Description of problem:
Unable to create certificate request for puppet with RHEL5 client that has FIPS enabled.

Version-Release number of selected component (if applicable):
RHEL 5.11

How reproducible:
100%

Steps to Reproduce:
1. Make RHEL5 FIPS compliant per => https://access.redhat.com/articles/38655
2. Register RHEL5 client to Foreman and install puppet
3. Add digest_algorithm = sha256 for puppet.conf for client and satellite
4. /usr/bin/puppet agent --test

Actual results:
info: Creating a new SSL certificate request for host-rhel5-puppet-interval.sysmgmt.lan
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted

Expected results:
For the certificate request to work

Additional info:

1. cat /etc/redhat-release
   ~_{~
   Red Hat Enterprise Linux Server release 5.11 (Tikanga)}
   ~~

1. grep fips /etc/pki/tls/openssl.cnf
   ~~~
2. Algorithm configuration options. Currently just fips_mode
   fips_mode = yes
   ~~~

1. cat /proc/sys/crypto/fips_enabled
   ~_{~
   1}
   ~~

SSL certs generated are correct sha256 algorithm:

1. openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem | grep -i sha256
   ~_{~
   Signature Algorithm: sha256WithRSAEncryption
   Signature Algorithm: sha256WithRSAEncryption}
   ~~

1. /usr/bin/puppet agent --test --noop --tags no_such_tag --waitforcert 10 --digest=sha256
   ~_{~
   info: Creating a new SSL certificate request for host-rhel5-puppet-interval.sysmgmt.lan
   digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
   Aborted}
   ~~

+++++++++++++++++++++++++++++++++++++++++

Following errata should have sha256 included for RHEL5 https://access.redhat.com/errata/RHBA-2014:1280
https://bugzilla.redhat.com/show_bug.cgi?id=1136542

Seems also according to the code it should allow sha256:

1. vim +71 /usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_request.rb

~_{~
...
csr.sign(key, OpenSSL::Digest::SHA256.new)
...}
~~