Bug 1841925

Field | Value
---|---
Summary | ipa-server: FIPS mode installation failure ("Can't contact LDAP server")
Product | Red Hat Enterprise Linux 8
Reporter | Robbie Harwood <rharwood>
Component | 389-ds-base
Assignee | mreynolds
Status | CLOSED NOTABUG
QA Contact | RHDS QE <ds-qe-bugs>
Severity | unspecified
Docs Contact | 
Priority | unspecified
Version | ---
CC | cheimes, lkrispen, mreynolds, rcritten, spichugi, tbordaz, tscherf, vashirov
Target Milestone | rc
Target Release | 8.0
Hardware | Unspecified
OS | Unspecified
Whiteboard | 
Fixed In Version | 
Doc Type | If docs needed, set a value
Doc Text | 
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2020-06-03 18:07:55 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Attachments | 
Description
Robbie Harwood
2020-05-29 20:24:16 UTC
I don't know if it would be useful to log the NSS error code in this case or not. 389 is searching for the "best" slot that provides the mechanisms CKM_SHA256_HMAC and CKM_PKCS5_PBKD2 (and this particular code hasn't changed in 3 years). According to modutil the only difference in the mechanism list between FIPS and non-FIPS is non-FIPS has ECC. The FIPS mechanisms list is:

RSA:DH:RC2:RC4:DES:AES:CAMELLIA:SEED:SHA1:SHA256:SHA512:MD5:MD2:SSL:TLS

This might be a duplicate or reappearance of https://bugzilla.redhat.com/show_bug.cgi?id=1656418

Robbie, I don't see any attachments. Could you please attach ipaserver-install.log?

Installation works for me in 8.3 nightly compose (RHEL-8.3.0-20200526.n.1) in 1minutetip (1minutetip --fips --flavor ci.m1.medium.rng 1MT-RHEL-8.3.0-20200526.n.1).

```
# fips-mode-setup --check
FIPS mode is enabled.
# rpm -qv ipa-server 389-ds-base nss openssl
ipa-server-4.8.6-1.module+el8.3.0+6429+acaee14b.x86_64
389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64
nss-3.44.0-15.el8.x86_64
openssl-1.1.1g-3.el8.x86_64
```

My test installation has openssl-1.1.1g-3 instead of openssl-1.1.1g-5 and uses a fake FIPS mode (user-space behaves like FIPS mode, kernel is in standard mode).

389-DS log:

```
[30/May/2020:05:47:41.838601571 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:41.840335864 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:41.953889328 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:41.954569758 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.060831106 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:42.061525839 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.166559085 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:42.167509433 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.274974145 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:42.275570890 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.389873016 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:42.390570641 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.498283153 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:42.499016833 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.612415059 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:42.613234147 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.613727024 -0400] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[30/May/2020:05:47:42.617387007 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.619623189 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[30/May/2020:05:47:42.620430312 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.621080825 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.621867922 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.623141040 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.623884364 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.624516341 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.632015621 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[30/May/2020:05:47:42.632844524 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.633480980 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.634148978 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.635277459 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.635979150 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.637117724 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.643287501 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[30/May/2020:05:47:42.644013640 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.644624631 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.645384278 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.646901962 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.647497723 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.648074336 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.652656212 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.653234829 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.653593782 -0400] - NOTICE - ldbm_back_start - found 3827844k physical memory
[30/May/2020:05:47:42.653916986 -0400] - NOTICE - ldbm_back_start - found 2087268k available
[30/May/2020:05:47:42.654274811 -0400] - NOTICE - ldbm_back_start - cache autosizing: db cache: 95696k
[30/May/2020:05:47:42.654627165 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 131072k
[30/May/2020:05:47:42.655162363 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.655557778 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k
[30/May/2020:05:47:42.656018406 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.656459995 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 131072k
[30/May/2020:05:47:42.656997628 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.657354563 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k
[30/May/2020:05:47:42.657868819 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.658232037 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 131072k
[30/May/2020:05:47:42.658753071 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.659146629 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k
[30/May/2020:05:47:42.659554308 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.659904600 -0400] - NOTICE - ldbm_back_start - total cache size: 682374020 B;
[30/May/2020:05:47:42.661091783 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.664184612 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/May/2020:05:47:42.664646466 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/May/2020:05:47:42.665430798 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[30/May/2020:05:47:42.665945789 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/May/2020:05:47:42.666335191 -0400] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[30/May/2020:05:47:42.668655844 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/May/2020:05:47:42.669093034 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/May/2020:05:47:42.669847423 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[30/May/2020:05:47:42.670229657 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[30/May/2020:05:47:42.670588954 -0400] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
```

Created attachment 1693700 [details]
ipaserver-install.log (8.3.0)

My bad, please find attached.
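The 389-ds errors log quoted above mixes the PBKDF2_SHA256 failures (which the thread identifies as a known FIPS-mode incompatibility) with unrelated attrcrypt and memory-autosizing noise, so a small triage script is a useful way to separate the two when reading an installation log. The following is an added example, not code from 389-ds, FreeIPA or this bug report: it parses the `[timestamp] - LEVEL - component - message` line layout, counts ERR lines per component, and emits an LDIF that switches the storage schemes in `cn=config` (`passwordStorageScheme` and `nsslapd-rootpwstoragescheme` are 389-ds attributes; the SSHA512 target is this example's choice, which the thread does not specify). The sample log lines are a constructed subset of the log above.

```python
"""Triage a 389-ds errors log for the PBKDF2_SHA256 failures discussed in this thread.

Added example; not code from 389-ds, FreeIPA or this bug report.
"""
import re
from collections import Counter

# 389-ds errors-log line layout: [timestamp] - LEVEL - component - message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<component>\S+) - (?P<msg>.*)$"
)

# Constructed sample: a representative subset of the log quoted in the thread.
SAMPLE_LOG = """\
[30/May/2020:05:47:41.838601571 -0400] - ERR - PBKDF2_SHA256 - Unable to extract hash output.
[30/May/2020:05:47:41.840335864 -0400] - ERR - PBKDF2_SHA256 - Could not generate pbkdf2_sha256_hash!
[30/May/2020:05:47:42.613727024 -0400] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[30/May/2020:05:47:42.617387007 -0400] - WARN - spal_meminfo_get - cgroups v1 or v2 unable to be read - may not be on this platform ...
[30/May/2020:05:47:42.664184612 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[30/May/2020:05:47:42.666335191 -0400] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
"""


def parse_line(line):
    """Split one errors-log line into its fields; return None for non-matching text."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text, fips_enabled):
    """Count ERR lines per component and explain the PBKDF2_SHA256 ones.

    fips_enabled is what `fips-mode-setup --check` reported on the host.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERR":
            counts[rec["component"]] += 1

    findings = []
    pbkdf2 = counts.get("PBKDF2_SHA256", 0)
    if pbkdf2 and fips_enabled:
        findings.append(
            f"PBKDF2_SHA256: {pbkdf2} ERR lines; known FIPS-mode incompatibility "
            "(bz#1779685): switch the password storage scheme before enabling FIPS mode"
        )
    elif pbkdf2:
        findings.append(
            f"PBKDF2_SHA256: {pbkdf2} ERR lines without FIPS mode; not the known issue, "
            "check the NSS slot/mechanism setup"
        )
    for component, n in sorted(counts.items()):
        if component != "PBKDF2_SHA256":
            findings.append(
                f"{component}: {n} ERR lines; not explained by the PBKDF2 issue, investigate separately"
            )
    return {"errors": dict(counts), "findings": findings}


def remediation_ldif(scheme="SSHA512"):
    """LDIF that switches both storage schemes in cn=config to `scheme`.

    The attribute names are 389-ds's; SSHA512 is this example's choice of a
    SHA-512-based scheme, not something the thread specifies.
    """
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: passwordStorageScheme\npasswordStorageScheme: {scheme}\n"
        "-\n"
        f"replace: nsslapd-rootpwstoragescheme\nnsslapd-rootpwstoragescheme: {scheme}\n"
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, fips_enabled=True)
    for finding in result["findings"]:
        print(finding)
    print(remediation_ldif())
```

Two practical notes on the remediation: changing `passwordStorageScheme` affects only passwords set after the change, so existing PBKDF2 hashes remain until each user's next password change; and the attrcrypt errors in the log are counted but deliberately left unexplained, since nothing in this thread attributes them to the PBKDF2 issue.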
Based on where it failed in the ipa-server-install log it looks to me like it's failing in the initial 389-ds setup itself using lib389. Re-assigning to 389-ds for analysis.

This is a known issue, FIPS mode and PBKDF2 do not work together yet. DS uses PBKDF2 by default, so that storage scheme needs to be changed before running in FIPS mode. So this is a duplicate of: https://bugzilla.redhat.com/show_bug.cgi?id=1779685

At Christian's suggestion, I reran the install with the hostname ipa.fips.test (instead of ipa.fips.com) and it seems to have worked. (The dirsrv errors are still present, but I guess they don't actually break anything?)

The hostname ipa.fips.com resolves to an external IP address, not a local address. This caused the installation to fail. The PBKDF2 warnings are already tracked at #1779685.
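The actual cause closed out above is a hostname that resolved to an address not configured on the installing host, which surfaced only as "Can't contact LDAP server". A pre-flight check catches that before ipa-server-install runs. The following is an added example, not FreeIPA's own validation code: it resolves the candidate hostname, then tests each address by attempting to bind a UDP socket to it, which the kernel permits only for addresses it owns, so no interface enumeration is needed. The loopback rejection reflects IPA's refusal of server hostnames that map to localhost; the injectable `resolver` and `is_local` parameters and the `192.0.2.0/24` and `203.0.113.0/24` sample addresses are this example's constructions so the logic can be exercised offline.

```python
"""Pre-flight check that an IPA server hostname resolves to an address on this host.

Added example; not code from FreeIPA or this bug report.
"""
import ipaddress
import socket
import sys


def is_local_address(addr):
    """True if addr is configured on a local interface.

    Binding a UDP socket succeeds only for addresses the kernel owns
    (unless ip_nonlocal_bind/IP_FREEBIND is in play), so this needs no
    interface enumeration. Any socket failure counts as "not local".
    """
    ip = ipaddress.ip_address(addr)
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.bind((addr, 0))
    except OSError:
        return False
    return True


def resolve_addresses(hostname):
    """All addresses the system resolver returns for hostname, de-duplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_hostname(hostname, resolver=resolve_addresses, is_local=is_local_address):
    """Report why hostname is unsuitable for ipa-server-install, if it is.

    resolver and is_local are injectable (assumed interface of this example)
    so the decision logic can be tested without DNS or real interfaces.
    """
    problems = []
    if "." not in hostname:
        problems.append("not a fully qualified domain name")
    try:
        addresses = resolver(hostname)
    except OSError as exc:  # socket.gaierror is an OSError
        return {"ok": False, "addresses": [], "problems": [f"does not resolve: {exc}"]}
    if not addresses:
        problems.append("resolves to no address")
    for addr in addresses:
        if ipaddress.ip_address(addr).is_loopback:
            # IPA refuses a server hostname that maps to loopback.
            problems.append(f"{addr} is a loopback address")
        elif not is_local(addr):
            # The failure mode in this bug: the name points at some other host.
            problems.append(f"{addr} is not configured on a local interface")
    return {"ok": not problems, "addresses": addresses, "problems": problems}


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    report = check_hostname(name)
    print(f"{name} -> {', '.join(report['addresses']) or '(nothing)'}")
    for problem in report["problems"]:
        print(f"  problem: {problem}")
    sys.exit(0 if report["ok"] else 1)
```

Run it as `python3 check_hostname.py ipa.fips.com` on the would-be server before starting the installer; a non-zero exit means the name would have produced the same kind of failure seen in this bug.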