Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-24073

Once LEAPP is not an option for FIPS server, backup and restore is one, but it's failing for smart-proxy

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • 6.16.0
    • 6.14.3
    • None
    • Important
    • No

      Description of problem:
      Once LEAPP is not an option for FIPS server, backup and restore is one, but it's failing for smart-proxy.

      Let's picture this scenario, satellite 6.11@rhel7 FIPS, backup created, and restored in a server with satellite 6.11@rhel8 FIPS.

      Everything seems to be ok. However, when accessing the capsules / Puppet CA page, we can see errors as below

      Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for Capsule https://satellite_fqdn_here:9090/puppet/ca)

      // Current crypto-policy status

      1. update-crypto-policies --show
        FIPS

      // Changing to LEGACY

      1. update-crypto-policies --set LEGACY
        Warning: Using 'update-crypto-policies --set' in FIPS mode will make the system
        non-compliant with FIPS.
        It can also break the ssh access to the system.
        Use 'fips-mode-setup --disable' to disable the system FIPS mode.
        Setting system policy to LEGACY
        Note: System-wide crypto policies are applied on application start-up.
        It is recommended to restart the system for the change of policies
        to fully take place.

      // Checking once again

      1. update-crypto-policies --show
        LEGACY

      // Restarting satellite suite

      foreman-maintain service restart

      After that, there is no more error accessing this page, nor in the foreman-proxy logs.

      Version-Release number of selected component (if applicable):
      6.14

      How reproducible:
      100%

      Steps to Reproduce:
      1. Install sat611@rhel7 + FIPS + PuppetCA
      2. Create a backup
      3. Restore the backup on sat611@rhel8 + FIPS

      Actual results:
      Puppet CA page failing when crypto-policy is set to FIPS

      Expected results:
      Puppet CA page working when crypto-policy is set to FIPS

      Additional info:

            ekohlvan@redhat.com Ewoud Kohl van Wijngaarden
            rhn-support-wpinheir Waldirio Pinheiro
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: