Error deploying Foreman and Katello on FIPS enabled system

Problem:
When running the foreman installer using the katello scenario, we are encountering the following error when trying to run the installer.

2022-02-13 14:41:10 [ERROR ] [configure] /Stage[main]/Certs::Ca/Ca[katello-default-ca]/ensure: change from 'absent' to 'present' failed: Execution of '/bin/katello-ssl-tool --gen-ca --dir /root/ssl-build -p file:/etc/pki/katello/private/katello-default-ca.pwd --force --ca-cert-dir /etc/pki/katello-certs-tools/certs --set-common-name foreman.mgmt.ccslabs.xyz --ca-cert katello-default-ca.crt --ca-key katello-default-ca.key --ca-cert-rpm katello-default-ca --set-country US --set-state North Carolina --set-city Raleigh --set-org Katello --set-org-unit SomeOrgUnit --set-email  --cert-expiration 36500' returned 10: ERROR: Certificate Authority private SSL key generation failed:

I looked for any installer options that could indicate a way to specify a cipher suite, but I am unable to find an installer option.

Expected outcome:
Installer to generate certificates on a FIPS enabled system.

Foreman and Proxy versions:
foreman and foreman-proxy 3.0.1

Foreman and Proxy plugin versions:
katello 4.22

Distribution and version:
Rocky Linux 8.5

Interestingly, I just experienced the exact same thing on CentOS 8-Stream, using Foreman 3.1 and Katello 4.3.

I narrowed it down to it failing on the katello-ssl-tool calling openssl genrsa -aes256... which fails when FIPS mode is enabled. I'm not used to working with FIPS-enabled nodes, so it kind of stumps me, as AES256 should be an allowed algorithm as far as I can see.
Removing the -aes256 argument makes openssl run and generate the files without any issues. I am not sure what algorithm it defaults to without the explicit algorithm argument though (didn’t have time to investigate further).

The little I found was that the katello-ssl-tool script uses a global variable CRYPTO defined in sslToolConfig.py, which is hardcoded to -aes256.
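The failure described in the post above, as an added example that is not part of this thread or of katello-certs-tools: a hypothetical Python helper that detects kernel FIPS mode, swaps the hardcoded genrsa -aes256 for a PKCS#8 key generation command, and audits existing keys for the legacy encrypted-PEM form. It assumes the FIPS rejection comes from the MD5-based key derivation that legacy PEM encryption uses, and that the host runs OpenSSL 1.1.x, where genpkey with a cipher writes PKCS#8 (PBKDF2 + AES-256-CBC).

```python
"""Hypothetical helper: FIPS-aware private key generation and audit (not katello code)."""
from pathlib import Path
from typing import List

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def fips_enabled(flag_file: str = FIPS_FLAG) -> bool:
    """True when the kernel reports FIPS mode; missing file (non-Linux, container) -> False."""
    try:
        return Path(flag_file).read_text().strip() == "1"
    except OSError:
        return False


def key_gen_command(key_path: str, pass_file: str, bits: int = 4096,
                    fips: bool = False) -> List[str]:
    """Build the openssl argv for an AES-256-protected RSA key.

    Non-FIPS: keep the tool's original `genrsa -aes256` (legacy PEM encryption,
              whose password KDF is MD5-based, the assumed cause of the FIPS failure).
    FIPS:     `genpkey` with a cipher writes PKCS#8/PBES2, keyed with PBKDF2-HMAC,
              so the key stays encrypted at rest using FIPS-allowed primitives.
    """
    if not fips:
        return ["openssl", "genrsa", "-aes256", "-passout", f"file:{pass_file}",
                "-out", key_path, str(bits)]
    return ["openssl", "genpkey", "-algorithm", "RSA",
            "-pkeyopt", f"rsa_keygen_bits:{bits}",
            "-aes-256-cbc", "-pass", f"file:{pass_file}", "-out", key_path]


def legacy_encrypted_pem(pem_text: str) -> bool:
    """Audit check: True for a legacy encrypted PEM (DEK-Info header), i.e. the
    form that will not load on a FIPS host; PKCS#8 keys return False."""
    head = pem_text.lstrip().splitlines()[:3]
    return any(line.startswith("DEK-Info:") for line in head)


# Constructed samples (headers only, bodies omitted) for the audit check.
LEGACY_PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

(constructed sample, body omitted)
-----END RSA PRIVATE KEY-----
"""
PKCS8_PEM_SAMPLE = """-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed sample, body omitted)
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(" ".join(key_gen_command("/root/ssl-build/katello-default-ca.key",
                                   "/etc/pki/katello/private/katello-default-ca.pwd",
                                   fips=fips_enabled())))
```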

This is a currently known issue and @ehelms and myself have been working on this recently.

There are currently two patches open which should, when applied, make it work on EL8/FIPS: