Thank you for the response Christian.

I would rather not use FIPS at all but looks like it's going to become a requirement with me going into the financial industry.
I will submit it on Pagure

2 Jul 2023 18:04:52 Entrepreneur AJ <[email protected]>:

> Thank you for the response Christian.
>
> I would rather not use FIPS at all but looks like it's going to become a
> requirement with me going into the financial industry.
>
> I will submit it on Pagure
>
> 2 Jul 2023 17:59:20 Christian Heimes via FreeIPA-users
> <[email protected]>:
>
>> On 02/07/2023 12.21, Entrepreneur AJ via FreeIPA-users wrote:
>>> I today spun up a fresh Fedora 38 VPS on Vultr and started the FreeIPA
>>> Server install.
>>> This VPS has been switched to FIPS enabled.
>>> I have then tried to install the latest FreeIPA server from DNF without the
>>> DNS package.
>>> All was going well until it got to step 17 of 30 and outputted the
>>> following:
>>> [17/30]: requesting RA certificate from CA
>>> [error] CalledProcessError: CalledProcessError(Command
>>> ['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in',
>>> '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin',
>>> 'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: 'Error verifying
>>> PKCS12 MAC; no PKCS12KDF support.\nUse -nomacver if MAC verification is not
>>> required.\n')
>>> CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nokeys',
>>> '-clcerts', '-in', '/root/ca-agent.p12', '-out',
>>> '/var/lib/ipa/tmpfufotvvx', '-passin', 'file:/tmp/tmpwdlfgkkt'] returned
>>> non-zero exit status 1: 'Error verifying PKCS12 MAC; no PKCS12KDF
>>> support.\nUse -nomacver if MAC verification is not required.\n')
>>> The ipa-server-install command failed. See /var/log/ipaserver-install.log
>>> for more information
>>> Any pointers on how to get past this bit?
>>
>> Could you please report the problem at https://pagure.io/freeipa/issues ?
>> The problem is probably related to this PKCS#12 bug
>> https://github.com/openssl/openssl/issues/19997
>>
>> I recommend against installing FreeIPA in FIPS mode. Fedora is neither FIPS
>> compliant nor FIPS certified. Fedora's FIPS mode doesn't give you any
>> benefits, just more pain and trouble. In some cases it's also *less* secure,
>> because some algorithms and features are disabled in FIPS mode.
>>
>> Furthermore, there is very limited testing of FreeIPA in FIPS mode. A
>> FreeIPA installation in FIPS mode can break any time. You'll have more luck
>> with CentOS Stream or a free developer license of RHEL. They'll get you
>> closer to FIPS compliance. (IIRC even RHEL 9 isn't FIPS 140-3 certified,
>> yet.)
>>
>> Christian
>>
>> --
>> Christian Heimes
>> Principal Software Engineer, Identity Management and Platform Security
>>
>> Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>> Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
>> O'Neill
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
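An added example, not part of the thread and not FreeIPA code: a small triage helper that pulls the failing command out of an installer log and flags the PKCS#12 MAC failure reported above. The function names are hypothetical, the sample log is constructed from the error text quoted in the report, and treating the failure as FIPS-related when the kernel FIPS flag is set is a heuristic.

```python
import ast
import re

# Constructed sample: the error from the report, joined onto one log line.
SAMPLE_LOG = (
    "[17/30]: requesting RA certificate from CA\n"
    "[error] CalledProcessError: CalledProcessError(Command "
    "['/usr/bin/openssl', 'pkcs12', '-nokeys', '-clcerts', '-in', "
    "'/root/ca-agent.p12', '-out', '/var/lib/ipa/tmpfufotvvx', '-passin', "
    "'file:/tmp/tmpwdlfgkkt'] returned non-zero exit status 1: "
    "'Error verifying PKCS12 MAC; no PKCS12KDF support.\\n"
    "Use -nomacver if MAC verification is not required.\\n')\n"
)

# Captures the argv list, the exit status and the repr()'d stderr string.
ERR_RE = re.compile(
    r"CalledProcessError\(Command (\[.*?\]) returned non-zero exit status "
    r"(\d+): (.*)\)$", re.MULTILINE)

def host_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def triage(log_text, fips_enabled):
    """Return one finding per failed subprocess recorded in the log."""
    findings = []
    for m in ERR_RE.finditer(log_text):
        try:
            argv = ast.literal_eval(m.group(1))    # literals only, no code run
            stderr = ast.literal_eval(m.group(3))
        except (ValueError, SyntaxError):
            continue                               # skip malformed entries
        is_p12 = len(argv) > 1 and argv[0].endswith("openssl") and argv[1] == "pkcs12"
        mac_failure = bool(is_p12 and "no PKCS12KDF support" in stderr)
        findings.append({
            "p12_file": argv[argv.index("-in") + 1] if "-in" in argv[:-1] else None,
            "exit_status": int(m.group(2)),
            "pkcs12_mac_failure": mac_failure,
            # Heuristic: the MAC check could not derive its key and FIPS is on.
            "fips_related": bool(mac_failure and fips_enabled),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, host_fips_enabled()):
        print(finding)
```
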
