Bug #26088
closed
httpd fails to start after installing capsule in FIPS mode
Added by Ivan Necas almost 6 years ago.
Updated over 5 years ago.
Description
Steps to Reproduce:
1. install katello server in fips mode
2. try to install capsule in fips mode
Actual results:
the installer on capsule fails, the httpd fails with
> /var/log/httpd/katello-reverse-proxy_error_ssl.log <
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
Expected results:
capsule installed as expected
Additional info:
Combining "Note: Apache httpd mod_ssl [SSLProxyMachineCertificateFile] does not support PKCS#8 key format." from https://access.redhat.com/solutions/3214421 and "You can't [use BEGIN RSA PRIVATE KEY] because the format isn't allowed in FIPS mode because it uses MD5 for key derivation." from http://openssl.6102.n7.nabble.com/Not-getting-quot-RSA-quot-keyword-for-a-key-in-fips-mode-td58588.html, it gives us the only option of not using SSLProxyMachineCertificateFile for the capsule.
I was not able to find any reason why to set the SSLProxyMachineCertificateFile for defining
the rhsm proxy (my tests showed that the proxying the client requests with consumer ceriticates
worked just find), but if anyone can think of one reason, please speak up.
- Subject changed from httpd fails to start after installing capsule in FIPS mode
to httpd fails to start after installing capsule in FIPS mode
- Category changed from Foreman Proxy Content to Installer
- Status changed from New to Assigned
- Assignee changed from Lukas Zapletal to Ivan Necas
- Project changed from Katello to Installer
- Category changed from Installer to Foreman modules
- Is duplicate of Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start added
- Status changed from Assigned to Duplicate
- Status changed from Duplicate to Closed
- Target version set to 1.22.0
- Fixed in Releases 1.20.3, 1.21.1, 1.22.0 added
This was the one that was actually merged.
- Pull request https://github.com/theforeman/puppet-certs/pull/242 added
- Related to Feature #3511: As a security person, I would like Foreman to run in FIPS mode added
- Is duplicate of deleted (Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start)
- Has duplicate Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start added
- Pull request https://github.com/theforeman/puppet-certs/pull/243 added
- Pull request deleted (
https://github.com/theforeman/puppet-certs/pull/242)
- Fixed in Releases deleted (
1.20.3)
This was released as puppet-certs 4.4.3 but Katello 3.10 includes 4.4.2. There likely won't be a Katello 3.10.2 to include this.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by