NPM package `pem` doesn't seem to work in AWS lambda NodeJS 10.x (results in OpenSSL error)

Question

When I run the function locally on NodeJS 11.7.0 it works, when I run it in AWS Lambda NodeJS 8.10 it works, but I\'ve recently tried to run it in

Answer 1

I contacted AWS Support about this and it turns out that the openssl library is still on the Node10x image, just not the command line utility. However, it's pretty easy to just grab it off a standard AMI and use it as a Lambda layer.

Steps:

1. Launch an Amazon Linux 2 AMI as an EC2
2. SSH into the box, or use an SFTP utility to connect to the box
3. Copy the command line utility for openssl at /usr/bin/openssl somewhere you can work with it locally. In my case I downloaded it to my Mac even though it is a Linux file.
4. Verify that it's still marked as executable (chmod a+x openssl if necessary if you've downloaded it elsewhere)
5. Zip up the file
6. Optional: Upload it to an S3 bucket you can get to
7. Go to Lambda Layers in the AWS console
8. Create a new lambda layer. I named mine openssl and used the S3 pointer to the file on S3. You can also upload the zip directly if you have it on a local file system.
9. Attach the arn provided for the layer to your Lambda function. I use serverless so it was defined in the function setup per their documentation.
10. In your code, reference openssl as /opt/openssl or you can avoid pathing it in your code (or may not have an option if it's a package you don't control) by adding /opt to you path, i.e.

process.env['PATH'] = process.env['PATH'] + ':' + process.env['LAMBDA_TASK_ROOT'] + ':/opt';

The layer will have been unzipped for you and because you set it to be executable beforehand, it should just work. The underlying openssl libraries are there, so just copying the cli works just fine.

Answer 2

I tried the answer documented by @Kris White, but I was not able to get it to work. Each execution resulted in the error Could not find openssl on your system on this path: /opt/openssl. I tried several different paths and approaches, but none worked well. It's entirely possible that I simply didn't copy the OpenSSL executable correctly.

Since I needed a working solution, I used the answer provided by @Wilfred Dittmer. I modified it slightly since I wasn't using Docker. I launched an Amazon Linux 2 server, built OpenSSL on it, transferred the package to my local machine, and deployed it via Serverless.

---

Create a file named create-openssl-zip.sh with the following contents. The script will create the Lambda Layer OpenSSL package.

#!/bin/bash -x

# This file should be copied to and run inside the /tmp folder
yum update -y
yum install autoconf bison gcc gcc-c++ libcurl-devel libxml2-devel -y
curl -sL http://www.openssl.org/source/openssl-1.1.1d.tar.gz | tar -xvz
cd openssl-1.1.1d
./config --prefix=/tmp/nodejs/openssl --openssldir=/tmp/nodejs/openssl && make && make install
cd /tmp
rm -rf nodejs/openssl/share nodejs/openssl/include
zip -r lambda-layer-openssl.zip nodejs
rm -rf nodejs openssl-1.1.1d

Then, follow these steps:

1. Open a terminal session in this project's root folder.
2. Run the following command to upload the Linux bash script.
   • curl -F "file=@create-openssl-zip.sh" https://file.io
   • Note: The command above uses the popular tool File.io to copy the script to the cloud temporarily so it can be securely retrieved from the build server.
   • Note: If curl is not installed on your dev machine, you can also upload the script manually using the File.io website.
3. Copy the URL for the uploaded file from either the terminal session or the File.io website.
   • Note: The url will look similar to this example: https://file.io/a1B2c3
4. Open the AWS Console to the EC2 Instances list.
5. Launch a new instance with these attributes:
   1. AMI: Amazon Linux 2 AMI (HVM), SSD Volume Type (id: ami-0a887e401f7654935)
   2. Instance Type: t2.micro
   3. Instance Details: (use all defaults)
   4. Storage: (use all defaults)
   5. Tags: Name - 'build-lambda-layer-openssl'
   6. Security Group: 'Create new security group' (use all defaults to ensure Instance will be publicly accessible via SSH over the internet)
6. When launching the instance and selecting a key pair, be sure to choose a Key Pair from the list to which you have access.
7. Launch the instance and wait for it to be accessible.
8. Once the instance is running, use an SSH Client to connect to the instance.
   • More details on how to open an SSH connection can be found here.
9. In the SSH terminal session, navigate to the tmp directory by running cd /tmp.
10. Download the bash script uploaded earlier by running curl {FILE_IO_URL} --output create-openssl-zip.sh.
    • Note: In the script above, replace FILE_IO_URL with the URL returned from File.io and copied in step 3.
11. Execute the bash script by running sudo bash ./create-openssl-zip.sh. The script may take a while to complete. You may need to confirm one or more package install prompts.
12. When the script completes, run the following command to upload the package to File.io: curl -F "file=@lambda-layer-openssl.zip" https://file.io.
13. Copy the URL for the uploaded file from the terminal session.
14. In the terminal session on the local development machine, run the following command to download the file: curl {FILE_IO_URL} --output lambda-layer-openssl.zip.
    • Note: In the script above, replace FILE_IO_URL with the URL returned from File.io and copied in step 13.
    • Note: If curl is not installed on your dev machine, you can also download the file manually by pasting the copied URL in the address bar of your favorite browser.
15. Close the SSH session.
16. In the EC2 Instances list, terminate the build-lambda-layer-openssl EC2 instance since it is not needed any longer.
17. The OpenSSL Lambda Layer is now ready to be deployed.

For completeness, here is a portion of my serverless.yml file:

functions:
  functionName:
    # ...
    layers:
      - { Ref: OpensslLambdaLayer }

layers:
  openssl:
    name: ${self:provider.stage}-openssl
    description: Contains openssl command line utility for lambdas that need it
    package:
      artifact: 'path\to\lambda-layer-openssl.zip'
    compatibleRuntimes: 
      - nodejs10.x
      - nodejs12.x
    retain: false

...and here is how I configured PEM in the code file:

import * as pem from 'pem';
process.env.LD_LIBRARY_PATH = '/opt/nodejs/openssl/lib';
pem.config({
    pathOpenSSL: '/opt/nodejs/openssl/bin/openssl',
});
// other code...

Answer 3

PEM NPM docs says:

Setting openssl location In some systems the openssl executable might not be available by the default name or it is not included in $PATH. In this case you can define the location of the executable yourself as a one time action after you have loaded the pem module:

So I think it is not able to find OpenSSL path in system you can try configuring it programmatically :

var pem = require('pem')
pem.config({
  pathOpenSSL: '/usr/local/bin/openssl'
}) 

As you are using AWS Lambda so just try printing process.env.path you will get idea of whether OpenSSL is included in path env variable or not.

You can also check 'OpenSSL' by running below code

const exec = require('child_process').exec;
exec('which openssl',function(err,stdopt,stderr){
      console.log(err ? err : stdopt);    
})

UPDATE

As @hoangdv mentioned in his answer openssl is seems to be removed for node10.x runtime and I think he is right. Also, we have read-only access to file system so we can't do much.

@Seth McClaine, you can give try for node-forge npm module. One of the module built on top of this is 'https://github.com/jfromaniello/selfsigned' which will make your task easier

Answer 4

https://github.com/lambci/git-lambda-layer/issues/13#issue-444697784 (announcement email)

It seem openssl has been removed in nodejs10.x runtime.

I have checked again on lambci/lambda:build-nodejs10.x docker image and confirmed that. Maybe, you need to change your runtime version or find another way to createCSR.

which: no openssl in (/var/lang/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin)

Answer 5

What you can do is to create a lambda layer with the openssl library. Using the lambdaci/lambda:build-nodejes10.x you can compile the openssl library and create a zip file from the install. The zip file you can then use as a layer for your lambda.

Create a file called create-openssl-zip.sh and make sure to chmod u+x it.

#!/bin/bash -x

# This file should be run inside the lambci/lambda:build-nodejs10.x container
yum update -y
yum install autoconf bison gcc gcc-c++ libcurl-devel libxml2-devel -y
curl -sL http://www.openssl.org/source/openssl-1.1.1d.tar.gz | tar -xvz
cd openssl-1.1.1d
./config --prefix=/var/task/nodejs/openssl --openssldir=/var/task/nodejs/openssl && make && make install
cd /var/task/
rm -rf nodejs/openssl/share
rm -rf nodejs/openssl/include
zip -r lambda-openssl-layer.zip nodejs
cp lambda-openssl-layer.zip /opt/layer/

Then run:

docker run -it -v `pwd`:/opt/layer lambci/lambda:build-nodejs10.x /opt/layer/create-openssl-zip.sh

This will run the script inside the docker container and when it is done you have a file called lambda-openssl-layer.zip in your current directory.

Upload this lambda to an s3 bucket and create a lambda layer. On your original lambda, add this layer and modify your code so that the PEM library knows where to look for the OpenSSL library as follows:

PEM.config({
  pathOpenSSL: '/opt/nodejs/openssl/bin/openssl'
})

And finally add an extra environment variable to your lambda called LD_LIBRARY_PATH with value /opt/nodejs/openssl/lib

Otherwise it will fail with: /opt/nodejs/openssl/bin/openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory