Satellite / SAT-24779

Upgrading a FIPS-enabled Red Hat Satellite 6.14 to 6.15 faces issues with Candlepin keystore


    • Important
    • No

      Description

      When upgrading to Satellite 6.15, we are seeing issues related to regenerating and reimporting the candlepin-ca:
      ~~~
      2024-04-24 11:22:55 [ERROR ] [configure] /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca]/ensure: change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -alias candlepin-ca -file /etc/candlepin/certs/candlepin-ca.crt -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect
      2024-04-24 11:22:55 [ERROR ] [configure] java.io.IOException: keystore password was incorrect
      2024-04-24 11:22:55 [ERROR ] [configure] at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2089)
      2024-04-24 11:22:55 [ERROR ] [configure] at java.security.KeyStore.load(KeyStore.java:1445)
      2024-04-24 11:22:55 [ERROR ] [configure] at sun.security.tools.keytool.Main.doCommands(Main.java:839)
      2024-04-24 11:22:55 [ERROR ] [configure] at sun.security.tools.keytool.Main.run(Main.java:380)
      2024-04-24 11:22:55 [ERROR ] [configure] at sun.security.tools.keytool.Main.main(Main.java:373)
      2024-04-24 11:22:55 [ERROR ] [configure] Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
      ~~~

      Steps to reproduce:

      • Install RHEL 8.9 and enable FIPS
      • Install a Satellite 6.14 on top of it.
      • Try to upgrade the instance to Satellite 6.15.0

      Actual Results:

      Errors with candlepin keystore password as mentioned above

      Expected Results:

      No such errors and the upgrade should happen without any such issues.

            egolov@redhat.com Evgeni Golov
            rhn-support-pdudley Paul Dudley
            Griffin Sullivan Griffin Sullivan