Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-4.7.1-10.module+el8+2699+a
ipa-server-common-4.7.1-10.module+el8
pki-ca-10.6.9-2.module+el8+2728+a4ad6
pki-base-10.6.9-2.module+el8+2728+a4a

How reproducible:
always

Steps to Reproduce:
1. Enable fips mode and install ipa-server

Actual results:
[..]
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp62qcd027'] returned non-zero exit status 1: 'pkispawn : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:877)\nconfiguration : ERROR Server failed to restart\npkispawn : ERROR Exception: server failed to restart\n File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n scriptlet.spawn(deployer)\n File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n raise Exception("server failed to restart")\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

:: [ 04:18:22 ] :: [ FAIL ] :: Command ' /usr/sbin/ipa-server-install --setup-dns --auto-forwarders --reverse-zone=34.19.10.in-addr.arpa. --allow-zone-overlap --hostname=ipaqavmf.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 --ip-address=10.19.34.120 -U' (Expected 0, got 1)

Expected results:
ipa-server-install success

Additional info:
A similar bug [1] was opened, but that didn't resolve the ipa issue.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1663443
Moving to pki-core since the failure happens during PKI installation. See also: https://bugzilla.redhat.com/show_bug.cgi?id=1663443#c5
Endi, I have provided qa_ack for this. We need a blocker+ for this with justification; let's get that after all acks, so provide dev_ack.
*** Bug 1707009 has been marked as a duplicate of this bug. ***
Test Environment:

# rpm -qa pki-* nss jss
pki-server-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
jss-4.6.0-2.module+el8.1.0+3370+6d076660.x86_64
nss-3.41.0-5.el8.x86_64
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-symkey-10.7.1-2.module+el8.1.0+3386+52d02a00.x86_64
pki-base-java-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-kra-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-tools-10.7.1-2.module+el8.1.0+3386+52d02a00.x86_64
pki-base-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-ca-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch

Test Steps:
1. Make sure fips is enabled.
# cat /proc/sys/crypto/fips_enabled
1
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

Test Cases:
1. Install CA/KRA with internal.
   -- Make sure CA/KRA install works.
   -- try to sign certificates
   > Result: worked
2. Install CA/KRA with HSM.
   -- Make sure CA/KRA install works with HSM
   -- try to sign certificates
   > Result: worked
3. Installation without FIPS is taken care of in CI/CD pipelines.
   -- Automated Jobs -- https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/779539
Hi Endi, I have updated the Doc Text. Please review and provide your feedback. Regards, Abhimanyu Jamaiyar
Hi, the Doc Text looks fine, but I want to make a note that there are several bugs that prevent IdM from running in FIPS mode in RHEL 8.1, and this is just one of them. I hope the title of the Doc Text would not mislead people to think that this bug fixes all FIPS issues.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3416