Bug 1490390

Summary: Unable to create puppet certificate request from RHEL5 with fips enabled
Product: Red Hat Satellite Reporter: Kenny Tordeurs <ktordeur>
Component: PuppetAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Peter Ondrejka <pondrejk>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.11CC: ddolguik, dmitri, mhulan, oprazak
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-02 18:52:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
strace puppet agent run none

Description Kenny Tordeurs 2017-09-11 12:55:35 UTC 
Description of problem:
Unable to create certificate request for puppet with RHEL5 client that has FIPS enabled.

Version-Release number of selected component (if applicable):
Satellite 6.2.11
RHEL 5.11

How reproducible:
100%

Steps to Reproduce:
1. Make RHEL5 FIPS compliant per => https://access.redhat.com/articles/38655
2. Register RHEL5 client to Satellite 6.2.11 and install puppet
3. Add  digest_algorithm = sha256 for puppet.conf for client and satellite
4. /usr/bin/puppet agent --test

Actual results:
info: Creating a new SSL certificate request for ktordeur-rhel5-puppet-interval.sysmgmt.lan
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted


Expected results:
For the certificate request to work

Additional info:

[root@ktordeur-rhel5-puppet-interval ssl]

# cat /etc/redhat-release 
~~~
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
~~~

# grep fips /etc/pki/tls/openssl.cnf
~~~
# Algorithm configuration options. Currently just fips_mode
fips_mode = yes
~~~

# cat /proc/sys/crypto/fips_enabled
~~~
1
~~~

SSL certs generated are correct sha256 algorithm:

# openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem | grep -i sha256
~~~
        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
~~~


# /usr/bin/puppet agent --test --noop --tags no_such_tag --waitforcert 10 --digest=sha256
~~~
info: Creating a new SSL certificate request for ktordeur-rhel5-puppet-interval.sysmgmt.lan
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted
~~~


+++++++++++++++++++++++++++++++++++++++++++

Following errata should have sha256 included for RHEL5 https://access.redhat.com/errata/RHBA-2014:1280
https://bugzilla.redhat.com/show_bug.cgi?id=1136542

Seems also according to the code it should allow sha256:

# vim +71 /usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_request.rb

~~~
...
    csr.sign(key, OpenSSL::Digest::SHA256.new)
...
~~~
Comment 1 Kenny Tordeurs 2017-09-11 12:57:29 UTC 
Created attachment 1324460 [details]
strace puppet agent run

strace for execve("/usr/bin/puppet", ["puppet", "agent", "--digest=sha256", "-t", "-v"]
Comment 4 Marek Hulan 2017-11-20 21:13:38 UTC 
Dmitri, is there already some tracker for FIPS related tasks? Do you have some suggestion for this BZ? Thanks
Comment 5 Dmitri Dolguikh 2017-11-28 19:27:28 UTC 
The tracker is at http://projects.theforeman.org/issues/3511. 

There isn't enough details about the certificate that's being generated; my guess would be that puppet is configured to use RSA with key length of 1024 bits or less, which isn't compatible with FIPS (2048 bits is the minimum length). Updating puppet.conf should fix the issue.
Comment 6 Ondřej Pražák 2018-11-13 15:38:18 UTC 
Created redmine issue http://projects.theforeman.org/issues/25447 from this bug
Comment 7 Bryan Kearney 2019-04-01 12:13:09 UTC 
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.
Comment 8 Bryan Kearney 2019-05-02 18:52:46 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.