Bug #32068
closed
Installation of katello-ca-consumer fails on RHEL with enabled FIPS
Description
Preconditions:
RHEL with enabled fips:
fips-mode-setup --enable
reboot
fips-mode-setup --check
# -> FIPS mode is enabled.
Steps to reproduce
curl -o katello-ca-consumer-latest.noarch.rpm http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm
yum localinstall -y katello-ca-consumer-latest.noarch.rpm
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Error: Transaction test error:
package katello-ca-consumer-centos7-katello-devel-stable.example.com-1.0-1.noarch does not verify: no digest
Workaround
rpm -ivh --nodigest katello-ca-consumer-latest.noarch.rpm
Updated by Ewoud Kohl van Wijngaarden about 3 years ago
- Project changed from Packaging to Installer
- Category set to Foreman modules
- Triaged changed from No to Yes
- Found in Releases 2.4.0 added
Technically the installer generates this consumer CA RPM. I'm going to guess this shows up in every release but I'm picking the latest RC now.
Updated by Ewoud Kohl van Wijngaarden about 3 years ago
I can't reproduce this with a CentOS 8 server:
[root@centos8 ~]# dnf install http://pipe-katello-server-nightly-centos8.wisse.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Last metadata expiration check: 0:04:10 ago on Thu 11 Mar 2021 11:01:45 UTC.
katello-ca-consumer-latest.noarch.rpm 549 kB/s | 13 kB 00:00
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
katello-ca-consumer-pipe-katello-server-nightly-centos8.wisse.example.com noarch 1.0-1 @commandline 13 k
Installing dependencies:
dnf-plugin-subscription-manager x86_64 1.27.16-1.el8 baseos 288 k
python3-ethtool x86_64 0.14-3.el8 baseos 45 k
python3-iniparse noarch 0.4-31.el8 baseos 49 k
python3-inotify noarch 0.9.6-13.el8 baseos 57 k
python3-librepo x86_64 1.12.0-2.el8 baseos 52 k
python3-subscription-manager-rhsm x86_64 1.27.16-1.el8 baseos 360 k
subscription-manager x86_64 1.27.16-1.el8 baseos 1.1 M
subscription-manager-rhsm-certificates x86_64 1.27.16-1.el8 baseos 256 k
usermode x86_64 1.113-1.el8 baseos 202 k
Transaction Summary
================================================================================
Install 10 Packages
Total size: 2.4 M
Total download size: 2.4 M
Installed size: 6.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): python3-iniparse-0.4-31.el8.noarch.rpm 592 kB/s | 49 kB 00:00
(2/9): python3-ethtool-0.14-3.el8.x86_64.rpm 394 kB/s | 45 kB 00:00
(3/9): python3-inotify-0.9.6-13.el8.noarch.rpm 922 kB/s | 57 kB 00:00
(4/9): python3-librepo-1.12.0-2.el8.x86_64.rpm 463 kB/s | 52 kB 00:00
(5/9): dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64.rpm 822 kB/s | 288 kB 00:00
(6/9): python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64.rpm 1.2 MB/s | 360 kB 00:00
(7/9): usermode-1.113-1.el8.x86_64.rpm 784 kB/s | 202 kB 00:00
(8/9): subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64.rpm 544 kB/s | 256 kB 00:00
(9/9): subscription-manager-1.27.16-1.el8.x86_64.rpm 626 kB/s | 1.1 MB 00:01
--------------------------------------------------------------------------------
Total 997 kB/s | 2.4 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-iniparse-0.4-31.el8.noarch 1/10
Installing : usermode-1.113-1.el8.x86_64 2/10
Installing : subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64 3/10
Installing : python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64 4/10
Installing : python3-librepo-1.12.0-2.el8.x86_64 5/10
Installing : dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64 6/10
Installing : python3-inotify-0.9.6-13.el8.noarch 7/10
Installing : python3-ethtool-0.14-3.el8.x86_64 8/10
Installing : subscription-manager-1.27.16-1.el8.x86_64 9/10
Running scriptlet: subscription-manager-1.27.16-1.el8.x86_64 9/10
Installing : katello-ca-consumer-pipe-katello-server-nightly-centos8.wisse.example.com-1.0-1.noarch 10/10
Running scriptlet: katello-ca-consumer-pipe-katello-server-nightly-centos8.wisse.example.com-1.0-1.noarch 10/10
WARNING
The yum/dnf plugins: /etc/dnf/plugins/subscription-manager.conf were automatically enabled for the benefit of Red Hat Subscription Management. If not desired, use "subscription-manager config --rhsm.auto_enable_yum_plugins=0" to block this behavior.
Verifying : dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64 1/10
Verifying : python3-ethtool-0.14-3.el8.x86_64 2/10
Verifying : python3-iniparse-0.4-31.el8.noarch 3/10
Verifying : python3-inotify-0.9.6-13.el8.noarch 4/10
Verifying : python3-librepo-1.12.0-2.el8.x86_64 5/10
Verifying : python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64 6/10
Verifying : subscription-manager-1.27.16-1.el8.x86_64 7/10
Verifying : subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64 8/10
Verifying : usermode-1.113-1.el8.x86_64 9/10
Verifying : katello-ca-consumer-pipe-katello-server-nightly-centos8.wisse.example.com-1.0-1.noarch 10/10
Installed:
dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64
katello-ca-consumer-pipe-katello-server-nightly-centos8.wisse.example.com-1.0-1.noarch
python3-ethtool-0.14-3.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-inotify-0.9.6-13.el8.noarch
python3-librepo-1.12.0-2.el8.x86_64
python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64
subscription-manager-1.27.16-1.el8.x86_64
subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64
usermode-1.113-1.el8.x86_64
Complete!
[root@centos8 ~]# fips-mode-setup --check
FIPS mode is enabled.
Going to spin up a CentOS 7 server to check.
Updated by Ewoud Kohl van Wijngaarden about 3 years ago
Confirmed with an EL7 version built on Katello 3.18:
[root@centos8 ~]# dnf install http://centos7-katello-3-18.wisse.example.com/pub/katello-ca-consumer-latest.noarch.rpm
Last metadata expiration check: 0:31:35 ago on Thu 11 Mar 2021 11:20:13 UTC.
katello-ca-consumer-latest.noarch.rpm 295 kB/s | 8.4 kB 00:00
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
katello-ca-consumer-centos7-katello-3-18.wisse.example.com noarch 1.0-1 @commandline 8.4 k
Installing dependencies:
dnf-plugin-subscription-manager x86_64 1.27.16-1.el8 baseos 288 k
python3-ethtool x86_64 0.14-3.el8 baseos 45 k
python3-iniparse noarch 0.4-31.el8 baseos 49 k
python3-inotify noarch 0.9.6-13.el8 baseos 57 k
python3-librepo x86_64 1.12.0-2.el8 baseos 52 k
python3-subscription-manager-rhsm x86_64 1.27.16-1.el8 baseos 360 k
subscription-manager x86_64 1.27.16-1.el8 baseos 1.1 M
subscription-manager-rhsm-certificates x86_64 1.27.16-1.el8 baseos 256 k
usermode x86_64 1.113-1.el8 baseos 202 k
Transaction Summary
================================================================================
Install 10 Packages
Total size: 2.4 M
Total download size: 2.4 M
Installed size: 6.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): python3-iniparse-0.4-31.el8.noarch.rpm 461 kB/s | 49 kB 00:00
(2/9): python3-ethtool-0.14-3.el8.x86_64.rpm 418 kB/s | 45 kB 00:00
(3/9): python3-librepo-1.12.0-2.el8.x86_64.rpm 1.9 MB/s | 52 kB 00:00
(4/9): python3-inotify-0.9.6-13.el8.noarch.rpm 1.4 MB/s | 57 kB 00:00
(5/9): dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64.rpm 1.9 MB/s | 288 kB 00:00
(6/9): subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64.rpm 5.3 MB/s | 256 kB 00:00
(7/9): python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64.rpm 6.2 MB/s | 360 kB 00:00
(8/9): usermode-1.113-1.el8.x86_64.rpm 5.3 MB/s | 202 kB 00:00
(9/9): subscription-manager-1.27.16-1.el8.x86_64.rpm 5.8 MB/s | 1.1 MB 00:00
--------------------------------------------------------------------------------
Total 5.5 MB/s | 2.4 MB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package katello-ca-consumer-centos7-katello-3-18.wisse.example.com-1.0-1.noarch does not verify: no digest
Updated by Ewoud Kohl van Wijngaarden about 3 years ago
- Status changed from New to Rejected
https://access.redhat.com/solutions/4460971 describes it, but since it's behind a paywall, I'll summarize here.
Essentially RPM on EL8 can generate SHA256 digests but RPM on EL7 can't. With FIPS you're not allowed to use MD5 nor SHA1. The workaround is to not verify digests. Effectively it means enabling FIPS leads to a less secure installation, but at least it's compliant.
There's nothing we can do here since it would mean we have to ship a newer RPM on EL7 which is not something we want to do.
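Added example, not part of the ticket or of Foreman/Katello code: a pre-install check that reads an RPM's signature header and reports whether it carries a SHA-256 digest, which is what the comment above says an EL7-built package lacks. The tag numbers are from rpm's rpmtag.h; the two sample packages are constructed stand-ins (lead plus index only), and signature_digests, fips_verifiable and _sample are names chosen here.

```python
import struct
import sys

# Digest tags in the RPM signature header (numbers from rpm's rpmtag.h).
DIGEST_TAGS = {269: "SHA1", 273: "SHA256", 1004: "MD5"}
FIPS_OK = {273}  # per the ticket: MD5 and SHA1 are not allowed under FIPS
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"


def signature_digests(rpm_bytes):
    """Return the digest tag numbers found in the signature header index."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = rpm_bytes[96:112]  # 16-byte header intro follows the 96-byte lead
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("truncated or corrupt signature header")
    n_index, _data_len = struct.unpack(">II", intro[8:16])
    index = rpm_bytes[112:112 + 16 * n_index]
    if len(index) != 16 * n_index:
        raise ValueError("truncated signature index")
    # Each index entry is (tag, type, offset, count), all big-endian 32-bit.
    tags = (struct.unpack(">IIiI", index[i:i + 16])[0]
            for i in range(0, len(index), 16))
    return sorted(t for t in tags if t in DIGEST_TAGS)


def fips_verifiable(rpm_bytes):
    """True if at least one digest present is usable on a FIPS host."""
    return any(t in FIPS_OK for t in signature_digests(rpm_bytes))


def _sample(tags):
    """Constructed stand-in: lead plus signature index, no data or payload."""
    entries = b"".join(struct.pack(">IIiI", t, 7, 0, 16) for t in tags)
    return (LEAD_MAGIC + bytes(92) + HEADER_MAGIC + bytes(4)
            + struct.pack(">II", len(tags), 0) + entries)


EL7_BUILT = _sample([1000, 1004, 269])       # size, MD5, SHA1 only
EL8_BUILT = _sample([1000, 1004, 269, 273])  # additionally SHA256

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EL7_BUILT
    found = [DIGEST_TAGS[t] for t in signature_digests(data)]
    print("digests:", ", ".join(found) or "none")
    print("FIPS-verifiable:", fips_verifiable(data))
```

Run with the path of a downloaded package as the only argument; it inspects the signature header only and does not verify the digest values themselves.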