Bug 1997516

Summary: Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms' due to SSL certificate algorithm too weak
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: xiyuan
Component: Security
Assignee: RHUI Bug List <rhui-bugs>
Status: CLOSED CURRENTRELEASE
QA Contact: Radek Bíba <rbiba>
Severity: high
Docs Contact:
Priority: unspecified
Version: 2.1.1
CC: gtanzill, tsze
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2001464
Environment:
Last Closed: 2022-02-16 15:25:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2001464

Description xiyuan 2021-08-25 12:39:55 UTC
Description of problem:
Launch a RHEL-8 on GCP, enable FIPS, and try to install packages from the default RHUI.
It always failed due to: Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms' as SSL certificate algorithm too weak
Details could be found at: https://mastern-jenkins-csb-openshift-qe.apps.ocp4.prod.psi.redhat.com/job/ocp4-rhel-scaleup-runner/13053/console

How reproducible:
always

Version-Release number of selected component (if applicable):
Google-rhui-client-rhel8-2.1-1.noarch

Steps to reproduce:
Launch a RHEL-8 on GCP, enable FIPS, try to install packages from the default RHUI

Actual result:
Get available cri-o RPM versions failed, Rhel8 scaleup failed


TASK [openshift_node : Get available cri-o RPM versions] ***********************
Sunday 22 August 2021  14:53:50 +0800 (0:00:00.079)       0:00:05.587 ********* 
fatal: [10.0.128.6]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cds.rhel.updates.googlecloud.com/pulp/mirror//content/dist/rhel8/rhui/8/x86_64/codeready-builder/debug [SSL certificate problem: CA signature digest algorithm too weak]", "rc": 1, "results": []}
fatal: [10.0.128.5]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be


Expected result:
Get available cri-o RPM versions succeeded without error. Rhel8 scaleup succeeded

Additional info: 
No such issue when fips is disabled.
Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms: https://access.redhat.com/articles/3642912
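The failure above surfaces as an Ansible `fatal:` line wrapping a dnf/libdnf message that in turn wraps a curl/OpenSSL verification error. The following is an added example (not code from this bug report, Ansible, dnf or RHUI) that parses lines of that shape, extracts host, repo, curl error code, URL and the bracketed SSL problem, and maps the problem to a root cause a defender can act on. The two sample lines are constructed from the output quoted above; the second is deliberately truncated, as it is in the report, to show that incomplete lines are skipped rather than mis-parsed. The `CAUSES` table is an assumption: it covers the message in this report plus two other common OpenSSL verify messages.

```python
"""Classify SSL verification failures in dnf 'Failed to download metadata' errors
as reported through Ansible. Added example, not part of the bug report."""
import json
import re

# Ansible task failure: fatal: [host]: FAILED! => {json}
FATAL_RE = re.compile(r"^fatal: \[(?P<host>[^\]]+)\]: FAILED! => (?P<payload>\{.*\})\s*$")
# Pieces of the dnf/libcurl message inside the JSON "msg" field
REPO_RE = re.compile(r"Failed to download metadata for repo '(?P<repo>[^']+)'")
CURL_RE = re.compile(r"Curl error \((?P<code>\d+)\)")
URL_RE = re.compile(r" for (?P<url>https?://\S+)")
SSL_RE = re.compile(r"\[SSL certificate problem: (?P<problem>[^\]]+)\]")

# OpenSSL verify messages (as surfaced by curl) mapped to an actionable cause.
# Assumed table: only the first entry is taken from this report.
CAUSES = {
    "CA signature digest algorithm too weak":
        "a certificate in the chain is signed with SHA-1/MD5; rejected by the FIPS/strong-crypto policy",
    "self signed certificate in certificate chain":
        "issuing CA is not in the client's trust store",
    "certificate has expired":
        "a certificate in the chain is past notAfter",
}


def parse_failure(line):
    """Parse one Ansible 'fatal:' line; return a dict, or None if the line is not a
    complete failure record (for example cut off mid-JSON, as in the report)."""
    m = FATAL_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    msg = payload.get("msg", "")
    repo = REPO_RE.search(msg)
    curl = CURL_RE.search(msg)
    url = URL_RE.search(msg)
    ssl_m = SSL_RE.search(msg)
    problem = ssl_m.group("problem") if ssl_m else None
    return {
        "host": m.group("host"),
        "repo": repo.group("repo") if repo else None,
        "curl_error": int(curl.group("code")) if curl else None,
        "url": url.group("url") if url else None,
        "ssl_problem": problem,
        "cause": CAUSES.get(problem, "unclassified") if problem else "not an SSL verification failure",
    }


def summarize(lines):
    """Group parsed failures by root cause: {cause: sorted list of affected hosts}."""
    by_cause = {}
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        by_cause.setdefault(rec["cause"], set()).add(rec["host"])
    return {cause: sorted(hosts) for cause, hosts in by_cause.items()}


# Constructed sample input, modelled on the Ansible output quoted in the report.
# The second line is intentionally truncated mid-JSON, exactly as the report shows it.
SAMPLE_LINES = [
    'fatal: [10.0.128.6]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo '
    "'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms': Cannot prepare internal mirrorlist: "
    "Curl error (60): Peer certificate cannot be authenticated with given CA certificates for "
    "https://cds.rhel.updates.googlecloud.com/pulp/mirror//content/dist/rhel8/rhui/8/x86_64/codeready-builder/debug "
    '[SSL certificate problem: CA signature digest algorithm too weak]", "rc": 1, "results": []}',
    'fatal: [10.0.128.5]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo '
    "'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms': Cannot prepare internal mirrorlist: "
    "Curl error (60): Peer certificate cannot be",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_failure(line))
    print(summarize(SAMPLE_LINES))
```

Run it against a saved Ansible log (one line per record) to get a per-cause host list; a "CA signature digest algorithm too weak" bucket points at the server-side certificate chain, not at the client's trust store, which is why disabling FIPS on the client "fixes" it while the underlying SHA-1 signature remains.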

Comment 1 xiyuan 2021-09-02 11:38:05 UTC
Seems it is an upstream issue. Created ticket to google https://issuetracker.google.com/issues/197769045?pli=1 instead.

Comment 3 xiyuan 2021-09-08 03:36:44 UTC
Got feedback from google(seen from https://issuetracker.google.com/issues/197769045?pli=1):
mo...<mo...> #3 Sep 7, 2021 05:20PM
Hello,

I will summarize part of the investigation that has been done until today.

Product team has reported that this is currently Work as Intended. RHUI (via Red Hat's implementation) is deployed using a self signed CA for the certificates between the clients and the distribution nodes.

Short term plan is to not change them. These are the certs that RHUI creates and I believe they were sha1 because of RHEL 6. The Red Hat software controlled how they were created.

From FIPS 140-2 Validated documentation: When your clients connect to Google infrastructure, their TLS clients must be configured to require use of secure FIPS-compliant algorithms; if the TLS client and GCP's TLS services agree on an encryption method that is incompatible with FIPS, a non-validated encryption implementation will be used.

There is still an ongoing investigation about this issue and the confirmation of not declaring FIPS compliance at this level. Take into account there is no ETA for updates but we will update it shortly.

Please feel free to add any other questions or information to speed up the resolution of this issue.
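The reply above attributes the failure to RHUI certificates signed with SHA-1, which a FIPS-mode RHEL 8 client refuses. As an added example (not code from the bug report, RHUI or Google), the following stdlib-only Python reads the outer `signatureAlgorithm` of a DER-encoded X.509 certificate with a minimal DER walker and flags the digests a FIPS client rejects, so an operator can audit a chain before deploying it. The two inputs are constructed certificate skeletons (correct outer structure, empty TBS body), not real certificates, and the chain labels `rhui-ca` and `leaf` are assumptions.

```python
"""Report the signature digest of DER-encoded X.509 certificates and flag SHA-1/MD5.
Added example, not part of the bug report or of RHUI."""
import ssl

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, digest)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "sha512"),
}
# Digests rejected for certificate signatures by the FIPS / RHEL 8 strong-crypto policy
WEAK_DIGESTS = {"md5", "sha1"}


def _read_tlv(buf, pos):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn DER OID content octets into dotted form (first octet = 40*a + b)."""
    first = raw[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (oid, name, digest) for a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
    """
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)       # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)   # enter AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(cert_der[oid_start:oid_end])
    name, digest = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def weak_chain_members(chain):
    """Given {label: der_bytes}, return labels whose signature digest a FIPS client rejects."""
    return [label for label, der in chain.items() if signature_algorithm(der)[2] in WEAK_DIGESTS]


def load_pem(path):
    """Read a PEM certificate file into DER bytes (stdlib helper, for real files)."""
    with open(path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


# Constructed test input: certificate skeletons with an empty TBS body and an empty
# signature BIT STRING. They are NOT real certificates; only the outer layout matters here.
SHA1_RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101050500")    # sha1WithRSAEncryption, NULL params
SHA256_RSA_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption, NULL params


def fake_cert(alg_id_der):
    body = b"\x30\x00" + alg_id_der + b"\x03\x01\x00"   # empty TBS, AlgorithmIdentifier, empty BIT STRING
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    chain = {"rhui-ca": fake_cert(SHA1_RSA_ALGID), "leaf": fake_cert(SHA256_RSA_ALGID)}
    for label, der in chain.items():
        print(label, signature_algorithm(der))
    print("rejected under FIPS:", weak_chain_members(chain))
```

On a live host the same information is the "Signature Algorithm" line of `openssl x509 -in cert.pem -noout -text`; this script is the equivalent for scripted audits of a whole chain, with `load_pem` feeding real files into `weak_chain_members`. Only the outer signature is inspected, which is the field the "CA signature digest algorithm too weak" check is about.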

Comment 6 Gregg Tanzillo 2022-02-16 15:25:16 UTC
This has been fixed in RHUI 4.0, which is the current release

Comment 7 Gregg Tanzillo 2022-02-16 15:25:28 UTC
This has been fixed in RHUI 4.0, which is the current release

Comment 8 Red Hat Bugzilla 2023-09-15 01:14:13 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days