Bug 2109587 - Octavia TLS tests fail when FIPS is enabled
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-octavia-tests-tempest
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: 17.0
Assignee: Gregory Thiemonge
QA Contact: Bruna Bonguardo
Reported: 2022-07-21 14:34 UTC by Gregory Thiemonge
Modified: 2022-09-21 12:24 UTC (History)

Fixed In Version: python-octavia-tests-tempest-1.9.0-0.20220724220742.a3a95b1.el9ost
Last Closed: 2022-09-21 12:24:19 UTC

Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 840152 0 None MERGED Remove deprecated OpenSSL methods 2022-07-22 06:47:16 UTC
OpenStack gerrit 849356 0 None MERGED Fix TLS*_METHOD for old pyopenssl releases 2022-07-22 08:32:55 UTC
OpenStack gerrit 850629 0 None MERGED Fix generate_pkcs12_bundle for FIPS 2022-07-22 12:46:50 UTC
Red Hat Issue Tracker OSP-17782 0 None None None 2022-07-21 14:50:44 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:24:40 UTC

Description Gregory Thiemonge 2022-07-21 14:34:09 UTC
Description of problem:

When FIPS is enabled, the Octavia TLS tests fail with a "The PKCS12 bundle is unreadable" exception.

2022-07-19 23:04:35,003 307618 INFO     [tempest.lib.common.rest_client] Request (TLSWithBarbicanTest:test_alpn_fallback_tls_traffic): 400 POST https://10.0.0.142:13876/v2.0/lbaas/listeners 4.394s
2022-07-19 23:04:35,004 307618 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"listener": {"protocol": "TERMINATED_HTTPS", "protocol_port": "443", "loadbalancer_id": "27b2c96f-e454-44ef-8d88-39bfed884246", "name": "tempest-lb_member_listener1-tls-alpn-1345456376", "default_pool_id": "e4a4af46-8b21-4130-9d00-cff6e0925e34", "default_tls_container_ref": "https://10.0.0.142:13311/v1/secrets/a3cb9bbf-47a3-4fdd-9d00-9b6df7a26624", "alpn_protocols": ["http/1.0", "http/1.1"]}}
    Response - Headers: {'date': 'Tue, 19 Jul 2022 23:04:30 GMT', 'server': 'Apache', 'content-length': '250', 'x-openstack-request-id': 'req-3280923b-c93d-4aec-bcd8-2d575e572c63', 'content-type': 'application/json', 'connection': 'close', 'status': '400', 'content-location': 'https://10.0.0.142:13876/v2.0/lbaas/listeners'}
        Body: b'{"faultcode": "Client", "faultstring": "The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [(\'digital envelope routines\', \'\', \'unsupported\')]", "debuginfo": null}'

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py", line 1113, in test_alpn_fallback_tls_traffic
    self._test_alpn_tls_traffic(s_protos, c_protos, expected)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py", line 1152, in _test_alpn_tls_traffic
    listener = self.mem_listener_client.create_listener(**listener_kwargs)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/common/decorators.py", line 42, in wrapper
    return f(*func_args, **func_kwargs)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/services/load_balancer/v2/listener_client.py", line 127, in create_listener
    return self._create_object(**kwargs)
  File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/services/load_balancer/v2/base_client.py", line 101, in _create_object
    response, body = self.post(request_uri, jsonutils.dumps(obj_dict))
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 299, in post
    return self.request('POST', url, extra_headers, headers, body, chunked)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 720, in request
    self._error_checker(resp, resp_body)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 831, in _error_checker
    raise exceptions.BadRequest(resp_body, resp=resp)
tempest.lib.exceptions.BadRequest: Bad request
Details: {'faultcode': 'Client', 'faultstring': "The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('digital envelope routines', '', 'unsupported')]", 'debuginfo': None}


Version-Release number of selected component (if applicable):
17.0

How reproducible:
100%

Steps to Reproduce:
1. deploy OSP17 with FIPS
2. run the TLS tests from octavia-tempest-plugin (TLSWithBarbicanTest)
3.

Comment 11 errata-xmlrpc 2022-09-21 12:24:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

