Description of problem:
Launch a RHEL-8 on GCP, enable FIPS, and try to install packages from the default RHUI. It always failed due to:
Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms' as SSL certificate algorithm too weak

Details could be found at: https://mastern-jenkins-csb-openshift-qe.apps.ocp4.prod.psi.redhat.com/job/ocp4-rhel-scaleup-runner/13053/console

Red Hat Update Infrastructure for Cloud Providers | Security | High

How reproducible: always

Version-Release number of selected component (if applicable):
Google-rhui-client-rhel8-2.1-1.noarch

Steps to reproduce:
Launch a RHEL-8 on GCP, enable FIPS, try to install packages from the default RHUI

Actual result:
Get available cri-o RPM versions failed, Rhel8 scaleup failed

TASK [openshift_node : Get available cri-o RPM versions] ***********************
Sunday 22 August 2021  14:53:50 +0800 (0:00:00.079)       0:00:05.587 *********
fatal: [10.0.128.6]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cds.rhel.updates.googlecloud.com/pulp/mirror//content/dist/rhel8/rhui/8/x86_64/codeready-builder/debug [SSL certificate problem: CA signature digest algorithm too weak]", "rc": 1, "results": []}
fatal: [10.0.128.5]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'rhui-codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be

Expected result:
Get available cri-o RPM versions succeeded without error. Rhel8 scaleup succeeded

Additional info:
No such issue when FIPS is disabled.
Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms: https://access.redhat.com/articles/3642912
Seems it is an upstream issue. Created ticket to google https://issuetracker.google.com/issues/197769045?pli=1 instead.
Got feedback from Google (seen from https://issuetracker.google.com/issues/197769045?pli=1):

mo... #3, Sep 7, 2021 05:20PM

Hello, I will summarize part of the investigation that has been done until today.

Product team has reported that this is currently Work as Intended. RHUI (via Red Hat's implementation) is deployed using a self-signed CA for the certificates between the clients and the distribution nodes. Short term plan is to not change them. These are the certs that RHUI creates and I believe they were sha1 because of RHEL 6. The Red Hat software controlled how they were created.

From FIPS 140-2 Validated documentation: When your clients connect to Google infrastructure, their TLS clients must be configured to require use of secure FIPS-compliant algorithms; if the TLS client and GCP's TLS services agree on an encryption method that is incompatible with FIPS, a non-validated encryption implementation will be used.

There is still an ongoing investigation about this issue and the confirmation of not declaring FIPS compliance at this level. Take into account there is no ETA for updates but we will update it shortly. Please feel free to add any other questions or information to speed up the resolution of this issue.
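The failure in the bug description ("CA signature digest algorithm too weak", curl error 60) and Google's explanation above (the RHUI CA certificates were generated with SHA-1) both come down to one property of a certificate: the digest in its signatureAlgorithm. The following script is an added example, not code from this bug report, from RHUI or from Google: it reads the outer signatureAlgorithm OID of a DER/PEM certificate with a minimal DER reader from the standard library and flags the SHA-1 variants that a FIPS-mode RHEL 8 client will refuse, so an administrator can audit a client's CA bundle before turning FIPS on rather than discovering the problem when dnf fails. The certificate bytes embedded below are constructed skeletons (a placeholder tbsCertificate and signature around a real AlgorithmIdentifier), not real certificates; any file paths are assumptions.

```python
"""
Audit X.509 certificates for SHA-1 signature algorithms, the condition that
makes a FIPS-mode RHEL 8 client reject a CA with
"CA signature digest algorithm too weak" (curl error 60).

Added example, not from the bug report. Standard library only; the sample
certificates at the bottom are constructed skeletons so it runs offline.
"""
import base64
import sys

# Dotted signature-algorithm OIDs -> (name, rejected under FIPS policy).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       False),
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)             # tbsCertificate: skip it
    tag, alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return _decode_oid(oid)


def check_certificate(der):
    """Return (algorithm name, too_weak_for_fips) for one DER certificate.
    Unknown OIDs come back as (dotted oid, None) so they can be reviewed."""
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, (oid, None))


def check_pem(pem):
    """Same check for a PEM-encoded certificate (first block only)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return check_certificate(base64.b64decode(body))


# --- constructed sample certificates (skeletons, not real certs) -----------
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content       # short-form lengths only


def _skeleton_cert(sig_oid_der):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))              # placeholder tbsCertificate
    alg = _tlv(0x30, sig_oid_der + _tlv(0x05, b""))     # OID + NULL parameters
    sig = _tlv(0x03, b"\x00\xAA")                       # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = _skeleton_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")
SAMPLE_SHA256_CERT = _skeleton_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")

if __name__ == "__main__":
    # Pass PEM files (e.g. a client's CA bundle) on the command line; with no
    # arguments the constructed samples are checked.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path) as fh:
                name, weak = check_pem(fh.read())
            print(f"{path}: {name} {'REJECTED under FIPS' if weak else 'ok'}")
    else:
        for label, der in (("sha1 sample", SAMPLE_SHA1_CERT),
                           ("sha256 sample", SAMPLE_SHA256_CERT)):
            print(label, check_certificate(der))
```

The check looks only at the outer signatureAlgorithm, which is what the "CA signature digest algorithm too weak" error refers to; a CA whose own certificate is SHA-1-signed fails this test, so running the script over every certificate in the client's RHUI CA bundle before enabling FIPS shows the same rejection dnf would hit, without touching the repository.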
This has been fixed in RHUI 4.0, which is the current release.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days