How do I use the NGINX 1.29.0 OpenSSL Provider Functionality

My issue:

Like many, I’m very interested in the new provider capability in nginx 1.29.0. However I’m getting “No store loader found” errors while trying to use it.

How I encountered the problem:

I have added my provider to the primary openssl.cnf file, and it is now visible with “openssl list -providers”. Why is it failing to load my store? What is the correct syntax and pkcs11 uri?

Solutions I’ve tried:

Variations on pkcs11 URI

Version of NGINX or NGINX adjacent software (e.g. NGINX Gateway Fabric):

1.29.0

Deployment environment:

Ubuntu 25.04

Minimal NGINX config to reproduce your issue (preferably running on https://tech-playground.com/playgrounds/nginx for ease of debugging, and if not as a code block): (Tip → Run nginx -T to print your entire NGINX config to your terminal.)

server {
    listen 443 ssl;
    server_name webserver;

    add_header X-Robots-Tag "noindex nofollow nosnippet noarchive";

    resolver 127.0.0.11 valid=30s;

    access_log /var/log/nginx/access_test.log;
    error_log /var/log/nginx/access_error.log;

    ssl_certificate /home/user/test_fullchain.pem;
    # The PKCS#11 URI contains ';', which nginx treats as the end of a
    # directive, so the store: value must be quoted.
    ssl_certificate_key "store:pkcs11:object=test_privkey;type=private";

    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/html;
    index index.nginx-debian.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}

NGINX access/error log: (Tip → You can usually find the logs in the /var/log/nginx directory.)

2025/08/08 19:25:30 [emerg] 160008#160008: cannot load certificate key "store:pkcs11:token=YubiHSM;object=test_privkey": OSSL_STORE_open() failed (SSL: error:80000002:system library::No such file or directory:calling stat(pkcs11:token=YubiHSM;object=test_privkey) error:1608010C:STORE routines::unsupported:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties ())


Part of this appears to be Nginx and SystemD fuckery. Any invocation of just nginx, such as "nginx -t", fails, but "OPENSSL_CONF=/path/to/conf nginx -t" works just fine. However, I can't seem to find any configuration that makes the systemd invocation of the Nginx background service function. I created an override with Environment="OPENSSL_CONF=/path/to/conf" but that fails, as does overriding the invocation with ExecStart=/bin/sh -c 'OPENSSL_CONF=/path/to/conf nginx -c ${CONFIG}'. This almost feels like an OpenSSL error more than an nginx error at this point, even if the default OpenSSL config INCLUDES MY PROVIDER! It only loads the provider if the config is directly specified at the time of calling the binary.

Hi @ben-cristwell! If you reset NGINX to a basic config, does nginx -t work? If it doesn’t, there definitely is something wonky going on with your system. In any case, your error log seems to indicate this is indeed an issue with OpenSSL. For some reason, when NGINX invokes OpenSSL, OpenSSL is unable to find your provider.

So that was what really confused me yesterday afternoon. nginx -t worked in my testing directory, but not in my home directory. I went down the wrong rabbit hole thinking it was a path issue with systemd or my invocation, but it was a bit deeper than that. The only directory nginx -t successfully ran from ALSO included my pkcs11_provider.conf AND my yubihsm_pkcs11.conf for the YubiKey PKCS11 driver. Since I had never actually set the environment variable, the PKCS11 driver failed to find the connector and config files UNLESS I was already in the correct test directory. See PKCS#11 with YubiHSM 2 — YubiHSM 2 User Guide documentation. A quick copy of the config to my home directory and a manual nginx -t worked there as well. Ended up being a RTFM issue with the HSM itself, and not nginx or systemd.

Ultimately my nginx systemd unit override will contain the environment variables for both OPENSSL_CONF and YUBIHSM_PKCS11_CONF. This should get nginx to startup properly as a service.

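The two checks the posters ran by hand (does the pkcs11 provider appear in openssl list -providers, and can OSSL_STORE open the key) and the systemd drop-in the final post settles on, collected into one script. This is an added example, not code from the thread or from the nginx or YubiHSM projects; the script name hsm-check.sh, the config paths and the drop-in file name are assumptions, and the key URI is the one from the error log above. The point of with_hsm_env is that the openssl CLI is run with exactly the environment the unit will give nginx, so a green CLI result actually predicts a green nginx start.

```shell
#!/bin/sh
# Added example (hsm-check.sh), not code from the thread: reproduce the manual
# checks and render the systemd drop-in the final post describes.
# All paths are placeholders (assumptions); set them for your host.
OPENSSL_CONF_PATH="${OPENSSL_CONF_PATH:-/etc/ssl/openssl.cnf}"
YUBIHSM_PKCS11_CONF_PATH="${YUBIHSM_PKCS11_CONF_PATH:-/etc/yubihsm/yubihsm_pkcs11.conf}"
# URI taken from the error log in the thread; "type=private" narrows the lookup.
KEY_URI="pkcs11:token=YubiHSM;object=test_privkey;type=private"

# Run a command with exactly the environment nginx will inherit from the
# systemd unit, so the CLI result matches what nginx sees at startup.
with_hsm_env() {
    OPENSSL_CONF="$OPENSSL_CONF_PATH" \
    YUBIHSM_PKCS11_CONF="$YUBIHSM_PKCS11_CONF_PATH" \
    "$@"
}

# 1. Is the provider actually activated? "openssl list -providers" prints
#    each active provider name on its own line, indented by two spaces.
provider_loaded() {
    with_hsm_env openssl list -providers 2>/dev/null | grep -qx "  $1"
}

# 2. Can the OSSL_STORE layer open the key through that provider? This is
#    the same path nginx takes; "No store loader found" shows up here first.
key_loadable() {
    with_hsm_env openssl storeutl -keys "$KEY_URI" >/dev/null 2>&1
}

# 3. The drop-in for /etc/systemd/system/nginx.service.d/hsm-env.conf
#    (assumed file name): one Environment= line per variable, values quoted.
render_systemd_dropin() {
    printf '[Service]\nEnvironment="OPENSSL_CONF=%s"\nEnvironment="YUBIHSM_PKCS11_CONF=%s"\n' \
        "$OPENSSL_CONF_PATH" "$YUBIHSM_PKCS11_CONF_PATH"
}

# Usage:
#   ./hsm-check.sh check    (needs openssl and the HSM connector reachable)
#   ./hsm-check.sh dropin | sudo tee /etc/systemd/system/nginx.service.d/hsm-env.conf
#   sudo systemctl daemon-reload && sudo systemctl restart nginx
case "${1:-}" in
    check)
        if provider_loaded pkcs11; then
            echo "provider pkcs11: active"
        else
            echo "provider pkcs11: NOT active under OPENSSL_CONF=$OPENSSL_CONF_PATH"
        fi
        if key_loadable; then
            echo "key: loadable via OSSL_STORE"
        else
            echo "key: $KEY_URI NOT loadable (check YUBIHSM_PKCS11_CONF and the connector)"
        fi
        ;;
    dropin)
        render_systemd_dropin
        ;;
esac
```

Run the check step before and after installing the drop-in: if the provider is listed but the key is not loadable, the problem is below OpenSSL (the PKCS#11 module cannot find its own config or the connector), which is exactly the split the thread ended up diagnosing.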
