/crt -subj /CN=RenderQueueRootCA/O=AWS/OU=Thinkbox
    /bin/sh: openssl: command not found

    Error: Command failed: openssl req -x509 -passout env:CERT_PASSPHRASE -newkey rsa:2048 -days 1095 -extensions v3_ca -keyout /tmp/tmp.metU8N/key -out /tmp/tmp.metU8N/crt -subj /CN=RenderQueueRootCA/O=AWS/OU=Thinkbox
    /bin/sh: openssl: command not found

        at ChildProcess.exithandler (node:child_process:402:12)
        at ChildProcess.emit (node:events:513:28)
        at ChildProcess.emit (node:domain:489:12)
        at maybeClose (node:internal/child_process:1100:16)
        at Socket.<anonymous> (node:internal/child_process:458:11)
        at Socket.emit (node:events:513:28)
        at Socket.emit (node:domain:489:12)
        at Pipe.<anonymous> (node:net:301:12) (RequestId: 7a1fa905-f9e4-4643-9db6-9d250c8ec59c)

when running cdk deploy. Detailed information about my environment, docker image, code and library version can be found here https://github.com/aws/aws-rfdk/issues/1108

I suspect this is a bug in the library itself but in case it's something on my end that could be fixed relatively easily I'm also posting this question here on re:Post. Thank you in advance!

3 Answers
0

It appears that you have Miniconda installed on your system, and OpenSSL is available within the Miniconda environment. In this case, you need to ensure that the Miniconda environment is activated before running the AWS CDK, so that the openssl command within the Miniconda environment is accessible.

conda info --envs
conda activate <your-environment>
EXPERT
answered 7 months ago
  • I did

    conda deactivate
    

    and then

    > gcm openssl
    
    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Application     openssl.exe                                        1.1.1.14   C:\tools\cygwin\bin\openssl.exe
    

    I have openssl installed in 3 different places.

    > which -a openssl
    /usr/bin/openssl
    /cygdrive/c/Program Files (x86)/Subversion/bin/openssl
    

    Even without Miniconda it's still accessible. Plus, this only applies to Windows. Inside Docker, openssl is always available.

  • Ok, I cloned aws-rfdk repo and debugged it. I found this code

      private static async generateSelfSigned(
        tmpDir: string,
        subject: DistinguishedName,
        passphrase: string,
        certValidFor: number,
      ): Promise<[string, string]> {
        const crtFile: string = path.join(tmpDir, 'crt');
        const keyFile: string = path.join(tmpDir, 'key');
        const cmd: string =
          'openssl req -x509 ' +
          '-passout env:CERT_PASSPHRASE ' +
          '-newkey rsa:2048 ' +
          `-days ${certValidFor} ` +
          '-extensions v3_ca ' +
          `-keyout ${keyFile} -out ${crtFile} ` +
          `-subj ${subject.toString()}`;
    
        console.debug(`Running: ${cmd}`);
        await exec(cmd, { env: { CERT_PASSPHRASE: passphrase, PATH: process.env.PATH } });
    
        const cert: string = await readAsciiFile(crtFile);
        const key: string = await readAsciiFile(keyFile);
    
        return [cert, key];
      }
    

    in ./packages/aws-rfdk/lib/lambdas/nodejs/lib/x509-certs/certificate.ts. And this is in fact running in a Lambda function. So this is a bug in the library. It's not my machine. I tried with an older version of aws-rfdk but I get the same bug. The question now is: why do I get this bug and others don't? Is there something wrong with my code? I think the source of the problem might be in .\packages\aws-rfdk\lib\lambdas\lambdaLayerVersionArns.ts. I'm running on eu-west-1, so maybe somebody could connect to arn:aws:lambda:eu-west-1:224375009292:layer:openssl-al2:2 and make sure it has openssl.

0

Hello.

The error message you're encountering indicates that the openssl command is not found in your system's PATH when you're trying to run the AWS CDK (Cloud Development Kit). OpenSSL is a cryptographic tool commonly used for generating certificates and other security-related operations. If OpenSSL is not already installed on your system, you can install it based on your operating system:

For Ubuntu/Debian:

sudo apt-get install openssl

For CentOS/RHEL:

sudo yum install openssl

For macOS (using Homebrew):

brew install openssl

For Windows: You can download OpenSSL for Windows from the official website: https://slproweb.com/products/Win32OpenSSL.html. Make sure to add the installation directory to your PATH during the installation process.

Best regards, Andrii

EXPERT
answered 7 months ago
AWS EXPERT
reviewed 7 months ago
  • Yes, Andrii and I came to the same conclusion: the machine executing CDK does not have openssl installed. See my own answer.

0

Hi,

From what I can understand from your error log, the issue doesn't happen in the Docker image (where openssl is installed) but on the machine where you run cdk deploy.

So, can you confirm that this machine (or container image, if you run in CodePipeline) running CDK has openssl installed?

For example, execute 'which' command from your CDK typescript like this: https://stackabuse.com/executing-shell-commands-with-node-js/

Best,

Didier

AWS EXPERT
answered 7 months ago
  • I put this snippet

    // exec is the Node.js child_process API; the snippet needs this import to run.
    const { exec } = require("child_process");

    exec("which openssl", (error, stdout, stderr) => {
      if (error) {
          console.log(`error: ${error.message}`);
          return;
      }
      if (stderr) {
          console.log(`stderr: ${stderr}`);
          return;
      }
      console.log(`stdout: ${stdout}`);
    });
    

    and then ran cdk synth and I get this on Windows

    stdout: /cygdrive/c/tools/miniconda3/Library/bin/openssl
    

    and this in docker

    stdout: /usr/bin/openssl
    

    I think that the error openssl: command not found doesn't come from my machine but from some aws lambda coming from the library. I'm running things locally, not on CodePipeline or anything like that. I just run cdk deploy inside a docker container, but I observe the exact same results even when trying outside docker. I even cloned the repo https://github.com/aws/aws-cdk and tried to inspect it a bit to figure out where openssl is being called exactly and whether it uses the right environment variables (such as PATH) but I couldn't find anything there. I'm not an expert but I think the openssl call doesn't happen on my machine.
