I spun up a fresh Fedora 38 VPS on Vultr today and started the FreeIPA Server install.
This VPS has been switched to FIPS enabled.
I have then tried to install the latest FreeIPA server from DNF without the DNS package. All was going well until it got to step 17 of 30 and output the following:

  [17/30]: requesting RA certificate from CA
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n')
  CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n')
  The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Any pointers on how to get past this bit?
On 02/07/2023 12.21, Entrepreneur AJ via FreeIPA-users wrote:
> I spun up a fresh Fedora 38 VPS on Vultr today and started the FreeIPA Server install.
> This VPS has been switched to FIPS enabled.
> I have then tried to install the latest FreeIPA server from DNF without the DNS package. All was going well until it got to step 17 of 30 and output the following:
>
>   [17/30]: requesting RA certificate from CA
>   [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n')
>   CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not required.\n')
>   The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> Any pointers on how to get past this bit?
Could you please report the problem at https://pagure.io/freeipa/issues ? The problem is probably related to this PKCS#12 bug: https://github.com/openssl/openssl/issues/19997
I recommend against installing FreeIPA in FIPS mode. Fedora is neither FIPS compliant nor FIPS certified. Fedora's FIPS mode doesn't give you any benefits, just more pain and trouble. In some cases it's also *less* secure, because some algorithms and features are disabled in FIPS mode.
Furthermore, there is very limited testing of FreeIPA in FIPS mode. A FreeIPA installation in FIPS mode can break at any time. You'll have more luck with CentOS Stream or a free developer license of RHEL. They'll get you closer to FIPS compliance. (IIRC even RHEL 9 isn't FIPS 140-3 certified, yet.)
Christian
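An added diagnostic, not from the thread or the FreeIPA project: a POSIX shell script that checks the two conditions behind the error above (kernel FIPS mode, and whether any active OpenSSL 3.x provider offers PKCS12KDF) and then reproduces the installer's pkcs12 step with a throwaway self-signed certificate, so the box can be tested before ipa-server-install is run. It goes slightly beyond the thread by also exercising PKCS#12 export, which needs the same KDF to generate the MAC. The password, file names and the probe subject are constructed for this example.

```shell
#!/bin/sh
# Diagnostic for the failure in this thread: 'openssl pkcs12' cannot verify
# (or generate) the PKCS#12 MAC when no loaded OpenSSL provider offers
# PKCS12KDF, which is the situation in FIPS mode. Paths/password are constructed.

# Print 1 when the kernel reports FIPS mode, otherwise 0.
fips_enabled() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then cat /proc/sys/crypto/fips_enabled; else echo 0; fi
}

# Succeed if an active provider implements PKCS12KDF (OpenSSL 3.x only;
# OpenSSL 1.1 has no provider model, so this simply fails there).
pkcs12kdf_available() {
    openssl list -kdf-algorithms 2>/dev/null | grep -qi 'PKCS12KDF'
}

# Map an openssl exit status ($1) and its stderr text ($2) to one word.
classify_pkcs12_result() {
    case "$2" in
        *"no PKCS12KDF support"*) echo kdf-unsupported; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo ok; else echo other; fi
}

# Reproduce the installer's step: export a throwaway cert to PKCS#12, then
# extract it exactly as the installer did (-nokeys -clcerts, password file).
pkcs12_mac_roundtrip() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 2; }
    tmp=$(mktemp -d) || { echo other; return 2; }
    printf 'constructed-example-password\n' > "$tmp/pw"
    if ! openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=pkcs12-probe -days 1 \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo other; return 2
    fi
    # Export already needs PKCS12KDF (to compute the MAC), so it may fail first.
    err=$(openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
          -out "$tmp/agent.p12" -passout "file:$tmp/pw" 2>&1 >/dev/null) && st=0 || st=$?
    if [ "$st" -eq 0 ]; then
        err=$(openssl pkcs12 -nokeys -clcerts -in "$tmp/agent.p12" \
              -out "$tmp/agent-cert.pem" -passin "file:$tmp/pw" 2>&1 >/dev/null) && st=0 || st=$?
    fi
    rm -rf "$tmp"
    classify_pkcs12_result "$st" "$err"
}

if pkcs12kdf_available; then kdf=yes; else kdf=no; fi
printf 'fips_enabled=%s pkcs12kdf=%s pkcs12_roundtrip=%s\n' \
    "$(fips_enabled)" "$kdf" "$(pkcs12_mac_roundtrip)"
```

On the Fedora 38 FIPS host from the thread the last field is expected to read kdf-unsupported; a non-FIPS OpenSSL 3.x host prints pkcs12kdf=yes and pkcs12_roundtrip=ok.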
freeipa-users@lists.fedorahosted.org