Upgrading a FIPS enabled Red Hat Satellite 6.14 to 6.15 fails with error 'java.io.IOException: keystore password was incorrect'

Solution Verified - Updated -

Issue

  • When upgrading a Red Hat Satellite 6.14 to 6.15.0 that has FIPS mode enabled, The installer execution fails with the following set of errors:

    2024-04-25 15:29:16 [NOTICE] [configure] 1500 configuration steps out of 1622 steps complete.
    2024-04-25 15:29:35 [NOTICE] [configure] System configuration has finished.
    
    Error 1: Puppet Truststore_certificate resource '/etc/candlepin/certs/truststore:artemis-client' failed. Logs:
    ...
    ...
       Starting to evaluate the resource (661 of 1613)
       Evaluated in 0.52 seconds
     /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:artemis-client]/ensure
    change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12-keystore /etc/candlepin/certs/truststore -alias artemis-client -file /etc/foreman/client_cert.pem -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect
    
    ..
    ..
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
       ... 5 more
    Error 2: Puppet Truststore_certificate resource '/etc/candlepin/certs/truststore:candlepin-ca' failed. Logs:
    /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca]
    ..
    ..
     /Stage[main]/Certs::Candlepin/Truststore_certificate[/etc/candlepin/certs/truststore:candlepin-ca]/ensure
    change from 'absent' to 'present' failed: Execution of '/bin/keytool -import -v -noprompt -storetype pkcs12 -keystore /etc/candlepin/certs/truststore -alias candlepin-ca -file /etc/candlepin/certs/candlepin-ca.crt -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false' returned 1: keytool error: java.io.IOException: keystore password was incorrect
    ..
    ..
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
       ... 5 more
    
    2 errors were detected.
    Please address the errors and re-run the installer to ensure the system is properly configured.
    Failing to do so is likely to result in broken functionality.
    
    The full log is at /var/log/foreman-installer/satellite.log
    Package versions are being locked.
                                         [FAIL]
    Failed executing satellite-installer, exit status 6.
    

Environment

  • Red Hat Satellite 6.15.0 ( being upgraded from Red Hat Satellite 6.14.z )
  • FIPS enabled

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content