Bug 2053956 - Installing Satellite 7.0 on FIPS enabled RHEL 8.5 fails on "katello-ssl-tool --gen-ca" step with error "ERROR: Certificate Authority private SSL key generation failed"
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.11.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: 6.11.0
Assignee: Eric Helms
QA Contact: Peter Ondrejka
Reported: 2022-02-13 15:45 UTC by Sayan Das
Modified: 2022-07-19 16:45 UTC (History)

Fixed In Version: foreman-installer-3.1.2.1
Last Closed: 2022-07-05 14:33:17 UTC


Attachments
installer log file [ just in case it is needed ] (5.23 MB, application/x-tar)
2022-02-13 16:05 UTC, Sayan Das


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:33:29 UTC

Description Sayan Das 2022-02-13 15:45:54 UTC
Description of problem:

Installing Satellite 7.0 on FIPS enabled RHEL 8.5 fails on "katello-ssl-tool --gen-ca" step with error "ERROR: Certificate Authority private SSL key generation failed"


Version-Release number of selected component (if applicable):

Satellite 7.0 (latest snap)

RHEL 8.5 + FIPS

How reproducible:

Always

Steps to Reproduce:
1. Install RHEL 8.5 with FIPS enabled
2. Set up repos for Satellite 7.0 installation on RHEL 8, enable necessary modules, and apply the workarounds before proceeding with package installation.

subscription-manager repo-override --repo=Sat6-CI_Satellite_Capsule_7_0_Composes_Satellite_Capsule_7_0_RHEL8 --add=module_hotfixes:1
dnf -y module enable ruby:2.7
dnf -y module enable pki-core

3. yum install satellite
4. Run "satellite-installer -S satellite"


Actual results:

2022-02-13 10:16:36 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-02-13 10:16:40 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-02-13 10:16:40 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2022-02-13 10:23:05 [NOTICE] [configure] Starting system configuration.
2022-02-13 10:29:09 [NOTICE] [configure] 250 configuration steps out of 1742 steps complete.
2022-02-13 10:31:12 [ERROR ] [configure] Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build -p file:/etc/pki/katello/private/katello-default-ca.pwd --force --ca-cert-dir /etc/pki/katello-certs-tools/certs --set-common-name satellite70.test.lan8 --ca-cert katello-default-ca.crt --ca-key katello-default-ca.key --ca-cert-rpm katello-default-ca --set-country US --set-state North Carolina --set-city Raleigh --set-org Katello --set-org-unit SomeOrgUnit --set-email  --cert-expiration 36500' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-13 10:31:12 [ERROR ] [configure] *********************************************************************************************************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] **********************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] e is 65537 (0x010001)
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating private CA key: /root/ssl-build/katello-default-ca.key
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/Ca[katello-default-ca]/ensure: change from 'absent' to 'present' failed: Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build -p file:/etc/pki/katello/private/katello-default-ca.pwd --force --ca-cert-dir /etc/pki/katello-certs-tools/certs --set-common-name satellite70.test.lan8 --ca-cert katello-default-ca.crt --ca-key katello-default-ca.key --ca-cert-rpm katello-default-ca --set-country US --set-state North Carolina --set-city Raleigh --set-org Katello --set-org-unit SomeOrgUnit --set-email  --cert-expiration 36500' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-13 10:31:12 [ERROR ] [configure] *********************************************************************************************************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] **********************************************************************************************************************++++
2022-02-13 10:31:12 [ERROR ] [configure] e is 65537 (0x010001)
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] 
2022-02-13 10:31:12 [ERROR ] [configure] Generating private CA key: /root/ssl-build/katello-default-ca.key
2022-02-13 10:31:12 [ERROR ] [configure] Could not set 'present' on ensure: No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt (file: /usr/share/foreman-installer/modules/certs/manifests/ca.pp, line: 61)
2022-02-13 10:31:12 [ERROR ] [configure] Could not set 'present' on ensure: No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt (file: /usr/share/foreman-installer/modules/certs/manifests/ca.pp, line: 61)
2022-02-13 10:31:12 [ERROR ] [configure] Wrapped exception:
2022-02-13 10:31:12 [ERROR ] [configure] No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/Ca[katello-server-ca]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: No such file or directory @ rb_sysopen - /root/ssl-build/katello-default-ca.crt (file: /usr/share/foreman-installer/modules/certs/manifests/ca.pp, line: 61)
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/File[/etc/pki/katello/certs/katello-default-ca.crt]: Could not evaluate: Could not retrieve information from environment production source(s) file:///root/ssl-build/katello-default-ca.crt
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/File[/etc/pki/katello/certs/katello-server-ca.crt]: Could not evaluate: Could not retrieve information from environment production source(s) file:///root/ssl-build/katello-server-ca.crt
2022-02-13 10:31:14 [ERROR ] [configure] Failed to generate new keystore with temporary entry: Execution of '/bin/keytool -genkey -storetype pkcs12 -keystore /etc/candlepin/certs/keystore -storepass:file /etc/pki/katello/keystore_password-file -alias temporary-entry -dname CN=temporary-entry' returned 1: keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
2022-02-13 10:31:14 [ERROR ] [configure] Failed to generate new truststore with temporary entry: Execution of '/bin/keytool -genkey -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -storepass:file /etc/pki/katello/truststore_password-file -alias temporary-entry -dname CN=temporary-entry' returned 1: keytool error: java.security.KeyStoreException: Key protection  algorithm not found: java.lang.NullPointerException
2022-02-13 10:35:03 [NOTICE] [configure] 500 configuration steps out of 2591 steps complete.
2022-02-13 10:35:04 [NOTICE] [configure] 750 configuration steps out of 2591 steps complete.
2022-02-13 10:35:05 [NOTICE] [configure] 1000 configuration steps out of 2591 steps complete.


Expected results:

Installation should be completed without errors on RHEL 8 (as I am assuming we will support FIPS-enabled setup on RHEL 8 as well).


Additional info:

NA
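
Added example, not part of the original report and not Satellite or foreman-installer code: a small triage script that scans installer output in the format shown above for OpenSSL 1.1.x error-queue entries whose reason is "disabled for FIPS" and attributes each one to the failed command. The function name `fips_rejections`, the shortened sample lines, and the heuristic of attributing an error to the nearest preceding "Execution of" line are assumptions made for illustration.

```python
import re

# Constructed sample: lines shortened from the installer output in the report.
SAMPLE = """\
2022-02-13 10:31:12 [ERROR ] [configure] Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:12 [ERROR ] [configure] /Stage[main]/Certs::Ca/Ca[katello-default-ca]/ensure: change from 'absent' to 'present' failed: Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build' returned 10: ERROR: Certificate Authority private SSL key generation failed:
2022-02-13 10:31:12 [ERROR ] [configure] 140170411415360:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
2022-02-13 10:31:14 [ERROR ] [configure] Execution of '/bin/keytool -genkey -storetype pkcs12' returned 1: keytool error: java.security.KeyStoreException
"""

# Installer log line as shown in the report: "<date> <time> [LEVEL ] [source] message"
LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\s*\] \[(\w+)\] ?(.*)$")
# OpenSSL 1.1.x error-queue entry: tid:error:code:library:function:reason:file:line:
OSSL_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")
# Puppet exec failure: Execution of '<command> <args>' returned <rc>
EXEC_RE = re.compile(r"Execution of '([^\s']+)[^']*' returned (\d+)")


def fips_rejections(log_text):
    """Return one finding per distinct (command, OpenSSL function) FIPS rejection."""
    findings, seen, last_exec = [], set(), None
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        timestamp, _level, _source, msg = line.groups()
        ran = EXEC_RE.search(msg)
        if ran:  # remember the most recent failed command (assumed culprit)
            last_exec = (ran.group(1), int(ran.group(2)))
        err = OSSL_RE.match(msg)
        if not (err and last_exec and "disabled for fips" in err.group(5).lower()):
            continue
        key = (last_exec[0], err.group(4))
        if key in seen:  # the same output is logged again per failed resource
            continue
        seen.add(key)
        findings.append({
            "timestamp": timestamp, "command": last_exec[0],
            "exit_code": last_exec[1], "error_code": err.group(2),
            "function": err.group(4), "source": f"{err.group(6)}:{err.group(7)}",
        })
    return findings


if __name__ == "__main__":
    for finding in fips_rejections(SAMPLE):
        print(finding)
```

The keytool failure in the sample is not reported because it carries no OpenSSL error-queue entry; it fails inside the JVM and needs separate triage.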

Comment 1 Sayan Das 2022-02-13 16:05:43 UTC
Created attachment 1860881 [details]
installer log file [  just in case it is needed ]

Comment 6 Peter Ondrejka 2022-04-14 10:21:46 UTC
Verified on Satellite 6.11 snap 16, installation on fips-enabled rhel8 completes successfully

Comment 9 errata-xmlrpc 2022-07-05 14:33:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

