Bug 1462112 - ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
Summary: ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Sudhir Menon
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-16 08:30 UTC by Sudhir Menon
Modified: 2017-08-01 09:51 UTC (History)

Fixed In Version: ipa-4.5.0-19.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:51:24 UTC
Target Upstream Version:
Embargoed:


Attachments
pki-ca-spawn (141.37 KB, text/plain) - 2017-06-16 09:12 UTC, Sudhir Menon
ipa-server-install log (3.85 MB, text/plain) - 2017-06-16 12:16 UTC, Sudhir Menon
ipa-client-install log (6.35 KB, text/plain) - 2017-06-16 12:17 UTC, Sudhir Menon
dirsrv journalctl logs (107.29 KB, text/x-vhdl) - 2017-06-16 12:18 UTC, Sudhir Menon
pki-ca logs (156.73 KB, text/plain) - 2017-06-16 12:19 UTC, Sudhir Menon
dirsrv error logs (76.23 KB, text/plain) - 2017-06-16 12:20 UTC, Sudhir Menon
Install Log (11.54 KB, text/plain) - 2017-06-22 10:53 UTC, Sudhir Menon


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Sudhir Menon 2017-06-16 08:30:32 UTC
Description of problem: With FIPS mode enabled, the ipa-server-install command failed with RuntimeError: CA configuration failed

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-18.el7.x86_64
sssd-1.15.2-47.el7.x86_64
389-ds-base-1.3.6.1-16.el7.x86_64
pki-server-10.4.1-9.el7.noarch
pki-ca-10.4.1-9.el7.noarch
selinux-policy-3.13.1-162.el7.noarch
samba-4.6.2-6.el7.x86_64
custodia-0.3.1-3.el7.noarch

How reproducible: Always


Steps to Reproduce:
1. Set up FIPS on RHEL 7.4 using the steps below

# cat /etc/sysconfig/prelink | grep PRELINKING  i.e PRELINKING=no
# prelink -u -a
# yum install -y dracut-fips
# dracut -f
# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda1        1038336 194432    843904  19% /boot

# blkid /dev/sda1
/dev/sda1: UUID="a7c8839b-ee02-4a56-a667-c271bcf3c15e" TYPE="xfs" 
# vi /etc/default/grub

GRUB_CMDLINE_LINUX="fips=1 boot=UUID=a7c8839b-ee02-4a56-a667-c271bcf3c15e crashkernel=auto rd.lvm.lv=rhel_auto-hv-02-guest02/root rd.lvm.lv=rhel_auto-hv-02-guest02/swap console=ttyS0,115200"

# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot
# sysctl -a | grep fips_enabled
crypto.fips_enabled = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"

2. IPA server is installed with multiple --ip-address, --no-pkinit, --setup-adtrust options

# ipa-server-install -p **** -a ***** --ip-address=<ip-address1> --ip-address=<ip-address2> -n TEST.QE -r TEST.QE --hostname=authohv02.testqe.test --setup-dns --setup-adtrust --no-pkinit --no-reverse --forwarder=<ip-address> --no-dnssec-validation --netbios-name=TEST -v -U

Actual results: IPA server install fails with the error below

Installation failed: server failed to restart
2017-06-16T06:43:27Z DEBUG stderr=pkispawn    : ERROR    ....... server failed to restart
2017-06-16T06:43:27Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpIBBIdH' returned non-zero exit status 1
2017-06-16T06:43:27Z CRITICAL See the installation logs and the following files/directories for more information:
2017-06-16T06:43:27Z CRITICAL   /var/log/pki/pki-tomcat
2017-06-16T06:43:27Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2017-06-16T06:43:27Z DEBUG   [error] RuntimeError: CA configuration failed.
2017-06-16T06:43:27Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 578, in main
    master_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 250, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 802, in install
    ca.install_step_0(False, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 284, in install_step_0
    use_ldaps=standalone)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 447, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 615, in __spawn_instance
    self.tmp_agent_pwd)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 148, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 398, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2017-06-16T06:43:27Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2017-06-16T06:43:27Z ERROR CA configuration failed.

Expected results: IPA server install should work without any error.

Additional info: Attaching console logs.
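
The FIPS setup in step 1 above depends on two kernel parameters being right before the reboot: fips=1, and, because /boot is a separate filesystem on this host, boot=UUID=<uuid of /boot> taken from blkid (without it the FIPS integrity check in the initramfs cannot locate the kernel HMAC files). The following POSIX shell script is an added example for checking those parameters and the post-reboot sysctl result; it is not part of the bug report or of the ipa packages. The sample command lines and sysctl output are constructed, and the UUID is the one shown in the blkid line of step 1.

```shell
#!/bin/sh
# Added example, not from the bug report: validate the FIPS boot parameters
# assembled in step 1 before rebooting, and the sysctl result afterwards.

# fips_cmdline_ok CMDLINE BOOT_UUID
#   CMDLINE   value of GRUB_CMDLINE_LINUX, or /proc/cmdline after the reboot
#   BOOT_UUID UUID of /boot as printed by blkid, or empty when /boot is not
#             a separate filesystem
# Returns 0 when fips=1 is present and, if BOOT_UUID is non-empty, a matching
# boot=UUID=<BOOT_UUID> parameter is present as well; returns 1 otherwise.
fips_cmdline_ok() {
    _cmdline=$1
    _boot_uuid=$2
    _have_fips=no
    _have_boot=no
    # Kernel parameters are whitespace separated, so rely on word splitting.
    for _param in $_cmdline; do
        case $_param in
            fips=1) _have_fips=yes ;;
            boot=UUID=*)
                # Only accept the UUID of the real /boot filesystem.
                if [ "${_param#boot=UUID=}" = "$_boot_uuid" ]; then
                    _have_boot=yes
                fi
                ;;
        esac
    done
    [ "$_have_fips" = yes ] || return 1
    if [ -n "$_boot_uuid" ] && [ "$_have_boot" != yes ]; then
        return 1
    fi
    return 0
}

# fips_runtime_ok SYSCTL_OUTPUT
#   Parses output in the shape of `sysctl -a | grep fips_enabled` (the final
#   check of step 1) and succeeds only when the kernel reports
#   crypto.fips_enabled = 1.
fips_runtime_ok() {
    printf '%s\n' "$1" | grep -q '^crypto\.fips_enabled = 1$'
}

# Constructed sample inputs; the UUID is the one from the blkid line in step 1.
SAMPLE_UUID=a7c8839b-ee02-4a56-a667-c271bcf3c15e
SAMPLE_GOOD="fips=1 boot=UUID=$SAMPLE_UUID crashkernel=auto console=ttyS0,115200"
SAMPLE_NO_BOOT="fips=1 crashkernel=auto console=ttyS0,115200"
SAMPLE_WRONG_UUID="fips=1 boot=UUID=00000000-0000-0000-0000-000000000000 crashkernel=auto"
SAMPLE_NO_FIPS="boot=UUID=$SAMPLE_UUID crashkernel=auto"
SAMPLE_SYSCTL_ON="crypto.fips_enabled = 1"
SAMPLE_SYSCTL_OFF="crypto.fips_enabled = 0"

# report LABEL CMDLINE: print a one-line verdict for a sample command line.
report() {
    if fips_cmdline_ok "$2" "$SAMPLE_UUID"; then
        echo "$1: OK"
    else
        echo "$1: missing fips=1 or boot=UUID=<uuid of /boot>"
    fi
}

report good      "$SAMPLE_GOOD"
report no-boot   "$SAMPLE_NO_BOOT"
report bad-uuid  "$SAMPLE_WRONG_UUID"
report no-fips   "$SAMPLE_NO_FIPS"

if fips_runtime_ok "$SAMPLE_SYSCTL_ON"; then
    echo "sample sysctl: FIPS mode active"
fi
```

On a real host, pass the GRUB_CMDLINE_LINUX value from /etc/default/grub and the blkid UUID of the /boot device to fips_cmdline_ok before running grub2-mkconfig, and the sysctl output to fips_runtime_ok after the reboot; the functions only inspect the strings they are given, so they can also be run against a captured copy of those values.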

Comment 3 Sudhir Menon 2017-06-16 09:12:31 UTC
Created attachment 1288286 [details]
pki-ca-spawn

Comment 4 Standa Laznicka 2017-06-16 09:28:40 UTC
Please provide journal log for pki-tomcatd. This seems more like a pki-base bug, btw.

Comment 6 Sudhir Menon 2017-06-16 12:16:20 UTC
Created attachment 1288349 [details]
ipa-server-install log

Comment 7 Sudhir Menon 2017-06-16 12:17:28 UTC
Created attachment 1288352 [details]
ipa-client-install log

Comment 8 Sudhir Menon 2017-06-16 12:18:19 UTC
Created attachment 1288353 [details]
dirsrv journalctl logs

Comment 9 Sudhir Menon 2017-06-16 12:19:32 UTC
Created attachment 1288354 [details]
pki-ca logs

Comment 10 Sudhir Menon 2017-06-16 12:20:51 UTC
Created attachment 1288355 [details]
dirsrv error logs

Comment 11 Standa Laznicka 2017-06-16 13:31:57 UTC
Since the original bug was not reproducible and the nature of it is actually different, I am moving this back to IPA.

The cause of this bug is the use of MD4 in some C code which handles trusts.

Comment 13 thierry bordaz 2017-06-19 12:59:10 UTC
Looking at https://bugzilla.redhat.com/attachment.cgi?id=1288353, it looks like ns-slapd aborts.
Do you know if a core was dumped?

Comment 14 Petr Vobornik 2017-06-20 08:22:19 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7026

Comment 20 Sudhir Menon 2017-06-22 10:41:46 UTC
Fix is seen. Verified on RHEL 7.4 using

ipa-server-4.5.0-19.el7.x86_64
389-ds-base-1.3.6.1-16.el7.x86_64
pki-server-10.4.1-10.el7.noarch
pki-ca-10.4.1-10.el7.noarch
selinux-policy-3.13.1-162.el7.noarch
custodia-0.3.1-4.el7.noarch


Attaching the install log for reference.

Comment 21 Sudhir Menon 2017-06-22 10:53:34 UTC
Created attachment 1290647 [details]
Install Log

Comment 22 errata-xmlrpc 2017-08-01 09:51:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

