The nightly test `test_integration/test_acme.py::TestACMEPrune` is failing in FIPS mode on Fedora 39, in the step calling `ipa-acme-manage pruning --run`.
```
ipa-server-install --domain ipa.test --realm IPA.TEST -a Secret123 -p Secret123 -U --random-serial-numbers --setup-dns --auto-forwarders
ipa-acme-manage pruning --enable; ipactl restart
ipa-acme-manage pruning --run
```
The command fails with:

```
ipa: ERROR: stderr: No matching certificate found for private key from /var/lib/ipa/ra-agent.key
The ipa-acme-manage command failed.
```
Pruning should execute successfully.

Fedora 39, freeipa from the master branch, openssl-3.1.1-4.fc39.x86_64, nss-tools-3.99.0-1.fc39.x86_64
The command fails in a call to `openssl pkcs12 -export`, trying to create a PKCS12 file from the content of the IPA RA cert/key:

```
# /usr/sbin/ipa-acme-manage -v -d pruning --run
...
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/openssl', 'pkcs12', '-export', '-in', '/tmp/tmp2s9ffu6s', '-out', '/tmp/tmp2pmla_ec', '-passin', 'file:/tmp/tmphevu2l3s/pwdfile.txt', '-passout', 'file:/tmp/tmpamylfusn', '-certpbe', 'aes-128-cbc', '-keypbe', 'aes-128-cbc']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
00EEA877137F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (PKCS12KDF : 179), Properties (<null>)
00EEA877137F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
00EEA877137F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:

ipapython.dogtag: DEBUG: request POST https://master.ufreeipa.test:8443/acme/logout
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 204
ipapython.dogtag: DEBUG: response headers Date: Wed, 17 Jul 2024 18:12:25 GMT
ipapython.dogtag: DEBUG: response body (decoded): b''
ipapython.admintool: DEBUG:   File "/usr/lib/python3.12/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 413, in run
    self.pruning()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 344, in pruning
    run_pruning()
  File "/usr/lib/python3.12/site-packages/ipaserver/install/ipa_acme_manage.py", line 311, in run_pruning
    tmpdb.import_files((paths.RA_AGENT_PEM, paths.RA_AGENT_KEY),
  File "/usr/lib/python3.12/site-packages/ipapython/certdb.py", line 835, in import_files
    raise RuntimeError(

ipapython.admintool: DEBUG: The ipa-acme-manage command failed, exception: RuntimeError: No matching certificate found for private key from /var/lib/ipa/ra-agent.key
ipapython.admintool: ERROR: No matching certificate found for private key from /var/lib/ipa/ra-agent.key
ipapython.admintool: ERROR: The ipa-acme-manage command failed.
```
According to https://github.com/openssl/openssl/issues/19997 the PKCS12KDF provider is not supported in FIPS. It looks like there may be a workaround in OpenSSL 3.3.0 but that isn't in Fedora yet to even try to test it.
So it looks like pruning does not work in FIPS mode because we use the RA agent for auth and we only have that as discrete PEM files which can't be imported into NSS to be used by the pki command.
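To make the failure mode above concrete, here is an added example (not FreeIPA's code) that rebuilds the `openssl pkcs12 -export` invocation from the debug log, recognises the PKCS12KDF error in stderr, and retries once with the `-nomac` fallback that the error message itself suggests. The `_run` helper and the PEM/password-file paths are assumptions, and the detection uses the marker strings quoted in the log.

```python
"""Added example, not FreeIPA's code: rebuild the openssl pkcs12 -export call
from the debug log above and fall back to -nomac when the FIPS provider cannot
fetch PKCS12KDF. PEM and password-file paths are caller-supplied placeholders."""
import subprocess
from typing import List, Optional

# Marker strings taken from the stderr quoted in the ticket.
_KDF_MARKERS = ("PKCS12KDF", "pkcs12_gen_mac", "PKCS12_set_mac")

def classify_pkcs12_failure(stderr: str) -> Optional[str]:
    """'pkcs12kdf_unavailable' when the MAC KDF fetch failed (the FIPS case),
    'other' for any other OpenSSL error, None when stderr reports no error."""
    if any(marker in stderr for marker in _KDF_MARKERS):
        return "pkcs12kdf_unavailable"
    if ":error:" in stderr or "Error" in stderr:
        return "other"
    return None

def build_export_args(bundle_pem: str, out_p12: str, passin_file: str,
                      passout_file: str, nomac: bool = False) -> List[str]:
    """Same argument list as the ticket's log, with -nomac appended on request."""
    args = ["openssl", "pkcs12", "-export", "-in", bundle_pem, "-out", out_p12,
            "-passin", f"file:{passin_file}", "-passout", f"file:{passout_file}",
            "-certpbe", "aes-128-cbc", "-keypbe", "aes-128-cbc"]
    if nomac:
        args.append("-nomac")  # skip the MAC whose KDF is not FIPS-approved
    return args

def _run(args: List[str]) -> "subprocess.CompletedProcess[str]":
    return subprocess.run(args, capture_output=True, text=True, check=False)

def export_pkcs12(bundle_pem: str, out_p12: str, passin_file: str,
                  passout_file: str) -> str:
    """Try the normal export; on the PKCS12KDF failure retry once without a MAC.
    Returns 'mac' or 'nomac'. A MAC-less bundle carries no integrity check, so
    keep it in a private temp dir and delete it right after the NSS import."""
    proc = _run(build_export_args(bundle_pem, out_p12, passin_file, passout_file))
    if proc.returncode == 0:
        return "mac"
    if classify_pkcs12_failure(proc.stderr) != "pkcs12kdf_unavailable":
        raise RuntimeError(proc.stderr.strip())
    proc = _run(build_export_args(bundle_pem, out_p12, passin_file, passout_file,
                                  nomac=True))
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return "nomac"
```

Whether a MAC-less PKCS12 is acceptable depends on the consumer; here the bundle only exists to be imported into a temporary NSS database, so the loss of the integrity check is bounded by how the temp file is protected.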
Metadata Update from @frenaud:
- Issue tagged with: fips