Bug 1787745 - Meteringconfig failed during ansible setup to generate RSA private key with Openshift having FIPS enabled.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Metering Operator
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.4.0
Assignee: tflannag
QA Contact: Peter Ruan
URL:
Whiteboard:
Depends On:
Blocks: 1788208
Reported: 2020-01-04 22:50 UTC by Peter Ruan
Modified: 2020-05-04 11:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When attempting to run Metering on a FIPS-enabled cluster, we fail role execution while generating user TLS certificates calling the 'openssl_privatekey' module. This module utilizes the module_utils/crypto.py helper library. This library iterates over a list of hashlib "FIPS-compliant" algorithms but the 'md5' algorithm was present in that list. We "vendored" this python helper library in the metering-ansible-operator's role module_utils directory, removing the 'md5' algorithm from the list of available algorithms. This allowed role execution to progress past the TLS-related tasks.
Clone Of:
: 1788208 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:22:02 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | operator-framework operator-metering pull 1088 | 0 | None | closed | Bug 1787745: Remove the RSA's md5 algorithm from the Ansible openssl modules. | 2020-11-17 19:36:21 UTC |
| Red Hat Product Errata | RHBA-2020:0581 | 0 | None | None | None | 2020-05-04 11:22:40 UTC |
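
The failure mode the Doc Text describes, shown as an added example (not the Ansible module's or the metering operator's code): a fingerprint helper that walks a list of digest names aborts as soon as one constructor is refused under FIPS. The function names are hypothetical, and `fips_like_new` is a constructed stand-in that raises the error from the traceback for `md5` so the behaviour can be reproduced on a non-FIPS host.

```python
import hashlib

# Constructed stand-in for a FIPS-mode OpenSSL backend (assumption for this
# example): md5 raises the error seen in the traceback, everything else is
# passed through to hashlib unchanged.
FIPS_ERROR = ("error:060800A3:digital envelope routines:"
              "EVP_DigestInit_ex:disabled for fips")


def fips_like_new(name, data=b""):
    if name == "md5":
        raise ValueError(FIPS_ERROR)
    return hashlib.new(name, data)


def _colon_hex(h):
    """Render a digest as colon-separated hex pairs."""
    try:
        digest = h.hexdigest()
    except TypeError:  # SHAKE digests require an explicit output length
        digest = h.hexdigest(32)
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_naive(source, algorithms, new=hashlib.new):
    """Failing pattern: one disabled digest aborts the whole call."""
    return {algo: _colon_hex(new(algo, source)) for algo in algorithms}


def fingerprints_tolerant(source, algorithms, new=hashlib.new):
    """Skip digests the backend refuses and report which were skipped."""
    result, skipped = {}, []
    for algo in algorithms:
        try:
            h = new(algo, source)
        except ValueError:  # e.g. "disabled for fips"
            skipped.append(algo)
            continue
        result[algo] = _colon_hex(h)
    return result, skipped
```

Passing a list without `md5` to `fingerprints_naive` mirrors the fix described in the Doc Text; `fingerprints_tolerant` is an alternative that survives any digest the backend rejects.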

Description Peter Ruan 2020-01-04 22:50:19 UTC
Description of problem:
Meteringconfig failed during ansible setup with Openshift having FIPS enabled.  This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1782104

Version-Release number of selected component (if applicable):
4.3.x

How reproducible:

always

Steps to Reproduce:
1. Install OpenShift on OpenStack with FIPS enabled
2. run ./hack/openshift-install.sh
3.

Actual results:
TASK [meteringconfig : Generate a RSA private key for the CA] ******************
task path: /opt/ansible/roles/meteringconfig/tasks/configure_root_ca.yml:45
Saturday 04 January 2020  22:45:22 +0000 (0:00:00.367)       0:00:18.541 ******
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1578177923.0-157257680349580/AnsiballZ_openssl_privatekey.py\", line 114, in <module>\n    _ansiballz_main()\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1578177923.0-157257680349580/AnsiballZ_openssl_privatekey.py\", line 106, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1578177923.0-157257680349580/AnsiballZ_openssl_privatekey.py\", line 49, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 703, in <module>\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 687, in main\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 318, in generate\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 559, in _get_fingerprint\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/ansible_openssl_privatekey_payload.zip/ansible/module_utils/crypto.py\", line 86, in get_fingerprint_of_bytes\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}


Expected results:


Additional info:

Comment 4 Peter Ruan 2020-01-30 18:30:01 UTC
Verified with imageID: quay.io/openshift/origin-metering-ansible-operator@sha256:d8eb8c604066c5fd1b398456f274217cc2907cedd6fddeda72691945979d1196

I can install successfully and get report data back.

Comment 6 errata-xmlrpc 2020-05-04 11:22:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

