freeipa

Clone
Source Code
GIT

#9577 Replica installation fails in FIPS mode in fedora 39+
Closed: fixed 9 months ago by frenaud. Opened a year ago by frenaud.

Closed: fixed
Reopen Issue

Issue

The installation of a replica fails in FIPS mode in fedora 39.

Steps to Reproduce

  1. On server and replica, configure fips mode (fips-mode-setup --enable; reboot)
  2. install the server with ipa-server-install --domain ipa.test --realm IPA.TEST -a Secret123 -p Secret123 -U
  3. install the replica withipa-replica-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U

Actual behavior

Replica installation fails in the step Importing the RA key:

...
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py:227: DeprecationWarning: Call to deprecated function (or staticmethod) key_id.
  header = {'kid': key.key_id, 'alg': alg}
/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py:238: DeprecationWarning: Call to deprecated function (or staticmethod) key_id.
  eprot = {'kid': enc_key.key_id, 'alg': enc[0], 'enc': enc[1]}
  [error] UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

This combination of padding and hash algorithm is not supported by this backend.
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected behavior

Replica installation should succeed.

Version/Release/Distribution

freeipa-server-4.12.0.dev202404151410+git-0.fc39.x86_64
freeipa-client-4.12.0.dev202404151410+git-0.fc39.x86_64
389-ds-base-2.4.5-1.fc39.x86_64
dogtag-pki-ca-11.4.3-2.fc39.1.noarch
krb5-server-1.21.2-3.fc39.x86_64
openssl-3.1.1-4.fc39.x86_64

Content of /var/log/ipareplica-install.log:

2024-04-09T04:58:09Z DEBUG   [2/2]: Importing RA key
2024-04-09T04:58:09Z DEBUG Waiting up to 300 seconds to see our keys appear on host ldap://master.ufreeipa.test
2024-04-09T04:58:10Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 774, in __import_ra_key
    import_ra_key(self._custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 2382, in import_ra_key
    custodia.import_ra_key()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/custodiainstance.py", line 198, in import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python3.12/site-packages/ipaserver/secrets/client.py", line 111, in fetch_key
    request = self.kemcli.make_request(keyname, encalg=encalg)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 214, in make_request
    return make_enc_kem(name, value,
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 240, in make_enc_kem
    jwe.add_recipient(enc_key)
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwe.py", line 237, in add_recipient
    wrapped = alg.wrap(key, enc.wrap_key_size, self.cek, jh)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwa.py", line 362, in wrap
    ek = rk.encrypt(cek, self.padfn)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 85, in _enc_dec_rsa
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.

2024-04-09T04:58:10Z DEBUG   [error] UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
2024-04-09T04:58:10Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2024-04-09T04:58:10Z DEBUG   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
           ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
           ^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 663, in _configure
    next(executor)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 435, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 526, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 523, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 458, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 425, in __runner
    step()
  File "/usr/lib/python3.12/site-packages/ipapython/install/core.py", line 419, in step_next
    return next(self.__gen)
           ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.12/site-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3.12/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/replicainstall.py", line 383, in decorated
    func(installer)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/server/replicainstall.py", line 1369, in install
    ca.install(False, config, options, custodia=custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", line 354, in install
    install_step_0(standalone, replica_config, options, custodia=custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ca.py", line 423, in install_step_0
    ca.configure_instance(
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 507, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 686, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/service.py", line 672, in run_step
    method()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 774, in __import_ra_key
    import_ra_key(self._custodia)
  File "/usr/lib/python3.12/site-packages/ipaserver/install/cainstance.py", line 2382, in import_ra_key
    custodia.import_ra_key()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/custodiainstance.py", line 198, in import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python3.12/site-packages/ipaserver/secrets/client.py", line 111, in fetch_key
    request = self.kemcli.make_request(keyname, encalg=encalg)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 214, in make_request
    return make_enc_kem(name, value,
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/custodia/message/kem.py", line 240, in make_enc_kem
    jwe.add_recipient(enc_key)
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwe.py", line 237, in add_recipient
    wrapped = alg.wrap(key, enc.wrap_key_size, self.cek, jh)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/jwcrypto/jwa.py", line 362, in wrap
    ek = rk.encrypt(cek, self.padfn)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 85, in _enc_dec_rsa
    raise UnsupportedAlgorithm(

2024-04-09T04:58:10Z DEBUG The ipa-replica-install command failed, exception: UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
2024-04-09T04:58:10Z ERROR This combination of padding and hash algorithm is not supported by this backend.
2024-04-09T04:58:10Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

The code is calling make_enc_kem(name, value, sig_key, alg, enc_key, enc) with the following arguments:

name = 'ra/ipaCert'
value = None
sig_key = {"kid":"host/replica.ufreeipa.test@UFREEIPA.TEST","thumbprint":"v6bObCaXvtLS9Zs3jVQS2djgs5YV5J16DF6mbwT9rh0"}
alg = 'RS256'
enc_key = {"kid":"Missing Key ID","thumbprint":"Plm4GZfah7VysV7r4kThF7dKVu2yNBNJrxX1axpJFvs"}
enc = ('RSA-OAEP', 'A256CBC-HS512')

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-40210
a year ago

Issue reported against python-cryptography: https://github.com/pyca/cryptography/issues/11512

Issue reported against python-cryptography: https://github.com/pyca/cryptography/issues/11512

python-cryptography fixed the issue in python-cryptography-43.0.0-3.fc42 but the replica installation is now hitting a different issue. Custodia is using the command "openssl pkcs12" to export and import private keys, and in FIPS mode we need to add "-nomac" / "-nomacver" options.

Same reproducer: in FIPS mode install server, then install replica. Replica installation fails importing custodia keys for RA:

Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
  [error] HTTPError: 404 Client Error: Not Found for url: https://server.ipa.test/ipa/keys/ra/ipaCert?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.bUYNngtMWVoeqgCa-NaTxE2BCxfPDF2eBvqZfpsA9RlbEmdRYgnhrImcUkE5krlzXRh3v-Q9W3pzaHgfcqIcNLSLYVP5ZTnSYXs3B900UFJdlMLH9JZ4Xjat050mhF8A3fzRkQEPNVaRK8682G_-iVisR5lZ4lI0IVVPphJT-WzRdlRyiQfFrYWXByW6zrsSjDN61XlaASzPyPEBuXJX4J--59jRMZcAFD2kD-GtnHPO2GRE4fg99sJ99czIM2s_ZGELIBjIYVX6uNUfNIPYCejZ_jj_7gcRinJkVPwTGM8VIyJOZ1SRvYBqLeICwt0xnecaY7nD6PdAR52vOVvqFA.n5w-X7f4d38OerqCSR7fgg.PlrqgWjMbkvEXEVbdXhoW5RzkAvsyK-bdveYtCDBydL_6b1CXEQOJ5vZqlnZeKQDGb4-_WlSjGmyw7U-Gk8XhCFy0TlkvDalYCokhHhaSpwjOU6VJr4cww_EmKegKH6BgMcxTI4pYwCl8hraJmgLdlg_3ToJBRZ8zj9X3ilbON9PLC40GDNAlcwqYQqxvvhHtwCzHHmcQ5AA4HY_nYzZSxJLchQLrE-97P8IORJe_A7TwkS15LEEt3W468RUnHfU9m03l6h1hC4I3_bux5laYC9UWPc8GA69s5bIbxtIAvTdeIlvsIcTuO4MMRtLyTn4clqIGOfQV0zwEN_k-l4kFYxoP4MmDsXWQivJuce7a8A2HvuZZftdE5WEKHq1BahhOCOoqNoUTEdAmDOzZ1FY1_Pnya-tXepy3mV3HYxk5N6Is-mmoeSGYnWTgN4_6GvInJUc51-AfS8jpc3st11v_NB3ToHl3AobfMuhDnCgdg7vtjivAOLbA7sU3kWEj0f8rXiVFI5oiC6FQP5NXQgh-TQLCU_aeYkmSmOeCPflFHfj52ltK-Jx3ZUY8elYlFC03aV3nMbgfDOVOkVCSPQt-b8xkQ1aqTdYyvTvbi6WdZlDP-z5M35tV_zwHVwFmeGK.mwlQ8L0Vhx5AbdCwUiGY7Fbvir-5FPRkZTThMVD69RA
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

404 Client Error: Not Found for url: https://server.ipa.test/ipa/keys/ra/ipaCert?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.bUYNngtMWVoeqgCa-NaTxE2BCxfPDF2eBvqZfpsA9RlbEmdRYgnhrImcUkE5krlzXRh3v-Q9W3pzaHgfcqIcNLSLYVP5ZTnSYXs3B900UFJdlMLH9JZ4Xjat050mhF8A3fzRkQEPNVaRK8682G_-iVisR5lZ4lI0IVVPphJT-WzRdlRyiQfFrYWXByW6zrsSjDN61XlaASzPyPEBuXJX4J--59jRMZcAFD2kD-GtnHPO2GRE4fg99sJ99czIM2s_ZGELIBjIYVX6uNUfNIPYCejZ_jj_7gcRinJkVPwTGM8VIyJOZ1SRvYBqLeICwt0xnecaY7nD6PdAR52vOVvqFA.n5w-X7f4d38OerqCSR7fgg.PlrqgWjMbkvEXEVbdXhoW5RzkAvsyK-bdveYtCDBydL_6b1CXEQOJ5vZqlnZeKQDGb4-_WlSjGmyw7U-Gk8XhCFy0TlkvDalYCokhHhaSpwjOU6VJr4cww_EmKegKH6BgMcxTI4pYwCl8hraJmgLdlg_3ToJBRZ8zj9X3ilbON9PLC40GDNAlcwqYQqxvvhHtwCzHHmcQ5AA4HY_nYzZSxJLchQLrE-97P8IORJe_A7TwkS15LEEt3W468RUnHfU9m03l6h1hC4I3_bux5laYC9UWPc8GA69s5bIbxtIAvTdeIlvsIcTuO4MMRtLyTn4clqIGOfQV0zwEN_k-l4kFYxoP4MmDsXWQivJuce7a8A2HvuZZftdE5WEKHq1BahhOCOoqNoUTEdAmDOzZ1FY1_Pnya-tXepy3mV3HYxk5N6Is-mmoeSGYnWTgN4_6GvInJUc51-AfS8jpc3st11v_NB3ToHl3AobfMuhDnCgdg7vtjivAOLbA7sU3kWEj0f8rXiVFI5oiC6FQP5NXQgh-TQLCU_aeYkmSmOeCPflFHfj52ltK-Jx3ZUY8elYlFC03aV3nMbgfDOVOkVCSPQt-b8xkQ1aqTdYyvTvbi6WdZlDP-z5M35tV_zwHVwFmeGK.mwlQ8L0Vhx5AbdCwUiGY7Fbvir-5FPRkZTThMVD69RA
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

On the server side, the journal shows:

Sep 09 05:19:08 server.ipa.test ipa-custodia[8848]: Error retrieving key "keys/ra/ipaCert": CalledProcessError(Command ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--export', '-'] returned non-zero exit status 1: 'Traceback (mos
t recent call last):\n  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in <module>\n    main(ra_agent_parser())\n    ~~~~^^^^^^^^^^^^^^^^^^^\n  File "/usr/lib/python3.13/site-packages/ipaserver/secrets/handlers/pemfile.
py", line 117, in main\n    common.main(parser, export_key, import_key)\n    ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File "/usr/lib/python3.13/site-packages/ipaserver/secrets/handlers/common.py", line 73, in main\n    func(args, 
tmpdir, **kwargs)\n    ~~~~^^^^^^^^^^^^^^^^^^^^^^^^\n  File "/usr/lib/python3.13/site-packages/ipaserver/secrets/handlers/pemfile.py", line 28, in export_key\n    ipautil.run([\n    ~~~~~~~~~~~^^\n        paths.OPENSSL, \'pkcs12\', \'-e
xport\',\n        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n    ...<6 lines>...\n        \'-macalg\', \'sha384\',\n        ^^^^^^^^^^^^^^^^^^^^\n    ])\n    ^^\n  File "/usr/lib/python3.13/site-packages/ipapython/ipautil.py", line 594, in ru
n\n    raise CalledProcessError(\n        p.returncode, arg_string, output_log, error_log\n    )\nipapython.ipautil.CalledProcessError: CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-export\', \'-in\', \'/var/lib/ipa/r
a-agent.pem\', \'-out\', \'/tmp/tmp8a03ptr8/export.p12\', \'-inkey\', \'/var/lib/ipa/ra-agent.key\', \'-password\', \'file:/tmp/tmp8a03ptr8/passwd\', \'-keypbe\', \'AES-256-CBC\', \'-certpbe\', \'AES-256-CBC\', \'-macalg\', \'sha384\'] 
returned non-zero exit status 1: \'Error creating PKCS12 MAC; no PKCS12KDF support?\\nUse -nomac if MAC not required and PKCS12KDF support not available.\\n8032BB5DF47F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetc
h:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (PKCS12KDF : 192), Properties (<null>)\\n8032BB5DF47F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:157:\\n803
2BB5DF47F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:230:\\n\')\n')
Sep 09 05:19:08 server.ipa.test ipa-custodia[8848]: 2024-09-09 05:19:08 - Secrets-[/keys]                  - DENIED: '(null)' requested key 'ra/ipaCert'
Sep 09 05:19:08 server.ipa.test ipa-custodia[8848]: 2024-09-09 05:19:08 - server                           - code 404, message Not Found
Sep 09 05:19:08 server.ipa.test ipa-custodia[8848]: 127.0.0.1 - - [09/Sep/2024 05:19:08] "GET /keys/ra/ipaCert?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.bUYNngtMWVoeqgCa-NaTxE2BCxfPDF2eBvqZfpsA9
RlbEmdRYgnhrImcUkE5krlzXRh3v-Q9W3pzaHgfcqIcNLSLYVP5ZTnSYXs3B900UFJdlMLH9JZ4Xjat050mhF8A3fzRkQEPNVaRK8682G_-iVisR5lZ4lI0IVVPphJT-WzRdlRyiQfFrYWXByW6zrsSjDN61XlaASzPyPEBuXJX4J--59jRMZcAFD2kD-GtnHPO2GRE4fg99sJ99czIM2s_ZGELIBjIYVX6uNUfNIPYC
ejZ_jj_7gcRinJkVPwTGM8VIyJOZ1SRvYBqLeICwt0xnecaY7nD6PdAR52vOVvqFA.n5w-X7f4d38OerqCSR7fgg.PlrqgWjMbkvEXEVbdXhoW5RzkAvsyK-bdveYtCDBydL_6b1CXEQOJ5vZqlnZeKQDGb4-_WlSjGmyw7U-Gk8XhCFy0TlkvDalYCokhHhaSpwjOU6VJr4cww_EmKegKH6BgMcxTI4pYwCl8hraJmg
Ldlg_3ToJBRZ8zj9X3ilbON9PLC40GDNAlcwqYQqxvvhHtwCzHHmcQ5AA4HY_nYzZSxJLchQLrE-97P8IORJe_A7TwkS15LEEt3W468RUnHfU9m03l6h1hC4I3_bux5laYC9UWPc8GA69s5bIbxtIAvTdeIlvsIcTuO4MMRtLyTn4clqIGOfQV0zwEN_k-l4kFYxoP4MmDsXWQivJuce7a8A2HvuZZftdE5WEKHq1Bah
hOCOoqNoUTEdAmDOzZ1FY1_Pnya-tXepy3mV3HYxk5N6Is-mmoeSGYnWTgN4_6GvInJUc51-AfS8jpc3st11v_NB3ToHl3AobfMuhDnCgdg7vtjivAOLbA7sU3kWEj0f8rXiVFI5oiC6FQP5NXQgh-TQLCU_aeYkmSmOeCPflFHfj52ltK-Jx3ZUY8elYlFC03aV3nMbgfDOVOkVCSPQt-b8xkQ1aqTdYyvTvbi6WdZl
DP-z5M35tV_zwHVwFmeGK.mwlQ8L0Vhx5AbdCwUiGY7Fbvir-5FPRkZTThMVD69RA HTTP/1.1" 404 -

Notice the error message: Use -nomac if MAC not required and PKCS12KDF support not available returned by openssk pkcs12 -export command

Metadata Update from @frenaud:
- Issue assigned to frenaud
9 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7531
9 months ago

master:

  • ce67321 Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-40210, https://issues.redhat.com/browse/RHEL-58067 (was: https://issues.redhat.com/browse/RHEL-40210)
9 months ago

ipa-4-12:

  • c96d172 Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
9 months ago

Log in to comment on this ticket.

Metadata

tracker test-failure

None
None
None
None
None
None
None
None
None
None
None
None
None
https://github.com/freeipa/freeipa/pull/7531
None
None
None
None
None
None
None
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.