Bug 2109606
| Summary: | Not able to enable repositories when FIPS is enabled. | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Charles <chrandal> |
| Component: | Repositories | Assignee: | Eric Helms <ehelms> |
| Status: | CLOSED ERRATA | QA Contact: | Cole Higgins <chiggins> |
| Severity: | high | Priority: | high |
| Version: | 6.11.0 | CC: | chrandal, ehelms, osousa, saydas, zhunting |
| Target Milestone: | 6.12.0 | Keywords: | Triaged |
| Target Release: | Unused | Hardware: | x86_64 |
| OS: | Linux | Type: | Bug |
| Fixed In Version: | tfm-rubygem-katello-4.5.0.2-1 | Doc Type: | If docs needed, set a value |
| : | 2110572 | Last Closed: | 2022-11-16 13:34:44 UTC |
The cause of the breakage is the redhat-uep.pem that is shipped by Satellite is older (from a RHEL 7 system) that had only sha1 based signatures in the certificates. The solution is for Satellite to ship a redhat-uep.pem from a RHEL 8 machine.

In the meantime, the workaround is as follows, on a FIPS enabled RHEL 8 Satellite:

    cp /etc/rhsm/ca/redhat-uep.pem /usr/share/gems/gems/ca/redhat-uep.pem

NOTE: This will get overwritten and need to be re-done *any* time the rubygem-katello package is updated until we ship an official update.

(In reply to Eric Helms from comment #2)
> The cause of the breakage is the redhat-uep.pem that is shipped by Satellite
> is older (from a RHEL 7 system) that had only sha1 based signatures in the
> certificates. The solution is for Satellite to ship a redhat-uep.pem from a
> RHEL 8 machine.
>
> In the meantime, the workaround is as follows, on a FIPS enabled RHEL 8
> Satellite:
>
> cp /etc/rhsm/ca/redhat-uep.pem /usr/share/gems/gems/ca/redhat-uep.pem
>
> NOTE: This will get overwritten and need to be re-done *any* time the
> rubygem-katello package is updated until we ship an official update.

Apologies, I goofed the path slightly:

    cp /etc/rhsm/ca/redhat-uep.pem /usr/share/gems/gems/katello-*/ca/redhat-uep.pem

Created redmine issue https://projects.theforeman.org/issues/35262 from this bug

Upstream bug assigned to ehelms

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35262 has been resolved.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506
Created attachment 1898519
Error message

Description of problem:
Not able to enable repositories when FIPS is enabled.

Version-Release number of selected component (if applicable):
RHEL 8.6 FIPS enabled, Satellite 6.11.0, IPA version 4.9.8 on RHEL 9 FIPS enabled

How reproducible:

Steps to Reproduce:
1. Install RHEL 8.6 on new VM
2. Enable FIPS mode and reboot
3. Bind OS to IDM
4. Create HTTP service in IDM for Satellite
5. Issue certificate for Satellite from IDM
6. Install Satellite with custom certificates from IDM and enable foreman-ipa-authentication true
7. Download and install manifest
8. Attempt to enable repositories

Actual results:
ERROR: SSL_connect returned=1 errno=0 state=error: certificate verify failed (CA signature digest algorithm too weak)

Expected results:
Repositories enabled without issue.

Additional info:
When FIPS is turned off, repositories are able to be enabled and synced.
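
The comments above attribute the failure to SHA-1 signatures in the redhat-uep.pem shipped with Katello. As an added example (not part of the bug report or of Katello's code), the following Python script lists which certificates in a PEM bundle carry a SHA-1 or MD5 signature algorithm, so a bundle can be checked before and after the workaround. Covering MD5 and the DSA/ECDSA SHA-1 OIDs goes beyond the case in the report; the function names and the skeleton sample bundle are constructed for illustration.

```python
import base64
import re
import sys
from pathlib import Path

# DER-encoded signature-algorithm OIDs (hex) whose digest is MD5 or SHA-1.
WEAK_SIG_OIDS = {
    "2a864886f70d010104": "md5WithRSAEncryption",   # 1.2.840.113549.1.1.4
    "2a864886f70d010105": "sha1WithRSAEncryption",  # 1.2.840.113549.1.1.5
    "2a8648ce380403": "dsa-with-sha1",              # 1.2.840.10040.4.3
    "2a8648ce3d0401": "ecdsa-with-SHA1",            # 1.2.840.10045.4.1
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read the DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def weak_certs(pem_text):
    """Return [(index, algorithm)] for bundle certificates signed with a weak digest."""
    found = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        cert_start, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE {
        _, tbs_end = read_tlv(der, cert_start)       #   tbsCertificate,
        alg_start, _ = read_tlv(der, tbs_end)        #   signatureAlgorithm SEQUENCE {
        oid_start, oid_end = read_tlv(der, alg_start)  #   algorithm OBJECT IDENTIFIER
        name = WEAK_SIG_OIDS.get(der[oid_start:oid_end].hex())
        if name:
            found.append((i, name))
    return found

def skeleton_pem(oid_hex):
    """Constructed sample: bare Certificate shell (empty TBS, 9-byte OID, dummy signature)."""
    der = bytes.fromhex("30143000300d0609" + oid_hex + "0500030100")
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed bundle: entry 0 uses sha1WithRSAEncryption, entry 1 sha256WithRSAEncryption.
SAMPLE_BUNDLE = skeleton_pem("2a864886f70d010105") + skeleton_pem("2a864886f70d01010b")

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for index, alg in weak_certs(text):
        print(f"certificate #{index}: {alg}")
```

Run with a bundle path as the only argument to inspect a real file; with no argument it reports on the constructed sample.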