- Bug
- Resolution: Unresolved
- Normal
- rhel-10.0.beta
- python-cryptography-43.0.0-3.el10
- None
- Important
- 3
- rhel-sst-idm-ipa
- ssg_idm
- 12
- 14
- 2
- False
- No
- Red Hat Enterprise Linux
- 2024-Q4-Bravo-S2, 2024-Q4-Bravo-S3, 2024-Q4-Bravo-S4
- Pass
- Automated
- Unspecified Release Note Type - Unknown
- None
What were you trying to do that didn't work?
Installation of a replica in FIPS mode is failing in RHEL10.
Please provide the package NVR for which bug is seen:
ipa-server-4.12.0-1.el10.x86_64
How reproducible:
Always
Steps to reproduce
- Install an IPA server in FIPS mode: fips-mode-setup --enable; reboot; ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
- Install an IPA replica in FIPS mode: fips-mode-setup --enable; reboot; ipa-replica-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U
Expected results
Replica installation should succeed
Actual results
The replica installation fails trying to get the private keys through custodia:
# ipa-replica-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U
Configuring client side components
This program will set up IPA client.
Version 4.12.0
[...]
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
  [error] UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
This combination of padding and hash algorithm is not supported by this backend.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
The /var/log/ipareplica-install.log file contains the following messages:
2024-06-06T08:05:12Z DEBUG   [2/2]: Importing RA key
2024-06-06T08:05:12Z DEBUG Waiting up to 300 seconds to see our keys appear on host ldap://server.ipa.test
2024-06-06T08:05:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 800, in __import_ra_key
    import_ra_key(self._custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 2446, in import_ra_key
    custodia.import_ra_key()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/custodiainstance.py", line 198, in import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python3.12/site-packages/ipaserver/secrets/client.py", line 111, in fetch_key
    request = self.kemcli.make_request(keyname, encalg=encalg)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 214, in make_request
    return make_enc_kem(name, value,
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 240, in make_enc_kem
    jwe.add_recipient(enc_key)
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwe.py", line 237, in add_recipient
    wrapped = alg.wrap(key, enc.wrap_key_size, self.cek, jh)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwa.py", line 362, in wrap
    ek = rk.encrypt(cek, self.padfn)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 85, in _enc_dec_rsa
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.

2024-06-06T08:05:12Z DEBUG   [error] UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
2024-06-06T08:05:12Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-06-06T08:05:12Z DEBUG   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
           ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
           ^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/__init__.py", line 641, in main
    replica_install(self)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/replicainstall.py", line 387, in decorated
    func(installer)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/replicainstall.py", line 1444, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", line 532, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", line 607, in install_step_0
    ca.configure_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 515, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 800, in __import_ra_key
    import_ra_key(self._custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 2446, in import_ra_key
    custodia.import_ra_key()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/custodiainstance.py", line 198, in import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python3.12/site-packages/ipaserver/secrets/client.py", line 111, in fetch_key
    request = self.kemcli.make_request(keyname, encalg=encalg)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 214, in make_request
    return make_enc_kem(name, value,
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 240, in make_enc_kem
    jwe.add_recipient(enc_key)
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwe.py", line 237, in add_recipient
    wrapped = alg.wrap(key, enc.wrap_key_size, self.cek, jh)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwa.py", line 362, in wrap
    ek = rk.encrypt(cek, self.padfn)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 85, in _enc_dec_rsa
    raise UnsupportedAlgorithm(
2024-06-06T08:05:12Z DEBUG The ipa-replica-install command failed, exception: UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
2024-06-06T08:05:12Z ERROR This combination of padding and hash algorithm is not supported by this backend.
2024-06-06T08:05:12Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
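The traceback bottoms out in python-cryptography's RSA backend refusing the OAEP padding/hash pair that jwcrypto builds for the custodia KEM (rk.encrypt(cek, self.padfn)), and the log does not say which pair that is. The following diagnostic is an added example, not code from IPA, jwcrypto or python-cryptography: it calls the same public API the traceback goes through (RSAPublicKey.encrypt with padding.OAEP) for several digest choices, so an administrator can see on a given host, before running ipa-replica-install, which combinations the installed backend rejects with UnsupportedAlgorithm under the active crypto policy. The function names, the candidate digest list and the 32-byte stand-in content-encryption key are assumptions made here, not values from the page.

```python
"""Preflight probe: which RSA-OAEP padding/hash combinations does the local
python-cryptography backend accept?  Added diagnostic example, not IPA code."""
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Digests to try.  The bug report does not name the pair IPA used; this list
# is an assumption covering the usual OAEP choices (SHA-1 being the one a
# FIPS policy is most likely to refuse).
CANDIDATE_HASHES = {
    "SHA1": hashes.SHA1,
    "SHA256": hashes.SHA256,
    "SHA384": hashes.SHA384,
    "SHA512": hashes.SHA512,
}


def oaep_padding(hash_cls):
    """OAEP with the same digest for both MGF1 and the OAEP hash."""
    return padding.OAEP(mgf=padding.MGF1(algorithm=hash_cls()),
                        algorithm=hash_cls(), label=None)


def probe_oaep(hash_cls, key=None):
    """Return (supported, reason) for RSA-OAEP with the given digest class.

    Generates a 2048-bit key if none is supplied.  The 32-byte plaintext is a
    constructed stand-in for the content-encryption key that the JWE layer in
    the traceback wraps with alg.wrap(); it is not a real key.
    """
    if key is None:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cek = b"\x00" * 32  # constructed stand-in for a CEK
    pad = oaep_padding(hash_cls)
    try:
        wrapped = key.public_key().encrypt(cek, pad)   # same call path as jwa.py wrap()
        unwrapped = key.decrypt(wrapped, pad)
    except (UnsupportedAlgorithm, ValueError) as exc:
        # UnsupportedAlgorithm is what the log shows; ValueError is caught too
        # so a policy that rejects the digest differently still yields a result.
        return False, "%s: %s" % (type(exc).__name__, exc)
    if unwrapped != cek:
        return False, "round-trip mismatch"
    return True, "ok"


def probe_all(key=None):
    """Map each candidate digest name to its (supported, reason) result,
    reusing one key so the probe stays fast."""
    if key is None:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return {name: probe_oaep(cls, key) for name, cls in CANDIDATE_HASHES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in probe_all().items():
        print("RSA-OAEP/%s: %s (%s)" % (name, "supported" if ok else "REJECTED", reason))
```

Run it on the replica host with FIPS enabled and again with it disabled; a digest that flips from supported to REJECTED is the backend/policy interaction the traceback is hitting, and the python-cryptography build listed in the linked erratum is where that behaviour is changed.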
- is related to: RHEL-58067 ipa replica installation fails in FIPS mode on rhel10 (Release Pending)
- links to: RHBA-2024:138779 python-cryptography bug fix and enhancement update