Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionMohammad Rizwan
2019-01-04 11:14:00 UTC
Description of problem:
ipa-server-install fails in FIPS mode for [1/28]: configuring certificate server instance
Version-Release number of selected component (if applicable):
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
ipa-server-dns-4.7.1-7.module+el8+2555+b334d87b.noarch
How reproducible:
always
Steps to Reproduce:
1. Enable fips mode and install ipa-server
Actual results:
[..]
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmppdbjeyia'] returned non-zero exit status 1: 'pkispawn : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:872)\nconfiguration : ERROR Server failed to restart\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Expected results:
ipa-server-install success.
Additional info:
Similar bug is on ON_QA for different issue : https://bugzilla.redhat.com/show_bug.cgi?id=1656418
DS/CA Installation are getting failed after enabling the fips at hardware level.
Below is the detail logs
Working fine before configuring fips:-
# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master
After configuring fips on rhel8 ds installation is not working
# df /boot
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 1038336 171500 866836 17% /boot
# blkid /dev/sda1
/dev/sda1: UUID="88a7f134-6f62-445e-8c6b-0a9aae0f3478" TYPE="xfs" PARTUUID="6b4463b1-01"
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done
# reboot
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
# /usr/sbin/getenforce
Enforcing
# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Error: {'desc': "Can't contact LDAP server"}
after disabling the fips :-
[root@dell-pr5820-01 hsm_setup]# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
[root@dell-pr5820-01 hsm_setup]#
[root@dell-pr5820-01 hsm_setup]# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master
Attached is the config file and debug logs
(In reply to Ondrej Moriš from comment #19)
> Acceptance Criteria:
>
> * IPA server can be installed in FIPS mode.
I believe this is too broad AC.
I'd suggest AC:
* java -Djava.security.properties=../outputs/FIPS-java.txt CipherList lists the DHE_RSA and ECDHE_RSA ciphersuites (and the same for FUTURE policy)