Invalid engine "zymkey_ssl"


I had to start with a fresh copy of the OS (latest Raspbian) on my Raspberry Pi 3, and I followed the getting started guide (following the raspi-config tutorial to enable i2c, etc). It was flashing once every 3 seconds like it should, so I proceeded with the steps for AWS IoT Just In Time Registration and when I got to here I got stuck:

When I attempt to run the command, I get the following errors:

I’ve noticed now that the blue LED does not flash anymore except when I reboot the Raspberry Pi. Any idea what’s going on here?

Edit: I followed procedure to enable I2C again and now it’s flashing once every 3 seconds again. However, the issue invalid engine “zymkey_ssl” persists.

After about 10 minutes the blue LED stops flashing completely. When I reboot, it starts working again. Also, I am getting this message as well…

Thanks for bringing this issue to our attention. The problem is that the newest version of Raspbian (Stretch) uses OpenSSL 1.1, which our engine needs to be updated for. For now the solution is to uninstall OpenSSL, and reinstall version 1.0.1t which is the last version of Raspbian (Jessie) uses. Here’s how to do this.

First let’s make sure you there was no issue when you were installing Zymkey. If the lights are flashing periodically, it should be good, but lets try a simpe test.

On the command line open up Python, with the command python. Then try the following code:

import zymkey

zymkey.client.sign('hello world!')

This should return a bytearray that the Zymkey has signed. If this works we can move onto OpenSSL.

  1. First, let’s uninstall your current version.

    sudo apt-get remove openssl
  2. Now we will switch to the Jessie repository to install OpenSSL 1.0.1t. Open up the repo file with this command.

    sudo nano /etc/apt/sources.list

    Change the word stretch to jessie. The link should look like this
    deb jessie main contrib non-free rpi
    Press ctrl-O then ctrl-M to save.

  3. Now update your repo info.

    sudo apt-get update
  4. At this point you can reinstall OpenSSL.

    sudo apt-get install openssl
  5. If everything was done correctly, your OpenSSL version should be 1.0.1t. You can check it with this command:

    openssl version
  6. Next we will change you back to the Raspbian Stretch repos. Change /etc/apt/sources.list back to stretch.

  7. Finally we will tell OpenSSL to not update past this version, re-update your repo info and then reboot.

    sudo apt-mark hold openssl
    sudo apt-get update
    sudo reboot

If you have any other issues, feel free to let us know!

That got me to the next stage. but now I think I’m having the same issue with Curl?

Also, I am still having the issue that after about 30 minutes, the Zymkey will suddenly go from flashing once every 3 seconds to I think 4 rapid flashes, then it quits flashing until I reboot. Any ideas on troubleshooting that?

We have seen similar erratic problems when their is insufficient power to the Pi (known issue on the Pi , nothing to do with Zymkey). To isolate this as a potential cause, can you confirm the Amp rating on the 5V supply you are using ? It needs to be 2A or more to ensure reliable operation of the Pi.

Hey Phil,

The power supply is powering the Pi via the GPIO header, so the Zymkey is being powered from the same supply. It is capable of supplying 2.5 amps on the 5v ‘rail’.

Hey Inov.

Sounds like the power supply arrangement is fine. One more HW question - do you have anything else on the I2C bus?

(Jacky will respond on possible software options under seperate post).

There is a RTC on the I2C bus that is not currently used, but is showing up as /dev/rtc0

Thanks Inov,

That might cause some issues if not set up correctly.

I will disconnect the other hardware and report back.


Has this issue been resolved? I’m still receiving the original issue (invalid engine “zymkey_ssl”). I have tried both downgrading openssl to 1.0.1t and with openssl 1.1.0 with no successful results. I have followed all the instructions above and have had no luck getting the zymkey_ssl engine to work with openssl. I’ll be the first to say, it could vary well be a configuration issue on my end but have run out of ideas on how to troubleshoot further. Please advise. Really enjoying the product otherwise!

You should be able to use native Stretch OpenSSL 1.1 support now if you update and upgrade the zymbit packages:
sudo apt-get update
sudo apt-get upgrade

Hi, I am going through the same problem described above, I am using Raspberry pi3+, with ‘stretch’ and original 5V,2.5A raspberry pi power supply. I will briefly describe what I have tried:

  1. I tried to downgrade the OpenSSL to 1.0.1, but it throw same error
  2. sudo apt-get update .sudo apt-get upgrade with Stretch OpenSSL 1.1, but same error as before.
    What other things should I look into?


Just to remove confusion,
I am getting ‘Invalid engine Zymkey-ssl’ error when I am trying to run the code for [AWS IoT - Signed Temperature Sensor Data using Zymkey 4i ]. I have reached the step where we create CA key and certificate, but then when I run the code ‘’, It asks me for the location of certificate and key, but after that, it just simply throw [Invalid engine “zymkey_ssl”] error.
Zymkey is working fine, no binding issue as such.
Thank you for your help.

I think your problem is with the version of curl that is provided in the Raspbian Stretch repository. For some reason, the Raspbian team decided to statically link OpenSSL v1.0.2 instead of dynamically linking to the version that is provided as part of Stretch. OpenSSL did some significant refactoring from v1.0.2 to v1.1.0 in the area of Eliptical Curve accelerator plugin libraries. We chose to eventually support v1.1 in the end.

This means that you have two choices here:

  1. You could build curl yourself and uninstall the standard curl package in the Stretch repo.
  2. You could upgrade to Buster, where I believe curl will just work out of the box.

Thank you for the quick reply, I am going to choose the 2nd option. will do it tomorrow and will let you know the update.