On 02/07/2023 12.21, Entrepreneur AJ via FreeIPA-users wrote:
I today spun up a fresh Fedora 38 VPS on Vultr and started the FreeIPA Server 
install.

This VPS has been switched to FIPS enabled.

I have then tried to install the latest FreeIPA server from DNF without the DNS 
package.
All was going well until it got to step 17 of 30 and outputted the following:

   [17/30]: requesting RA certificate from CA
   [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 
'pkcs12', '-nokeys', '-clcerts', '-in', '/root/ca-agent.p12', '-out', 
'/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned 
non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF support.\nUse 
-nomacver if MAC verification is not required.\n')
CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys', 
'-clcerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', 
'-passin', 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error 
verifying PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification 
is not required.\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for 
more information

Any pointers on how to get past this bit?

Could you please report the problem at https://pagure.io/freeipa/issues ? The problem is probably related to this PKCS#12 bug https://github.com/openssl/openssl/issues/19997

I recommend against installing FreeIPA in FIPS mode. Fedora is neither FIPS compliant nor FIPS certified. Fedora's FIPS mode doesn't give you any benefits, just more pain and trouble. In some cases it's also *less* secure, because some algorithms and features are disabled in FIPS mode.

Furthermore, there is very limited testing of FreeIPA in FIPS mode. A FreeIPA installation in FIPS mode can break any time. You'll have more luck with CentOS Stream or a free developer license of RHEL. They'll get you closer to FIPS compliance. (IIRC even RHEL 9 isn't FIPS 140-3 certified, yet.)

Christian

--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill