-
Bug
-
Resolution: Done-Errata
-
Major
-
6.14.3
-
None
-
0
-
False
-
-
False
-
CLOSED
-
1,300
-
Platform
-
-
-
Important
-
No
Description of problem:
Once LEAPP is not an option for FIPS server, backup and restore is one, but it's failing for smart-proxy.
Let's picture this scenario, satellite 6.11@rhel7 FIPS, backup created, and restored in a server with satellite 6.11@rhel8 FIPS.
Everything seems to be ok. However, when accessing the capsules / Puppet CA page, we can see errors as below
—
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for Capsule https://satellite_fqdn_here:9090/puppet/ca)
—
// Current crypto-policy status
—
- update-crypto-policies --show
FIPS
—
// Changing to LEGACY
—
- update-crypto-policies --set LEGACY
Warning: Using 'update-crypto-policies --set' in FIPS mode will make the system
non-compliant with FIPS.
It can also break the ssh access to the system.
Use 'fips-mode-setup --disable' to disable the system FIPS mode.
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
—
// Checking once again
—
- update-crypto-policies --show
LEGACY
—
// Restarting satellite suite
—
foreman-maintain service restart
—
After that, there is no more error accessing this page, nor in the foreman-proxy logs.
Version-Release number of selected component (if applicable):
6.14
How reproducible:
100%
Steps to Reproduce:
1. Install sat611@rhel7 + FIPS + PuppetCA
2. Create a backup
3. Restore the backup on sat611@rhel8 + FIPS
Actual results:
Puppet CA page failing when crypto-policy is set to FIPS
Expected results:
Puppet CA page working when crypto-policy is set to FIPS
Additional info:
- links to
-
RHBA-2024:140284 Important: Satellite 6.16.0 release