Bug 2053956

Summary: Installing Satellite 7.0 on FIPS enabled RHEL 8.5 fails on "katello-ssl-tool --gen-ca" step with error "ERROR: Certificate Authority private SSL key generation failed"
Product: Red Hat Satellite
Reporter: Sayan Das <saydas>
Component: Installation
Assignee: Eric Helms <ehelms>
Status: CLOSED ERRATA
QA Contact: Peter Ondrejka <pondrejk>
Severity: high
Priority: high
Version: 6.11.0
CC: ahumbe, ehelms, gtalreja
Target Milestone: 6.11.0
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Fixed In Version: foreman-installer-3.1.2.1
Last Closed: 2022-07-05 14:33:17 UTC
Type: Bug
Attachments:
installer log file [ just in case it is needed ] (flags: none)

Description Sayan Das 2022-02-13 15:45:54 UTC
Description of problem:

Installing Satellite 7.0 on FIPS enabled RHEL 8.5 fails on "katello-ssl-tool --gen-ca" step with error "ERROR: Certificate Authority private SSL key generation failed"


Version-Release number of selected component (if applicable):

Satellite 7.0 (latest snap)

RHEL 8.5 + FIPS

How reproducible:

Always

Steps to Reproduce:
1. Install RHEL 8.5 with FIPS enabled
2. Set up repos for Satellite 7.0 installation on RHEL 8, enable necessary modules, and apply the workarounds before proceeding with package installation.

subscription-manager repo-override --repo=Sat6-CI_Satellite_Capsule_7_0_Composes_Satellite_Capsule_7_0_RHEL8 --add=module_hotfixes:1
dnf -y module enable ruby:2.7
dnf -y module enable pki-core

3. yum install satellite
4. Run "satellite-installer -S satellite"


Actual results:

2022-02-13 10:16:36 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-02-13 10:16:40 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-02-13 10:16:40 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2022-02-13 10:23:05 [NOTICE] [configure] Starting system configuration.
2022-02-13 10:29:09 [NOTICE] [configure] 250 configuration steps out of 1742 steps complete.
2022-02-13 10:31:12 [ERROR ] [configure] Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build -p file:/etc/pki/katello/private/katello-default-ca.pwd --force --ca-cert-dir /etc/pki/katello-certs-tools/certs --set-common-name satellite70.test.lan8 --ca-cert katello-default-ca.crt --ca-key katello-default-ca.key --ca-cert-rpm katello-default-ca --set-country US --set-state North Carolina --set-city Raleigh --set-org Katello --set-org-unit SomeOrgUnit --set-email  --cert-expiration 36500' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-13 10:31:12 [ERROR ] [configure] *********************************************************************************************************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] **********************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] e is 65537 (0x010001)
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating private CA key: /root/ssl-build/katello-default-ca.key
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/Ca[katello-default-ca]/ensure: change from 'absent' to 'present' failed: Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build -p file:/etc/pki/katello/private/katello-default-ca.pwd --force --ca-cert-dir /etc/pki/katello-certs-tools/certs --set-common-name satellite70.test.lan8 --ca-cert katello-default-ca.crt --ca-key katello-default-ca.key --ca-cert-rpm katello-default-ca --set-country US --set-state North Carolina --set-city Raleigh --set-org Katello --set-org-unit SomeOrgUnit --set-email  --cert-expiration 36500' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-13 10:31:12 [ERROR ] [configure] *********************************************************************************************************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] **********************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] e is 65537 (0x010001)
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating private CA key: /root/ssl-build/katello-default-ca.key
2022-02-13 10:31:12 [ERROR ] [configure] Could not set 'present' on ensure: No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt (file: /usr/share/foreman-installer/modules/certs/manifests/ca.pp, line: 61)
2022-02-13 10:31:12 [ERROR ] [configure] Could not set 'present' on ensure: No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt (file: /usr/share/foreman-installer/modules/certs/manifests/ca.pp, line: 61)
2022-02-13 10:31:12 [ERROR ] [configure] Wrapped exception:
2022-02-13 10:31:12 [ERROR ] [configure] No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/Ca[katello-server-ca]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt (file: /usr/share/foreman-installer/modules/certs/manifests/ca.pp, line: 61)
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/File[/etc/pki/katello/certs/katello-default-ca.crt]: Could not evaluate: Could not retrieve information from environment production source(s) file:///root/ssl-build/katello-default-ca.crt
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/File[/etc/pki/katello/certs/katello-server-ca.crt]: Could not evaluate: Could not retrieve information from environment production source(s) file:///root/ssl-build/katello-server-ca.crt
2022-02-13 10:31:14 [ERROR ] [configure] Failed to generate new keystore with temporary entry: Execution of '/bin/keytool -genkey -storetype pkcs12 -keystore /etc/candlepin/certs/keystore -storepass:file /etc/pki/katello/keystore_password-file -alias temporary-entry -dname CN=temporary-entry' returned 1: keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
2022-02-13 10:31:14 [ERROR ] [configure] Failed to generate new truststore with temporary entry: Execution of '/bin/keytool -genkey -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -storepass:file /etc/pki/katello/truststore_password-file -alias temporary-entry -dname CN=temporary-entry' returned 1: keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
2022-02-13 10:35:03 [NOTICE] [configure] 500 configuration steps out of 2591 steps complete.
2022-02-13 10:35:04 [NOTICE] [configure] 750 configuration steps out of 2591 steps complete.
2022-02-13 10:35:05 [NOTICE] [configure] 1000 configuration steps out of 2591 steps complete.


Expected results:

Installation should be completed without errors on RHEL 8 (as I am assuming we will support FIPS-enabled setup on RHEL 8 as well).


Additional info:

NA
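
A triage sketch for the installer output above, added here as an example and not part of the original report or of the Satellite tooling: it pulls the OpenSSL error-queue entry that records the FIPS policy rejection out of the ERROR lines and collapses the repeated output. The function name `triage` and the shortened sample lines are assumptions made for illustration.

```python
import re

# Installer line layout: "<date> <time> [LEVEL ] [stage] message"
LINE = re.compile(r"^(\S+ \S+) \[(\w+)\s*\] \[(\w+)\] ?(.*)$")
# OpenSSL 1.1.x error-queue entry: thread:error:code:library:function:reason:file:line:
OSSL = re.compile(r"^\d+:error:([0-9A-F]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")

# Sample input: lines taken from the log in this report, long ones shortened with "...".
SAMPLE_LOG = """\
2022-02-13 10:29:09 [NOTICE] [configure] 250 configuration steps out of 1742 steps complete.
2022-02-13 10:31:12 [ERROR ] [configure] Execution of '/bin/katello-ssl-tool --gen-ca ...' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] e is 65537 (0x010001)
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] Wrapped exception:
2022-02-13 10:31:12 [ERROR ] [configure] No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt
2022-02-13 10:31:14 [ERROR ] [configure] Failed to generate new keystore with temporary entry: ... keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
"""


def triage(log_text):
    """Separate OpenSSL FIPS policy rejections from the other ERROR-level lines."""
    fips, other, seen = [], [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != "ERROR" or not m.group(4).strip():
            continue  # skip non-error levels and the blank ERROR lines
        ts, msg = m.group(1), m.group(4).strip()
        o = OSSL.match(msg)
        if o and "fips" in o.group(4).lower():
            code, lib, func, reason, src, line = o.groups()
            if (code, func) not in seen:  # the tool output is logged twice; keep one
                seen.add((code, func))
                fips.append({"time": ts, "code": code, "library": lib, "function": func,
                             "reason": reason, "source": f"{src}:{line}"})
        elif msg not in other:
            other.append(msg)
    return {"fips_rejections": fips, "other_errors": other}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["fips_rejections"]:
        print(f"{f['time']} {f['function']}: {f['reason']} ({f['source']})")
    print(f"{len(result['other_errors'])} other distinct ERROR lines")
```

The OpenSSL entry names the function that refused the request, not the digest that was asked for; the log in this report does not show which algorithm that was.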

Comment 1 Sayan Das 2022-02-13 16:05:43 UTC
Created attachment 1860881
installer log file [  just in case it is needed ]

Comment 6 Peter Ondrejka 2022-04-14 10:21:46 UTC
Verified on Satellite 6.11 snap 16; installation on FIPS-enabled RHEL 8 completes successfully.

Comment 9 errata-xmlrpc 2022-07-05 14:33:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498