Upgrading a FIPS enabled Red Hat Satellite 6.14 to 6.15 fails with error 'java.io.IOException: keystore password was incorrect'
Issue
-
When upgrading a Red Hat Satellite 6.14 to 6.15.0 that has FIPS mode enabled, The installer execution fails with the following set of errors:
2024-04-25 15:29:16 [NOTICE] [configure] 1500 configuration steps out of 1622 steps complete. 2024-04-25 15:29:35 [NOTICE] [configure] System configuration has finished. Error 1: Puppet Truststore_certificate resource '/etc/candlepin/certs/truststore:artemis-client' failed. Logs: ... ... Starting to evaluate the resource (661 of 1613) Evaluated in 0.52 seconds /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:artemis-client]/ensure change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12-keystore /etc/candlepin/certs/truststore -alias artemis-client -file /etc/foreman/client_cert.pem -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect .. .. Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. ... 5 more Error 2: Puppet Truststore_certificate resource '/etc/candlepin/certs/truststore:candlepin-ca' failed. Logs: /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca] .. .. /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca]/ensure change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -alias candlepin-ca -file /etc/candlepin/certs/candlepin-ca.crt -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect .. .. Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. ... 5 more 2 errors were detected. Please address the errors and re-run the installer to ensure the system is properly configured. Failing to do so is likely to result in broken functionality. The full log is at /var/log/foreman-installer/satellite.log Package versions are being locked. [FAIL] Failed executing satellite-installer, exit status 6.
Environment
- Red Hat Satellite 6.15.0 ( being upgraded from Red Hat Satellite 6.14.z )
- FIPS enabled
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.