IPA is only supported with FIPS when it is installed onto an already FIPS-enabled system. Turning on FIPS with an existing installation isn't supported. I have two proposals:
Put a scary warning on https://www.freeipa.org/page/V4/FreeIPA-on-FIPS which is my first result for "ipa fips".
If IPA detects that the FIPS state of a system has changed, brick. Refuse to perform any more operations on this configuration. Don't let the user think this is okay, because we'll inevitably file bugs about it.
CC @slaznick@redhat.com
JFTR, I also placed a related request in adding the needed information to RHEL's IdM guide, which is still the most complete FreeIPA/IdM guide, currently:
https://bugzilla.redhat.com/show_bug.cgi?id=1510313#c13
Design page "How to use" section updated with "Enabling FIPS after installation of IPA on the machine is not supported - some operations will not work. "
I ran into one of these recently. A user of freeipa-healthcheck reported failures in https://github.com/freeipa/freeipa-healthcheck/issues/342
It was due to installing non-FIPS and switching to FIPS.
I propose that we store a flag in sysrestore.state indicating whether FIPS was enabled at install time. We can use this to determine what to do both for healthcheck and IPA.
The most radical approach would be to fail to start if this is encountered. We could test in ipactl pretty easily.
We also need to consider the reverse situation where a server was installed as FIPS and then switched to non-FIPS. The NSS token name will change which will likely cause renewal issues in certmonger. I imagine these would be quite difficult to troubleshoot.
added: it may also be that ipa-server-upgrade will correct the certmonger token name. It may be fine to go from FIPS -> non-FIPS but definitely not the other way.
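The install-time flag proposed above, as an added example that is not FreeIPA's own code: it records the kernel FIPS mode in an INI-style state file (the `[installation] fips_mode` layout and the function names are assumptions, not sysrestore.state's real format) and reports which direction the mode changed, so a startup or healthcheck check can act on it.

```python
"""Record the FIPS mode at install time and detect a later change.

Added example, not FreeIPA's own code: the state-file layout
([installation] fips_mode = ...) and the function names are assumptions.
"""
import configparser
from pathlib import Path

FIPS_PROC = Path("/proc/sys/crypto/fips_enabled")  # kernel's FIPS switch on Linux
SECTION, KEY = "installation", "fips_mode"        # assumed layout, not FreeIPA's


def read_fips_enabled(proc_path: Path = FIPS_PROC) -> bool:
    """Return True if the running kernel is in FIPS mode; False if the file is absent."""
    try:
        return proc_path.read_text().strip() == "1"
    except OSError:
        return False


def record_fips_state(state: configparser.ConfigParser, fips_enabled: bool) -> None:
    """Store the install-time FIPS mode; the installer would call this once."""
    if not state.has_section(SECTION):
        state.add_section(SECTION)
    state.set(SECTION, KEY, "true" if fips_enabled else "false")


def check_fips_state(state: configparser.ConfigParser, current: bool) -> str:
    """Compare the recorded install-time mode with the current one.

    Returns 'ok', 'unknown' (older install with no record), or the direction
    of the change, so ipactl or healthcheck can decide whether to refuse to run.
    """
    if not state.has_option(SECTION, KEY):
        return "unknown"
    recorded = state.getboolean(SECTION, KEY)
    if recorded == current:
        return "ok"
    return "fips-enabled-after-install" if current else "fips-disabled-after-install"


def check_from_text(state_text: str, current: bool) -> str:
    """Parse the INI text of a state file and run the check on it."""
    state = configparser.ConfigParser()
    state.read_string(state_text)
    return check_fips_state(state, current)


# Constructed sample state file, as the installer on a non-FIPS host would write it.
SAMPLE_STATE = "[installation]\nfips_mode = false\n"

if __name__ == "__main__":
    print(check_from_text(SAMPLE_STATE, read_fips_enabled()))
```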
Verified that if you go from a FIPS install to non-FIPS, certmonger renewal will fail: State GENERATING_CSR, stuck: no. State NEED_CSR_GEN_TOKEN, stuck: yes.
In the journal certmonger will report issues in finding the token:
Token is named "NSS Certificate DB", not "NSS FIPS 140-2 Certificate DB", skipping.
and give up with "Error locating a key".
Metadata Update from @rcritten: - Issue assigned to rcritten
Opened a PR to argue over my approach https://github.com/freeipa/freeipa/pull/7582
Metadata Update from @frenaud: - Issue tagged with: fips
I closed my PR. A bunch of corner cases were identified. If we want to take this up again we'll need to plan accordingly.