Bug
Resolution: Duplicate
rhel-10.0
rhel-sst-idm-cs
ssg_idm
What were you trying to do that didn't work?
CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode
What is the impact of this issue to you?
CA Clone installation is not working
Please provide the package NVR for which the bug is seen:
dogtag-pki-11.6.0-0.2.alpha2.el10.src.rpm
jss-5.6.0-0.1.alpha1.el10.src.rpm
How reproducible is this bug?:
Always
Steps to reproduce
1. Set up 2 machines, i.e. master and clone
2. Enable FIPS on both the machines
3. Install Master CA and Clone CA with the below configs:
Master CA:
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005
[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA
Clone CA:
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_security_domain_hostname=pki1.example.com
pki_security_domain_https_port=20443
pki_security_domain_user=caadmin
pki_security_domain_password=SECret.123
pki_client_database_purge=False
pki_client_pkcs12_password=SECret.123
pki_admin_password=SECret.123
pki_cert_chain_path=/tmp/rootCA.pem
[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005
pki_clone=True
pki_clone_replicate_schema=True
pki_clone_uri=https://pki1.example.com:20443
pki_clone_pkcs12_path=/tmp/ca_certs.p12
pki_clone_pkcs12_password=SECret.123
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_admin_uid=caadmin
pki_ds_hostname=pki2.example.com
pki_ds_base_dn=o=topology-02-CA-CA
pki_ds_database=topology-02-testingmaster
Reference Doc:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md
Failing job:
Expected results
The CA Clone installation with FIPS should work. The CA clone installation is working fine on non-FIPS-enabled VMs.
Actual results
The CA Clone installation is failing with the below error:
2025-01-20T13:18:30 cmd: pkispawn -s CA -f /tmp/test_dir/ca_clone.cfg
delta: '0:00:04.920421'
end: '2025-01-20 08:18:29.263572'
msg: non-zero return code
rc: 1
start: '2025-01-20 08:18:24.343151'
stderr: |-
  WARNING: The 'pki_ds_hostname' in [CA] has been deprecated. Use 'pki_ds_url' instead.
  WARNING: The 'pki_ds_ldap_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
  ERROR: CalledProcessError: Command '['openssl', 'pkcs12', '-in', '/tmp/ca_certs.p12', '-out', '/var/lib/pki/topology-02-CA/conf/alias/ca.crt', '-nodes', '-nokeys', '-passin', 'pass:SECret.123']' returned non-zero exit status 1.
    File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 594, in main
      deployer.spawn()
    File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 5867, in spawn
      scriptlet.spawn(self)
    File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 40, in spawn
      deployer.import_clone_pkcs12()
    File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 725, in import_clone_pkcs12
      res_ca = subprocess.check_output(
               ^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib64/python3.12/subprocess.py", line 466, in check_output
      return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib64/python3.12/subprocess.py", line 571, in run
      raise CalledProcessError(retcode, process.args,
stderr_lines: <omitted>
stdout: |-
  ---------------
  4 entries found
  ---------------
  Certificate ID: 0xae74645358099f7032eecce75256c0b4b886fc95
  Serial Number: 0xbc49528bd2a5b97529de81fe021c089c
  Friendly Name: subsystemCert cert-topology-02-CA
  Subject DN: CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true
  Key ID: 0x8f85f398587692d7cdf12ddaec6f4a019e905f47

  Certificate ID: 0x235556e5fc9f6533880288ba0b0a8dda6b062bfe
  Serial Number: 0xc378518080b2d65582414a20d4df57c4
  Friendly Name: caSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CTu,Cu,Cu
  Has Key: true
  Key ID: 0x234f3f0dbdd3494feb732f0ba7e6a8222d2a39e8

  Certificate ID: 0x95c695fa3285752f0752276f41529c655c33469d
  Serial Number: 0x55e86efb07cd6d94e6a7d9bc4ba978db
  Friendly Name: ocspSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA OCSP Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true
  Key ID: 0x458bdd50992aab098e427f9c0a6419a565ff293a

  Certificate ID: 0x270e62aaab9c553f75f7a9c758debc6e3a7da47a
  Serial Number: 0xb7d2e69c9c98ff7c74b2d7503483985f
  Friendly Name: auditSigningCert cert-topology-02-CA CA
  Subject DN: CN=CA Audit Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,Pu
  Has Key: true
  Key ID: 0xcd21b23e7ddd1534ce3567cd044a8061c9694542

  Certificate Nickname                        Trust Attributes
                                              SSL,S/MIME,JAR/XPI

  subsystemCert cert-topology-02-CA           u,u,u
  caSigningCert cert-topology-02-CA CA        CTu,Cu,Cu
  ocspSigningCert cert-topology-02-CA CA      u,u,u
  auditSigningCert cert-topology-02-CA CA     u,u,Pu
  Loading deployment configuration from /tmp/test_dir/ca_clone.cfg.
  Installing CA into /var/lib/pki/topology-02-CA.
  Certificates in /var/lib/pki/topology-02-CA/conf/alias:

  Installation failed: Command failed: openssl pkcs12 -in /tmp/ca_certs.p12 -out /var/lib/pki/topology-02-CA/conf/alias/ca.crt -nodes -nokeys -passin pass:SECret.123
  b'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n'
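The openssl failure above is about the integrity MAC on /tmp/ca_certs.p12: a PKCS#12 file whose MacData names a plain digest derives its MAC key with PKCS12KDF, which OpenSSL's FIPS provider does not implement, whereas PBMAC1 (RFC 9579) derives it with PBKDF2 and is FIPS-friendly. The script below is an added example, not Dogtag/JSS code or part of this report: it walks the DER of a .p12 with the standard library only and reports which MAC scheme the bundle uses, so a clone's PKCS#12 can be checked before pkispawn hands it to openssl on a FIPS host. The sample PFX bytes it builds are constructed fixtures (empty authSafe, zeroed digest), not real key stores.

```python
# Added example (not Dogtag/JSS code): tell which MAC scheme a .p12 carries, so a
# PKCS12KDF-protected bundle is spotted before openssl rejects it in FIPS mode.
PKCS12KDF_DIGESTS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
                     "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512"}
PBMAC1_OID = "1.2.840.113549.1.5.14"  # RFC 9579: PBKDF2-based MAC, FIPS-friendly

def _tlv(data, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid_str(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def pkcs12_mac_info(pfx_der):
    """Return (scheme, digest, iterations) from MacData, or None if no MAC."""
    _, pfx, _ = _tlv(pfx_der)            # PFX ::= SEQUENCE
    _, _, pos = _tlv(pfx)                # version INTEGER
    _, _, pos = _tlv(pfx, pos)           # authSafe ContentInfo
    if pos >= len(pfx):
        return None                      # MacData is OPTIONAL
    _, mac, _ = _tlv(pfx, pos)           # MacData ::= SEQUENCE
    _, digest_info, pos = _tlv(mac)      # mac DigestInfo
    _, _, pos = _tlv(mac, pos)           # macSalt OCTET STRING
    iters = int.from_bytes(_tlv(mac, pos)[1], "big") if pos < len(mac) else 1
    alg_id = _tlv(digest_info)[1]        # digestAlgorithm AlgorithmIdentifier
    oid = _oid_str(_tlv(alg_id)[1])
    if oid == PBMAC1_OID:
        return ("PBMAC1", None, iters)
    return ("PKCS12KDF", PKCS12KDF_DIGESTS.get(oid, oid), iters)  # FIPS provider lacks this KDF

# Constructed test fixtures (empty authSafe, zeroed digest), not real key stores.
SHA256_ALG = "300d 0609608648016503040201 0500"  # sha256 DigestInfo => PKCS12KDF
PBMAC1_ALG = "300d 06092a864886f70d01050e 0500"  # PBMAC1 OID (params elided here)

def sample_pfx(alg_id_hex):
    return (bytes.fromhex("3057 020103 300f 06092a864886f70d010701 a0020400 3041 3031"
                          + alg_id_hex + "0420") + b"\x00" * 32
            + bytes.fromhex("0408 0001020304050607 02020800"))
```

Run it on a real file with pkcs12_mac_info(open("/tmp/ca_certs.p12", "rb").read()); a "PKCS12KDF" result means the bundle must be re-exported with a PBMAC1 MAC or verified outside FIPS mode before the clone install will get past this step.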
- duplicates RHEL-74371 ipa-replica-install --setup-ca fails in FIPS mode (In Progress)
- relates to RHEL-45539 CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode (Release Pending)