Project

General

Profile

Bug #25447

Unable to create puppet certificate request from RHEL5 with fips enabled

Added by Ondřej Pražák over 3 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
PuppetCA
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Description of problem:
Unable to create certificate request for puppet with RHEL5 client that has FIPS enabled.

Version-Release number of selected component (if applicable):
RHEL 5.11

How reproducible:
100%

Steps to Reproduce:
1. Make RHEL5 FIPS compliant per => https://access.redhat.com/articles/38655
2. Register RHEL5 client to Foreman and install puppet
3. Add digest_algorithm = sha256 for puppet.conf for client and satellite
4. /usr/bin/puppet agent --test

Actual results:
info: Creating a new SSL certificate request for host-rhel5-puppet-interval.sysmgmt.lan
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
Aborted

Expected results:
For the certificate request to work

Additional info:

  1. cat /etc/redhat-release
    ~~
    Red Hat Enterprise Linux Server release 5.11 (Tikanga)
    ~
    ~
  1. grep fips /etc/pki/tls/openssl.cnf
    ~~~
  2. Algorithm configuration options. Currently just fips_mode
    fips_mode = yes
    ~~~
  1. cat /proc/sys/crypto/fips_enabled
    ~~
    1
    ~
    ~

SSL certs generated are correct sha256 algorithm:

  1. openssl x509 -text -in /var/lib/puppet/ssl/certs/ca.pem | grep -i sha256
    ~~
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
    ~
    ~
  1. /usr/bin/puppet agent --test --noop --tags no_such_tag --waitforcert 10 --digest=sha256
    ~~
    info: Creating a new SSL certificate request for host-rhel5-puppet-interval.sysmgmt.lan
    digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
    Aborted
    ~
    ~

+++++++++++++++++++++++++++++++++++++++++

Following errata should have sha256 included for RHEL5 https://access.redhat.com/errata/RHBA-2014:1280
https://bugzilla.redhat.com/show_bug.cgi?id=1136542

Seems also according to the code it should allow sha256:

  1. vim +71 /usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_request.rb

~~
...
csr.sign(key, OpenSSL::Digest::SHA256.new)
...
~
~


Related issues

Blocks Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS modeResolved

History

#1 Updated by Ondřej Pražák over 3 years ago

  • Blocks Feature #3511: As a security person, I would like Foreman to run in FIPS mode added

#2 Updated by Lukas Zapletal over 3 years ago

  • Triaged changed from No to Yes
  • Subject changed from Unable to create puppet certificate request from RHEL5 with fips enabled to Unable to create puppet certificate request from RHEL5 with fips enabled

Also available in: Atom PDF