Puppet cannot build module on RHEL 7 in FIPS mode (Puppet Guide)
Following the last step of the Puppet Guide, 2.10 - Finalizing the Module, one cannot build the puppet module named "mymodule" into a package on a current RHEL 7 system running in FIPS mode (i.e. with the DISA STIG for RHEL 7 security profile selected during installation):
# cd /etc/puppet/modules
# puppet module build mymodule
md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted (core dumped)
Even with "sha256" designated within puppet.conf:
# cat /etc/puppet/puppet.conf | grep -v ^$ | grep -v '#'
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
digest_algorithm = sha256
disable_warnings = deprecations
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
This does not work on a current RHEL 7.4 system with FIPS (FIPS 140-2) enabled and puppet 3.8.6, because even if "digest_algorithm = sha256" is set within the "[main]" section of puppet.conf, the puppet module build/install/uninstall/upgrade actions currently require using an MD5 digest. Note that issue PUP-4963 ("puppet module build" fails on FIPS-enabled system) was resolved (on 2018-02-15) in Puppet 5.4.0+ by simply failing gracefully: it does not build or uninstall puppet modules when FIPS is enabled. The process to disable FIPS on RHEL 6 or RHEL 7 is quite involved.
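A pre-flight check for the failure described above, added here as an example; it is not part of the thread, of the Puppet Guide, or of Puppet itself. It reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled, probes whether the system OpenSSL will compute an MD5 digest at all (the assertion that aborts puppet 3.x comes from exactly that refusal), and reports whether a module build will abort before the core dump happens, which is roughly what Puppet 5.4.0+ does on its own. The optional file-path argument to fips_state exists only so the logic can be exercised against a constructed file without root; that parameter is this example's own, not a Puppet or RHEL interface.

```shell
#!/bin/sh
# Pre-flight check: will `puppet module build` on puppet 3.x hit the
# "Digest MD5 forbidden in FIPS mode!" abort on this host?
# Added example; not code from the thread, Red Hat, or Puppet.

# fips_state: print the kernel FIPS flag (1 = FIPS mode on, 0 = off).
# The optional argument overrides the sysctl file path so the function
# can be tested against a constructed file (hypothetical parameter,
# not something Puppet or RHEL provides).
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        # No flag exposed (non-Linux or very old kernel): treat as off.
        echo 0
    fi
}

# md5_usable: exit 0 if the system OpenSSL can compute an MD5 digest,
# non-zero if it refuses (the FIPS case) or openssl is not installed.
# puppet 3.x's module build needs MD5 regardless of digest_algorithm.
md5_usable() {
    command -v openssl >/dev/null 2>&1 || return 1
    printf 'probe' | openssl dgst -md5 >/dev/null 2>&1
}

# puppet_build_verdict FIPS_FLAG MD5_FLAG: turn the two probe results
# (each "1" or "0") into a one-line verdict. Kept free of side effects
# so the decision logic is testable without FIPS hardware or root.
puppet_build_verdict() {
    fips="$1"
    md5="$2"
    if [ "$fips" = "1" ]; then
        echo "BLOCKED: FIPS mode is on; puppet 3.x module build/install/uninstall/upgrade will abort on the MD5 digest"
    elif [ "$md5" != "1" ]; then
        echo "BLOCKED: OpenSSL refuses MD5 even without the FIPS flag; module build will still fail"
    else
        echo "OK: MD5 digest is available; module build can proceed"
    fi
}

# Run the probes on the current host and print the verdict.
current_fips="$(fips_state)"
if md5_usable; then current_md5=1; else current_md5=0; fi
echo "fips_enabled=$current_fips md5_usable=$current_md5"
puppet_build_verdict "$current_fips" "$current_md5"
```

Run it before `puppet module build` on a host whose FIPS status is unknown; a BLOCKED verdict means the build will fail as shown above, and the fix is a Puppet version that does not require MD5 rather than any change to puppet.conf, since digest_algorithm does not reach this code path.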
Responses
I have had to disable fips on occasion; it wasn't too bad:
From https://access.redhat.com/solutions/2422061
yum remove dracut-fips*
mv -v /boot/initramfs-$(uname -r).img{,.FIPS-bak}
dracut
grubby --update-kernel=ALL --remove-args=fips=1
[[ -f /etc/default/grub ]] && sed -i 's/ fips=1//' /etc/default/grub
reboot
sysctl crypto.fips_enabled # should return 0
There's a number of issues with gnupg under FIPS on earlier releases of RHEL 7. Last relevant bug I opened, they were evaluating a fix for 7.4 (but it got moved to 7.5). Haven't looked at the bug since then - as I was able to work around it (by using a de-FIPSed RHEL 7 host for signing of created packages). Can't find the bug-ID on my dashboard any more, though.
