Lambda Runtime Node 18 and OpenSSL issue

0

Hi all, I've been working on a migration from the Node 16 to the Node 18 runtime for a few Lambdas, but I encountered an issue with the certificates. We create an https.Agent() to pass the config to the HTTP request; the pfx property is a buffer of a p12 certificate.

const https = require('https');

// `certificate` is the PKCS#12 (.p12) file read into a Buffer
const options = {
  pfx: certificate,
  passphrase: 'test',
  rejectUnauthorized: true,
};

const sslConfiguredAgent = new https.Agent(options);

I found the issue is related to the OpenSSL in the core Node libraries, so to work around it I tried the following:

  • Declare the node variable NODE_OPTIONS=--openssl-legacy-provider as an environment variable of the lambda
    • This gives me the error: "Unable to load Legacy Provider" in the Init phase of the lambda
  • Create a wrapper script to set the env variable and then yield the lambda execution
    • This gives FUNCTION_ERROR_INIT_FAILURE when they try to initialize the provisioned concurrency.

Wrapper script accessed from AWS_LAMBDA_EXEC_WRAPPER: /opt/data/wrapper

#!/bin/bash
# Keep the runtime's own arguments, set the flag, then hand control to the runtime
args=("$@")

export NODE_OPTIONS="--openssl-legacy-provider"

exec "${args[@]}"

Maybe the error could be related to the script, but I built it based on the information I found about it.

  1. Is there a restriction on the Node 18 runtime on Lambda that does not allow the OpenSSL legacy provider to be used?
  2. Do you guys see any enhancement on the wrapper script to make it work?
  3. Is there another way to work around sending the pfx property through https.Agent() to avoid the Error: unsupported at configSecureContext (node:internal/tls/secure-context:278:15)?
2 Answers
0

It seems like you've encountered an issue with OpenSSL compatibility when migrating to Node.js 18 runtime in AWS Lambda. Here are some suggestions to address this:

  • Check Lambda Execution Environment: Ensure that the Lambda execution environment supports the --openssl-legacy-provider flag. Some Lambda execution environments may have restrictions or limitations on environment variables and command-line options.
  • Verify Wrapper Script: Double-check the wrapper script to ensure that it correctly sets the NODE_OPTIONS environment variable before executing the Lambda function. Make sure that the script has the necessary permissions to execute and access resources.
  • Consider Alternative Approaches: Instead of using a PFX certificate with https.Agent(), consider other options such as using PEM certificates or integrating with AWS Certificate Manager (ACM) for SSL/TLS support. You can also explore using libraries or modules that provide better compatibility with the Node.js 18 runtime and the AWS Lambda environment.
EXPERT
answered 6 months ago
0

I found my way around this block by updating the cipher on the pfx file, following this git issue link. Once this was done, Node 18 was able to send it through the HTTP request without using the flag --openssl-legacy-provider.

Commands used to update the cipher:

openssl pkcs12 -in currentFile.p12 -nodes -legacy -out decryptedPfxFile.tmp
openssl pkcs12 -in decryptedPfxFile.tmp -export -out newFile.p12

These commands will ask for the passphrase used on the current file.

Ivan
answered 6 months ago
EXPERT
reviewed 5 months ago
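Worked example, added here and not part of Ivan's answer or the asker's code: the re-export step above made explicit. OpenSSL 3 (which Node 18 bundles) refuses, by default, PKCS#12 bags encrypted with the old RC2/3DES PBE schemes, which is what surfaces as "Error: unsupported" in configSecureContext. Naming the algorithms on the export command line (PBES2 with AES-256-CBC for both bags, SHA-256 MAC) removes the dependency on whatever defaults the exporting OpenSSL build happened to use, and inspecting the result confirms nothing legacy remains, so the legacy provider never has to be enabled at runtime. Assumptions: the openssl CLI is on PATH, the key and certificate are a constructed throwaway self-signed pair (standing in for the decrypted intermediate file from the answer), and the passphrase "test" is constructed.

```shell
#!/bin/sh
# Added example: re-encrypt a PKCS#12 bundle with PBES2/AES-256-CBC and verify
# that no legacy PBE (RC2, 3DES) remains. Assumes the openssl CLI is installed.
set -e

WORK="$(mktemp -d)"
PASS="test"   # constructed passphrase for the throwaway fixture below

# Constructed fixture: a throwaway self-signed key + cert standing in for the
# asker's certificate. The concatenated PEM plays the role of the decrypted
# intermediate file (decryptedPfxFile.tmp) in the answer above.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pfx-rewrap-example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  cat "$WORK/key.pem" "$WORK/cert.pem" > "$WORK/bundle.pem"
  echo "$WORK/bundle.pem"
}

# Export PEM key+cert ($1) to a .p12 ($3) protected by passphrase ($2), naming the
# algorithms explicitly instead of relying on the build's defaults: PBES2 with
# AES-256-CBC for both the certificate bag and the key bag, and a SHA-256 MAC.
rewrap_pfx() {
  openssl pkcs12 -export -in "$1" -passout "pass:$2" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 -out "$3"
}

# Print the bag-encryption and MAC algorithm lines a .p12 ($1, passphrase $2)
# actually uses. `openssl pkcs12 -info` writes them to stderr, hence the redirect.
pbe_algorithms() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
    | grep -E 'Encrypted data|Keybag|^MAC'
}

# Succeeds only when no legacy cipher is present and both bags report AES-256-CBC.
# A wrong passphrase yields no algorithm lines at all, so it fails the check too.
uses_modern_pbe() {
  out="$(pbe_algorithms "$1" "$2" || true)"
  if printf '%s\n' "$out" | grep -Eq 'RC2|TripleDES|DES-CBC'; then
    return 1
  fi
  [ "$(printf '%s\n' "$out" | grep -c 'AES-256-CBC')" -ge 2 ]
}

# Stand-alone run: build the fixture, rewrap it, show and check the algorithms.
bundle="$(make_fixture)"
rewrap_pfx "$bundle" "$PASS" "$WORK/newFile.p12"
pbe_algorithms "$WORK/newFile.p12" "$PASS"
if uses_modern_pbe "$WORK/newFile.p12" "$PASS"; then
  echo "OK: $WORK/newFile.p12 uses PBES2/AES-256-CBC only"
else
  echo "WARNING: legacy PBE still present in $WORK/newFile.p12"
fi
```

Run the same `pbe_algorithms` check against the original currentFile.p12 (on an OpenSSL 3 host this needs the `-legacy` flag the answer already uses) to see the pbeWithSHA1And40BitRC2-CBC / pbeWithSHA1And3-KeyTripleDES-CBC lines that trigger the Node 18 error; after rewrapping, the file loads in Node 18 with the same `pfx`/`passphrase` options and no NODE_OPTIONS change.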
