OpenSSL backend is unavailable error in oc commands in OpenShift 4 with FIPS enabled
Environment
- Red Hat OpenShift Container Platform (RHOCP)
  - 4.14 with FIPS enabled
  - 4.15 with FIPS enabled
- Red Hat Enterprise Server (RHEL) 8 with FIPS enabled
- Red Hat Enterprise Server (RHEL) 9 with FIPS enabled
- FIPS
Issue
- When a cluster is installed with FIPS enabled, the oc command errors when used on a RHEL 8 or 9 system with FIPS enabled. The error is:
  FIPS mode is enabled, but the required OpenSSL backend is unavailable
Resolution
This is a known issue that has been reported to Red Hat engineering and is tracked in the following bugs:
Target Minor Release | Bug | Fixed Version | Errata |
---|---|---|---|
4.16 | OCPBUGS-23386 | 4.16.0 | RHSA-2024:0041 |
4.15 | OCPBUGS-28204 | WIP | WIP |
Workaround
Until the fix for 4.15 is available, it should be possible to use the oc binary from 4.16 to connect to the cluster. Please refer to the oc binary versioning policy for additional information about the compatibility between versions.
Root Cause
The provided oc binary checks for an older OpenSSL version, which was part of RHEL 8.
rpm -qf /lib64/libcrypto.so.3
openssl-libs-3.0.7-24.el9.x86_64 <--- RHEL9
rpm -qf /usr/lib64/libcrypto.so.1.1
openssl-libs-1.1.1k-9.el8_6.x86_64 <--- RHEL8
Diagnostic Steps
- Install an OpenShift cluster with FIPS enabled.
- Enable FIPS on RHEL 8 or 9. This can be done during installation or after installation with:
  sudo fips-mode-setup --enable
- Use the oc command to log in or use any oc command against the FIPS cluster from a RHEL 8 or 9 system.
- The result is an error:
  Error: FIPS mode is enabled, but the required OpenSSL backend is unavailable
  and none of the oc commands will work.
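
The conditions named in the root cause and diagnostic steps can be checked on the client host before running oc. The script below is an added example, not part of the original solution or Red Hat tooling; the function names, the verdict labels and the optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. ROOT is a hypothetical argument that
# lets the check run against a constructed directory tree instead of "/".

fips_state() {   # prints 1 when the kernel reports FIPS mode, otherwise 0
    f="${1:-}/proc/sys/crypto/fips_enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then echo 1; else echo 0; fi
}

libcrypto_sonames() {   # prints the libcrypto sonames found, oldest first
    found=""
    for so in libcrypto.so.1.1 libcrypto.so.3; do
        for dir in /lib64 /usr/lib64; do   # /lib64 is usually a symlink
            if [ -e "${1:-}$dir/$so" ]; then found="$found $so"; break; fi
        done
    done
    echo "${found# }"
}

triage() {
    fips=$(fips_state "${1:-}")
    libs=$(libcrypto_sonames "${1:-}")
    if [ "$fips" = "0" ]; then
        verdict="not-applicable"            # host is not in FIPS mode
    else
        case "$libs" in
            # Older OpenSSL from RHEL 8 is installed; confirm by running oc.
            *libcrypto.so.1.1*) verdict="openssl-1.1-present" ;;
            # Only OpenSSL 3 (RHEL 9): the library oc looks for is absent.
            *libcrypto.so.3*)   verdict="openssl-3-only" ;;
            *)                  verdict="no-libcrypto-found" ;;
        esac
    fi
    echo "fips=$fips libs=[$libs] verdict=$verdict"
}

triage "${1:-}"   # with no argument, inspects the running host
```

A FIPS-enabled host reported as openssl-3-only matches the root cause described above, and the 4.16 oc binary from the workaround is the client to try there.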