Bug 2105941 - After 6.10 to 6.11 upgrade on FIPS setup, repository sync operations fail with an error "[digital envelope routines: EVP_DigestInit_ex] disabled for fips"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.11.0
Hardware: x86_64
OS: Linux
high
high with 5 votes
Target Milestone: 6.12.0
Assignee: satellite6-bugs
QA Contact: Cole Higgins
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-11 09:38 UTC by Ashish Humbe
Modified: 2022-11-16 13:34 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2110770 (view as bug list)
Environment:
Last Closed: 2022-11-16 13:34:16 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-12378 0 None None None 2022-08-22 20:54:41 UTC
Red Hat Knowledge Base (Solution) 6969118 0 None None None 2022-07-23 15:52:18 UTC
Red Hat Product Errata RHSA-2022:8506 0 None None None 2022-11-16 13:34:30 UTC

Description Ashish Humbe 2022-07-11 09:38:29 UTC
Description of problem:
After the Satellite 6.10 to 6.11 upgrade on a FIPS-enabled system, the customer is not able to sync repositories. The Repo Sync task fails with the error:

  error:
    traceback: !ruby/string:Sequel::SQL::Blob |2
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/tasking/pulpcore_worker.py", line 380, in _perform_task
          result = func(*args, **kwargs)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulp_rpm/app/tasks/synchronizing.py", line 464, in synchronize
          remote_url = fetch_remote_url(remote, url)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulp_rpm/app/tasks/synchronizing.py", line 285, in fetch_remote_url
          get_repomd_file(remote, normalized_remote_url)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulp_rpm/app/tasks/synchronizing.py", line 241, in get_repomd_file
          return downloader.fetch()
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/base.py", line 180, in fetch
          return done.pop().result()
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/http.py", line 271, in run
          return await download_wrapper()
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/backoff/_async.py", line 133, in retry
          ret = await target(*args, **kwargs)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/http.py", line 256, in download_wrapper
          return await self._run(extra_data=extra_data)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulp_rpm/app/downloaders.py", line 118, in _run
          to_return = await self._handle_response(response)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/http.py", line 209, in _handle_response
          await self.handle_data(chunk)
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/base.py", line 142, in handle_data
          self._ensure_writer_has_open_file()
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/base.py", line 127, in _ensure_writer_has_open_file
          self._digests = {n: pulp_hashlib.new(n) for n in Artifact.DIGEST_FIELDS}
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/download/base.py", line 127, in <dictcomp>
          self._digests = {n: pulp_hashlib.new(n) for n in Artifact.DIGEST_FIELDS}
        File "/opt/theforeman/tfm-pulpcore/root/usr/lib/python3.8/site-packages/pulpcore/app/pulp_hashlib.py", line 36, in new
          return the_real_hashlib.new(name, *args, **kwargs)
        File "/opt/rh/rh-python38/root/usr/lib64/python3.8/hashlib.py", line 169, in __hash_new
          return _hashlib.new(name, data, **kwargs)
    description: "[digital envelope routines: EVP_DigestInit_ex] disabled for fips"



Version-Release number of selected component (if applicable):
Satellite 6.11 + FIPS On RHEL 7.9


Steps to Reproduce:
1. Upgrade FIPS enabled Satellite 6.10 to 6.11
2. Try to sync repositories 
3.


Additional info:
Issue was fixed in Sat6.10 + FIPS as per the bz : https://bugzilla.redhat.com/show_bug.cgi?id=2012826
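
An added illustration, not code from Pulp or from this report: the traceback shows every digest object being created in one dict comprehension, so a single algorithm that the crypto backend refuses aborts the whole download. The sketch below probes each algorithm separately and reports which ones the local backend rejects; `DIGEST_NAMES` and all function names are assumptions made for the example.

```python
import hashlib

# Constructed list for illustration; not Pulp's actual Artifact.DIGEST_FIELDS.
DIGEST_NAMES = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]


def build_digests_strict(names):
    """Same shape as the failing line in the traceback: one rejected
    algorithm raises and no digest objects are returned at all."""
    return {n: hashlib.new(n) for n in names}


def probe_digests(names):
    """Try each algorithm on its own.

    Returns (usable, rejected): usable maps name -> hash object,
    rejected maps name -> the backend's error text.
    """
    usable, rejected = {}, {}
    for name in names:
        try:
            usable[name] = hashlib.new(name)
        except ValueError as exc:
            # hashlib raises ValueError for unknown names and for
            # algorithms the OpenSSL backend refuses to initialise.
            rejected[name] = str(exc)
    return usable, rejected


def digest_all(data, names):
    """Hash data with every usable algorithm; report the rest."""
    usable, rejected = probe_digests(names)
    for h in usable.values():
        h.update(data)
    return {n: h.hexdigest() for n, h in usable.items()}, rejected


if __name__ == "__main__":
    # Constructed sample input standing in for downloaded repository metadata.
    sums, rejected = digest_all(b"repomd.xml contents (constructed)", DIGEST_NAMES)
    for name, value in sums.items():
        print(f"{name:8} ok       {value[:16]}...")
    for name, err in rejected.items():
        print(f"{name:8} REJECTED {err}")
```

Run on the affected host with the same Python interpreter the service uses, the REJECTED lines show which digests the FIPS policy disables there.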

Comment 2 Benjamin Watts 2022-07-15 13:37:45 UTC
I have also experienced this bug when the server is running RHEL8 with FIPS enabled.

Comment 11 Sean Halpin 2022-08-01 14:25:14 UTC
My submitted Bug (ID 2110578) was closed as a duplicate of this, but just wanted to add to this one that it's not only related to upgrade installations from Red Hat Satellite 6.10.z to Red Hat Satellite 6.11.0. Clean installs experience this issue as well. Also applies to RHEL 8 hosts (this ticket explicitly mentions RHEL 7.9). Likely same fix as Bug ID 2012826.

Comment 12 Odilon Sousa 2022-08-03 12:21:48 UTC
(In reply to Sean Halpin from comment #11)
> My submitted Bug (ID 2110578) was closed as a duplicate of this, but just
> wanted to add to this one that it's not only related to upgrade
> installations from Red Hat Satellite 6.10.z to Red Hat Satellite 6.11.0.
> Clean installs experience this issue as well. Also applies to RHEL 8 hosts
> (this ticket explicitly mentions RHEL 7.9). Likely same fix as Bug ID
> 2012826.

Hi Sean, this was BZ https://bugzilla.redhat.com/show_bug.cgi?id=2110770 that tracked the same subject for 6.11, it was closed yesterday after https://access.redhat.com/errata/RHBA-2022:5868 release. This Errata provides the fix for both RHEL7 and RHEL8 installations, and also for clean installs.

Regards,
Odilon Sousa

Comment 18 errata-xmlrpc 2022-11-16 13:34:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506

