-
Bug
-
Resolution: Done-Errata
-
Major
-
6.12.0
-
False
-
-
False
-
CLOSED
-
4,500
-
Endeavour
-
-
-
Important
-
Yes
Description of problem:
RHEL9 clients with FIPS mode failed to upload compliance reports to Satellite and fails with exception(Unable to load certs)
Version-Release number of selected component (if applicable):
6.12.z
How reproducible:
100%
Steps to Reproduce:
1. RHEL9 clients with FIPS mode
2. Compliance policy is configured and push to the client host, policy is updated on the client however compliance scan fails with the below error:-
Actual results:
- /usr/bin/foreman_scap_client ds 2
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results-arf /tmp/d20230207-13679-39jgxn/results.xml /var/lib/openscap/content/5d420b764d7c13ef8ddb6e8f0c76094fa9df9848881be58a9361ddfb8e988824.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20230207-13679-39jgxn/results.xml
Uploading results to https://satellite.example.com:9090/compliance/arf/2
Unable to load certs =========================================> Error.
Neither PUB key nor PRIV key
Expected results:
The compliance report should be uploaded without any issues.
Additional info:
~~~~~~~~~~
=> RHEL8 clients with FIPS mode are working as expected.
=> Key is also 4096-bit:
- openssl x509 -noout -text -in /etc/rhsm/ca/katello-server-ca.pem | grep Public-Key
Public-Key: (4096 bit) - openssl x509 -noout -text -in /etc/pki/consumer/cert.pem | grep Public-Key
Public-Key: (4096 bit) - openssl x509 -noout -text -in /etc/pki/katello/certs/katello-default-ca.crt | grep Public-Key
~~~~~~~~~~~~
- clones
-
SAT-19389 RHEL9 clients with FIPS mode, failed to upload compliance report to Satellite and fails with exception(Unable to load certs)
- Closed
- is blocked by
-
RHEL-5590 ruby:3.1/ruby: Ruby cannot read private key in FIPS mode on RHEL 9 [rhel-9]
- Closed
- external trackers
- links to
-
RHBA-2024:135979 Satellite 6.15.2 Async Update