Bug 2168931 - RHEL9 clients with FIPS mode, failed to upload compliance report to Satellite and fails with exception(Unable to load certs)
Status: NEW
Product: Red Hat Satellite
Classification: Red Hat
Component: SCAP Plugin
Version: 6.12.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Jameer Pathan
Depends On: 2170105
Reported: 2023-02-10 15:52 UTC by Satyajit Das
Modified: 2023-08-05 00:23 UTC (History)

Links:
- Red Hat Issue Tracker SAT-19389 (last updated 2023-08-04 12:34:03 UTC)
- Red Hat Knowledge Base (Solution) 7008468 (last updated 2023-04-26 16:15:27 UTC)

Description Satyajit Das 2023-02-10 15:52:09 UTC
Description of problem:

RHEL9 clients in FIPS mode fail to upload compliance reports to Satellite; the upload fails with the exception "Unable to load certs".

Version-Release number of selected component (if applicable):

6.12.z

How reproducible:

100%


Steps to Reproduce:

1. RHEL9 clients with FIPS mode
2. A compliance policy is configured and pushed to the client host. The policy is updated on the client; however, the compliance scan fails with the error below:

Actual results:

# /usr/bin/foreman_scap_client ds 2
DEBUG: running: oscap xccdf eval  --profile xccdf_org.ssgproject.content_profile_cis  --results-arf /tmp/d20230207-13679-39jgxn/results.xml /var/lib/openscap/content/5d420b764d7c13ef8ddb6e8f0c76094fa9df9848881be58a9361ddfb8e988824.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20230207-13679-39jgxn/results.xml
Uploading results to https://satellite.example.com:9090/compliance/arf/2


Unable to load certs  =========================================> Error.
Neither PUB key nor PRIV key

Expected results:

The compliance report should be uploaded without any issues.


Additional info:

~~~~~~~~~~
=> RHEL8 clients with FIPS mode are working as expected.
=> Key is also 4096-bit:
# openssl x509 -noout -text -in /etc/rhsm/ca/katello-server-ca.pem | grep Public-Key
                Public-Key: (4096 bit)
# openssl x509 -noout -text -in /etc/pki/consumer/cert.pem | grep Public-Key
                Public-Key: (4096 bit)
# openssl x509 -noout -text -in /etc/pki/katello/certs/katello-default-ca.crt | grep Public-Key
~~~~~~~~~~~~

Comment 1 Eric Helms 2023-02-10 16:11:58 UTC
My initial investigation points to this being a problem with Ruby support for OpenSSL 3. On RHEL 9, OpenSSL 3 is available and Ruby does not have full support for it. The support it does have appears to be good enough for RHEL 9 in non-FIPS mode but once the additional restrictions of FIPS are in place the support breaks. This means there is presently no work-around available.

We will either need to wait for the fix in Ruby and for it to propagate through the RHEL release cycle, or consider a re-write of foreman_scap_client in a different language (e.g. Python).

https://github.com/ruby/openssl/issues/369
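As an added diagnostic (not foreman_scap_client's own code and not attached to this bug), the Ruby script below repeats the certificate and private-key loading step the client performs and records the OpenSSL library version and FIPS state next to the outcome, so an administrator can tell the Ruby/OpenSSL 3 FIPS failure described in comment 1 apart from a bad certificate file or a cert/key mismatch. The self-signed pair is constructed inside the script; the consumer cert and key paths named in the comments are an assumption.

```ruby
require 'openssl'

# Mirror the client-side step that fails in this bug: load the consumer
# certificate and key through Ruby's OpenSSL bindings and report library
# version and FIPS state next to the outcome. Added diagnostic, not
# foreman_scap_client's own code.
def check_client_identity(cert_pem, key_pem)
  result = { library: OpenSSL::OPENSSL_LIBRARY_VERSION, fips: OpenSSL.fips_mode,
             cert_ok: false, key_ok: false, matches: false, error: nil }
  begin
    cert = OpenSSL::X509::Certificate.new(cert_pem)
    result[:cert_ok] = true
  rescue OpenSSL::X509::CertificateError => e
    result[:error] = "certificate: #{e.message}"
    return result
  end
  begin
    # The key parse is where "Neither PUB key nor PRIV key" surfaces when the
    # bindings cannot use OpenSSL 3's FIPS-restricted loaders.
    key = OpenSSL::PKey.read(key_pem)
    result[:key_ok] = true
  rescue OpenSSL::PKey::PKeyError, ArgumentError => e
    result[:error] = "private key: #{e.message}"
    return result
  end
  result[:matches] = cert.check_private_key(key) # mismatch is a different fault
  result
end

# Constructed self-signed pair so the check runs without a registered client;
# on a real host pass File.read of the consumer cert and key instead
# (assumed paths: /etc/pki/consumer/cert.pem and /etc/pki/consumer/key.pem).
def generate_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=constructed-client')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $0
  cert_pem, key_pem = generate_pair
  puts check_client_identity(cert_pem, key_pem).inspect
end
```

On an affected RHEL 9 FIPS host the expected signature of this bug is fips true, cert_ok true and a "private key:" error, whereas a "certificate:" error or matches false points at the files rather than at the bindings.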

Comment 2 Brad Buckingham 2023-02-13 14:20:17 UTC
Is there a RHEL bugzilla open to track the issue that Eric has found in comment 1?
If not, can one be created?

Thanks!
