601623 – rhn-client-tools not working in fips mode -OpenSSL.SSL.Error, 'certificate verify failed'

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 601623 - rhn-client-tools not working in fips mode -OpenSSL.SSL.Error, 'certificate verify failed'

Summary: rhn-client-tools not working in fips mode -OpenSSL.SSL.Error, 'certificate ve...

Keywords:
Status:	CLOSED DUPLICATE of bug 593811
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	rhn-client-tools
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Milan Zázrivec
QA Contact:	Red Hat Satellite QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	559491 559492 582655
TreeView+	depends on / blocked

Reported:	2010-06-08 10:49 UTC by Jiri Kastner
Modified:	2010-06-08 13:04 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-06-08 13:04:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
up2date log (9.36 KB, text/plain) 2010-06-08 10:49 UTC, Jiri Kastner	no flags	Details
View All

Description Jiri Kastner 2010-06-08 10:49:41 UTC

Created attachment 422137 [details]
up2date log

Description of problem:
all rhn-client-tools fails with same error

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. disable prelinking in /etc/sysconfig/prelink, run 'prelink -u -a', append to kernel fips=1 to bootloader config file and reboot
2. run any command from rhn-setup{,-gnome} and yum with enabled rhnplugin
3. fails
  
Actual results:
fails with 
<class 'OpenSSL.SSL.Error'>: [('digital envelope routines', 'EVP_DigestInit_ex', 'unknown cipher'), ('asn1 encoding routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Expected results:
works as expected

Additional info:
################################ RHN_REGISTER ###############################################
sudo rhn_register --nox
[sudo] password for jkastner: 
There was an SSL error: [('digital envelope routines', 'EVP_DigestInit_ex', 'unknown cipher'), ('asn1 encoding routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
A common cause of this error is the system time being incorrect. Verify that the time on this system is correct.

################################ RHN-CHANNEL ##############################################
sudo rhn-channel -l
Traceback (most recent call last):
  File "/usr/sbin/rhn-channel", line 95, in <module>
    main()
  File "/usr/sbin/rhn-channel", line 85, in main
    channels = map(lambda x: x['label'], getChannels().channels())
  File "/usr/share/rhn/up2date_client/rhnChannel.py", line 99, in getChannels
    up2dateChannels = s.up2date.listChannels(up2dateAuth.getSystemId())
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 50, in __call__
    return rpcServer.doCall(method, *args, **kwargs)
  File "/usr/share/rhn/up2date_client/rpcServer.py", line 204, in doCall
    ret = method(*args, **kwargs)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/share/rhn/up2date_client/rpcServer.py", line 39, in _request1
    ret = self._request(methodname, params)
  File "/usr/lib/python2.6/site-packages/rhn/rpclib.py", line 357, in _request
    self._handler, request, verbose=self._verbose)
  File "/usr/lib/python2.6/site-packages/rhn/transports.py", line 171, in request
    headers, fd = req.send_http(host, handler)
  File "/usr/lib/python2.6/site-packages/rhn/transports.py", line 704, in send_http
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 874, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 911, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 868, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 740, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 719, in send
    self.sock.sendall(str)
  File "/usr/lib/python2.6/site-packages/rhn/SSL.py", line 217, in write
    sent = self._connection.send(data)
OpenSSL.SSL.Error: [('digital envelope routines', 'EVP_DigestInit_ex', 'unknown cipher'), ('asn1 encoding routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

################################## RHNREG_KS #########################################
sudo rhnreg_ks --force --username=rhn-engineering-qe-automation --password=redhatqa --profilename=fips-test-rhel6-jkastner
There was an SSL error: [('digital envelope routines', 'EVP_DigestInit_ex', 'unknown cipher'), ('asn1 encoding routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
A common cause of this error is the system time being incorrect. Verify that the time on this system is correct.

########################### YUM + RHNPLUGIN ###################################
sudo yum check-update
Loaded plugins: rhnplugin
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in <module>
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 254, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 88, in main
    base.getOptionsConfig(args)
  File "/usr/share/yum-cli/cli.py", line 192, in getOptionsConfig
    self.conf
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 778, in <lambda>
    conf = property(fget=lambda self: self._getConfig(),
  File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 311, in _getConfig
    self.plugins.run('init')
  File "/usr/lib/python2.6/site-packages/yum/plugins.py", line 177, in run
    func(conduitcls(self, self.base, conf, **kwargs))
  File "/usr/share/yum-plugins/rhnplugin.py", line 117, in init_hook
    login_info = up2dateAuth.getLoginInfo()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 219, in getLoginInfo
    login()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 186, in login
    li = server.up2date.login(systemId)
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 50, in __call__
    return rpcServer.doCall(method, *args, **kwargs)
  File "/usr/share/rhn/up2date_client/rpcServer.py", line 204, in doCall
    ret = method(*args, **kwargs)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/share/rhn/up2date_client/rpcServer.py", line 39, in _request1
    ret = self._request(methodname, params)
  File "/usr/lib/python2.6/site-packages/rhn/rpclib.py", line 357, in _request
    self._handler, request, verbose=self._verbose)
  File "/usr/lib/python2.6/site-packages/rhn/transports.py", line 171, in request
    headers, fd = req.send_http(host, handler)
  File "/usr/lib/python2.6/site-packages/rhn/transports.py", line 704, in send_http
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 874, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 911, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 868, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 740, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 719, in send
    self.sock.sendall(str)
  File "/usr/lib/python2.6/site-packages/rhn/SSL.py", line 217, in write
    sent = self._connection.send(data)
OpenSSL.SSL.Error: [('digital envelope routines', 'EVP_DigestInit_ex', 'unknown cipher'), ('asn1 encoding routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Comment 1 Jiri Kastner 2010-06-08 11:19:33 UTC

against rhn.errata.stage

Comment 2 Milan Zázrivec 2010-06-08 13:04:46 UTC


*** This bug has been marked as a duplicate of bug 593811 ***

Note You need to log in before you can comment on or make changes to this bug.