Bug 2168931

Summary: RHEL9 clients with FIPS mode, failed to upload compliance report to Satellite and fails with exception(Unable to load certs)
Product: Red Hat Satellite Reporter: Satyajit Das <sadas>
Component: SCAP PluginAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED MIGRATED QA Contact: Peter Ondrejka <pondrejk>
Severity: high Docs Contact:
Priority: high    
Version: 6.12.0CC: ahumbe, apetrova, aruzicka, bangelic, ehelms, lstejska, mhulan, mkushwah, moonguar, pcreech, rlavi, saydas
Target Milestone: UnspecifiedKeywords: MigratedToJIRA, PrioBumpGSS, Regression, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-06-06 16:07:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2170105    
Bug Blocks:    

Description Satyajit Das 2023-02-10 15:52:09 UTC 
Description of problem:

RHEL9 clients with FIPS mode failed to upload compliance reports to Satellite and fails with exception(Unable to load certs)

Version-Release number of selected component (if applicable):

6.12.z

How reproducible:

100%


Steps to Reproduce:

1. RHEL9 clients with FIPS mode
2. Compliance policy is configured and push to the client host, policy is updated on the client however compliance scan fails with the below error:-

Actual results:

# /usr/bin/foreman_scap_client ds 2
DEBUG: running: oscap xccdf eval  --profile xccdf_org.ssgproject.content_profile_cis  --results-arf /tmp/d20230207-13679-39jgxn/results.xml /var/lib/openscap/content/5d420b764d7c13ef8ddb6e8f0c76094fa9df9848881be58a9361ddfb8e988824.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20230207-13679-39jgxn/results.xml
Uploading results to https://satellite.example.com:9090/compliance/arf/2


Unable to load certs  =========================================> Error.
Neither PUB key nor PRIV key

Expected results:

The compliance report should be uploaded without any issues.


Additional info:

~~~~~~~~~~
=> RHEL8 clients with FIPS mode are working as expected.
=> Key is also 4096-bit:
 # openssl x509 -noout -text -in /etc/rhsm/ca/katello-server-ca.pem | grep Public-Key
                Public-Key: (4096 bit)
# openssl x509 -noout -text -in /etc/pki/consumer/cert.pem | grep Public-Key
                Public-Key: (4096 bit)
# openssl x509 -noout -text -in /etc/pki/katello/certs/katello-default-ca.crt | grep Public-Key
~~~~~~~~~~~~
Comment 1 Eric Helms 2023-02-10 16:11:58 UTC 
My initial investigation points to this being a problem with Ruby support for OpenSSL 3. On RHEL 9, OpenSSL 3 is available and Ruby does not have full support for it. The support it does have appears to be good enough for RHEL 9 in non-FIPS mode but once the additional restrictions of FIPS are in place the support breaks. This means there is presently no work-around available.

We will either need to wait for the fix in Ruby and to propagate through the RHEL release cycle or to consider a re-write of the foreman_scap_client into a different language (e.g. python).



https://github.com/ruby/openssl/issues/369
Comment 2 Brad Buckingham 2023-02-13 14:20:17 UTC 
Is there a RHEL bugzilla open to track the issue that Eric has found in comment 1?
If not, can one be created?

Thanks!
Comment 3 moonguar 2023-11-08 20:02:15 UTC 
ssh-rsa algorithm is disabled in RHEL 9.  So the system reverts to Ed25519 algorithm to try to scp the report to the Satellite server but this algorithm is not allowed in FIPS mode.  I dont know why it wont use ecdsa algorithm since it is enable in the sshd_config file.
Comment 8 Eric Helms 2024-01-09 14:11:42 UTC 
This bug is blocked by a RHEL bug that has to be fixed in Ruby itself, and is being tracked by https://issues.redhat.com/browse/RHEL-5590
Comment 13 Adam Ruzicka 2024-05-14 07:52:35 UTC 
This seems to be resolved in latest ruby shipped with rhel 9.4.

# rpm -q ruby
ruby-3.0.4-161.el9.x86_64

# /usr/bin/foreman_scap_client ds 2
File /var/lib/openscap/content/9a2fa9a93d52f9b904df7e3b186ae8984c52c60b3ca2cce1eddc78173f114b40.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://satellite.fqdn:9090/compliance/policies/2/content/9a2fa9a93d52f9b904df7e3b186ae8984c52c60b3ca2cce1eddc78173f114b40
DEBUG: running: oscap xccdf eval  --local-files /root --profile xccdf_org.ssgproject.content_profile_stig  --results-arf /tmp/d20240514-17517-n6e6f5/results.xml /var/lib/openscap/content/9a2fa9a93d52f9b904df7e3b186ae8984c52c60b3ca2cce1eddc78173f114b40.xml
WARNING: Data stream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. The option --local-files '/root' has been provided, but the file '/root/security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' can't be used locally: No such file or directory.
WARNING: Skipping ./security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20240514-17517-n6e6f5/results.xml
Uploading results to https://satellite.fqdn:9090/compliance/arf/2
Report uploaded, report id: 3
Comment 14 Adam Ruzicka 2024-05-14 10:17:53 UTC 
Moving to on_qa per previous comment.
Comment 15 Eric Helms 2024-06-06 16:07:44 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.