2 Jul 2023 18:04:52 Entrepreneur AJ aj@eajglobal.com:
Thank you for the response Christian.
I would rather not use FIPS at all but it looks like it's going to become a requirement with me going into the financial industry.
I will submit it on Pagure.
2 Jul 2023 17:59:20 Christian Heimes via FreeIPA-users freeipa-users@lists.fedorahosted.org:
On 02/07/2023 12.21, Entrepreneur AJ via FreeIPA-users wrote:
I today spun up a fresh Fedora 38 VPS on Vultr and started the FreeIPA Server install. This VPS has been switched to FIPS enabled. I have then tried to install the latest FreeIPA server from DNF without the DNS package. All was going well until it got to step 17 of 30 and outputted the following:

  [17/30]: requesting RA certificate from CA
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n')
  CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n')
  The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Any pointers on how to get past this bit?
Could you please report the problem at https://pagure.io/freeipa/issues ? The problem is probably related to this PKCS#12 bug: https://github.com/openssl/openssl/issues/19997
I recommend against installing FreeIPA in FIPS mode. Fedora is neither FIPS compliant nor FIPS certified. Fedora's FIPS mode doesn't give you any benefits, just more pain and trouble. In some cases it's also *less* secure, because some algorithms and features are disabled in FIPS mode.
Furthermore, there is very limited testing of FreeIPA in FIPS mode. A FreeIPA installation in FIPS mode can break at any time. You'll have more luck with CentOS Stream or a free developer license of RHEL. They'll get you closer to FIPS compliance. (IIRC even RHEL 9 isn't FIPS 140-3 certified, yet.)
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/
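Added example, not code from this thread, from FreeIPA or from OpenSSL: the failing step above is `openssl pkcs12` verifying the MacData block of ca-agent.p12, whose MAC key is derived with PKCS12KDF, a KDF the FIPS provider does not implement. The script below parses only the outer PKCS#12 structure of a file and reports whether it carries such a legacy MAC, so a .p12 can be checked before it is handed to a FIPS-mode OpenSSL. The sample PFX bytes are constructed inside the script (no real key material) and the function names are my own.

```python
# Pre-flight check: does a PKCS#12 file carry the legacy MacData that
# `openssl pkcs12` must verify with PKCS12KDF (absent in the FIPS provider)?
# DER-encoded OIDs from the standards; PBMAC1 (RFC 9579) keys the MAC with
# PBKDF2 instead of PKCS12KDF and is verifiable under FIPS (OpenSSL 3.4+).
OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
        bytes.fromhex("608648016503040201"): "sha256",
        bytes.fromhex("2a864886f70d01050e"): "PBMAC1"}
OID_ID_DATA = bytes.fromhex("2a864886f70d010701")   # id-data (authSafe contentType)

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_pfx(pfx):
    """Describe the PFX MacData: algorithm, iteration count, FIPS verifiability."""
    tag, body, _ = tlv(pfx)
    assert tag == 0x30, "PFX must be a SEQUENCE"
    parts = children(body)               # version, authSafe, optional macData
    if len(parts) < 3:
        return {"has_mac": False, "mac_algorithm": None, "iterations": None, "fips_ok": True}
    mac, _salt, *rest = children(parts[2][1])          # MacData ::= mac, macSalt, [iterations]
    alg_oid = children(children(mac[1])[0][1])[0][1]  # DigestInfo.digestAlgorithm.algorithm
    alg = OIDS.get(alg_oid, alg_oid.hex())
    iterations = int.from_bytes(rest[0][1], "big") if rest else 1
    return {"has_mac": True, "mac_algorithm": alg, "iterations": iterations,
            "fips_ok": alg == "PBMAC1"}  # anything else means a PKCS12KDF-keyed MAC

def sample_legacy_pfx():
    """Constructed PFX skeleton: version 3, stub authSafe, sha256 MAC, 2048 iterations."""
    auth_safe = der(0x30, der(0x06, OID_ID_DATA) + der(0xA0, der(0x04, b"\x00" * 8)))
    alg_id = der(0x30, der(0x06, bytes.fromhex("608648016503040201")) + der(0x05, b""))
    digest_info = der(0x30, alg_id + der(0x04, b"\x00" * 32))
    mac_data = der(0x30, digest_info + der(0x04, b"\x01" * 8) + der(0x02, b"\x08\x00"))
    return der(0x30, der(0x02, b"\x03") + auth_safe + mac_data)

if __name__ == "__main__":
    print(inspect_pfx(sample_legacy_pfx()))
```

Run it on a real file with `inspect_pfx(open("ca-agent.p12", "rb").read())`; a result with `fips_ok` False is exactly the file shape that produces the "no PKCS12KDF support" error in the log above.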
On 02/07/2023 19.19, Entrepreneur AJ via FreeIPA-users wrote:
Thank you for the response Christian.
I would rather not use FIPS at all but it looks like it's going to become a requirement with me going into the financial industry.
I will submit it on Pagure
If certified FIPS compliance is a hard requirement, then you have to use RHEL 8 with RHEL IdM (aka IPA, the downstream version of FreeIPA). AFAIK it is the only FIPS 140-2 certified Linux distro with FreeIPA support.
Christian