Hi httpd team, I’m trying to run Apache httpd with TLS private keys in an HSM via *PKCS#11* on *OpenSSL 3.x*.
I’d like to use the *OpenSSL 3 provider model* (not legacy ENGINE). However, httpd keeps failing with an error that looks like an ENGINE load problem even though the *pkcs11 provider is loaded and works with openssl CLI*. I’d appreciate guidance on whether my *mod_ssl* config is correct for providers, and what else I might be missing.

*Environment*
- Apache httpd: [2.4.65] (built against OpenSSL [3.5.2])
- OS: Ubuntu 20.04
- OpenSSL Providers: default, oqsprovider (PQC), and pkcs11
- HSM vendor/module

*What I'm Trying to do:*
- Keep private keys in the HSM and reference them via PKCS#11 URI in SSLCertificateKeyFile (provider path).
- Want to avoid ENGINE

*Error*

[Thu Sep 25 13:24:18.461482 2025] [ssl:notice] [pid 6608:tid 6608] AH10132: Init: Failed to load engine for private key pkcs11:object=test-apache;pin-value=11111;type=private
[Thu Sep 25 13:24:18.461511 2025] [ssl:notice] [pid 6608:tid 6608] SSL Library Error: error:12800067:DSO support routines::could not load the shared library (filename(/usr/local/lib64/engines-3/pkcs11.so): /usr/local/lib64/engines-3/pkcs11.so: cannot open shared object file: No such file or directory)
[Thu Sep 25 13:24:18.461516 2025] [ssl:notice] [pid 6608:tid 6608] SSL Library Error: error:12800067:DSO support routines::could not load the shared library
[Thu Sep 25 13:24:18.461518 2025] [ssl:notice] [pid 6608:tid 6608] SSL Library Error: error:13000084:engine routines::dso not found
[Thu Sep 25 13:24:18.461521 2025] [ssl:notice] [pid 6608:tid 6608] SSL Library Error: error:13000074:engine routines::no such engine (id=pkcs11)
[Thu Sep 25 13:24:18.461534 2025] [ssl:error] [pid 6608:tid 6608] AH10491: Init: OSSL_STORE_open failed for PKCS#11 URI `pkcs11:object=test-apache;pin-value=11111;type=private'
[Thu Sep 25 13:24:18.461535 2025] [ssl:emerg] [pid 6608:tid 6608] AH10492: Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `pkcs11:object=test-apache;pin-value=11111;type=private'
[Thu Sep 25 13:24:18.461542 2025] [ssl:emerg] [pid 6608:tid 6608] AH02311: Fatal error initialising mod_ssl, exiting. See /opt/httpd-2.4.65/logs/error_log for more information
AH00016: Configuration Failed

According to the official documentation, it should be possible to use PKCS#11 URIs with either an ENGINE or a Provider in OpenSSL 3. However, in my setup httpd seems to attempt loading both — first looking for a PKCS#11 engine (`pkcs11.so`) and then also failing with `OSSL_STORE_open` for the provider URI.

Could you clarify whether mod_ssl on OpenSSL 3.x is expected to work with the PKCS#11 *provider* alone (without any engine), and if so, what the minimal working configuration should look like? Any hints or working examples would be greatly appreciated.
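
Added example, not part of the original message and not httpd or OpenSSL code: a small triage pass over an error_log like the one quoted above. It reports which key-loading paths the log shows failing and in what order, which shared object could not be opened, and how many lines carry the PKCS#11 PIN in cleartext, and it masks that PIN before the log is shared. The function names and the AH-code-to-path mapping are assumptions read off the quoted lines; the sample log is constructed from three of them.

```python
import re

# Constructed sample: three entries taken from the error_log quoted in the post.
SAMPLE_LOG = """\
[Thu Sep 25 13:24:18.461482 2025] [ssl:notice] [pid 6608:tid 6608] AH10132: Init: Failed to load engine for private key pkcs11:object=test-apache;pin-value=11111;type=private
[Thu Sep 25 13:24:18.461511 2025] [ssl:notice] [pid 6608:tid 6608] SSL Library Error: error:12800067:DSO support routines::could not load the shared library (filename(/usr/local/lib64/engines-3/pkcs11.so): /usr/local/lib64/engines-3/pkcs11.so: cannot open shared object file: No such file or directory)
[Thu Sep 25 13:24:18.461534 2025] [ssl:error] [pid 6608:tid 6608] AH10491: Init: OSSL_STORE_open failed for PKCS#11 URI `pkcs11:object=test-apache;pin-value=11111;type=private'
"""

# Assumption: AH codes mapped to the loader path named in the quoted message text.
LOADER_BY_CODE = {"AH10132": "engine", "AH10491": "store", "AH10492": "store"}
AH_RE = re.compile(r"\b(AH\d{5}):")
DSO_RE = re.compile(r"filename\(([^)]+)\)")
PIN_RE = re.compile(r"(pin-value=)[^;'\s]+")


def redact(line):
    """Mask the PIN carried in a PKCS#11 URI before the line is shared or stored."""
    return PIN_RE.sub(r"\1<redacted>", line)


def triage(log_text):
    """Summarise which key-loading paths failed, in order, and what was exposed."""
    report = {"attempts": [], "missing_dso": [], "pin_lines": 0, "redacted": []}
    for line in log_text.splitlines():
        if PIN_RE.search(line):
            report["pin_lines"] += 1
        code = AH_RE.search(line)
        loader = LOADER_BY_CODE.get(code.group(1)) if code else None
        if loader and loader not in report["attempts"]:
            report["attempts"].append(loader)
        dso = DSO_RE.search(line)
        if dso and dso.group(1) not in report["missing_dso"]:
            report["missing_dso"].append(dso.group(1))
        report["redacted"].append(redact(line))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("failed loader paths, in order:", r["attempts"])
    print("shared objects not found:", r["missing_dso"])
    print("lines containing a cleartext PIN:", r["pin_lines"])
```
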
