Chef client under FIPS mode now broken in RHEL 9.4/Rocky Linux 9.4 #14376

Open
breisig opened this issue May 15, 2024 · 1 comment
Status: Untriaged An issue that has yet to be triaged.

breisig commented May 15, 2024

Description

We have Rocky Linux/RHEL 9.3 servers running in FIPS mode using Chef Client 18.4.12. Everything is fine. Rocky Linux/RHEL 9.4 has been released and upgraded to the latest 9.4 version. Now when doing a chef-client, the following output appears:

/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-config-18.4.12/lib/chef-config/config.rb:1292:in `fips_mode=': This version of OpenSSL does not support FIPS mode (OpenSSL::OpenSSLError)
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-config-18.4.12/lib/chef-config/config.rb:1292:in `enable_fips_mode'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-config-18.4.12/lib/chef-config/config.rb:737:in `init_openssl'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application.rb:104:in `configure_chef'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application.rb:55:in `reconfigure'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application/client.rb:76:in `reconfigure'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application.rb:64:in `run'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-bin-18.4.12/bin/chef-client:25:in `<top (required)>'
        from /usr/bin/chef-client:183:in `load'
        from /usr/bin/chef-client:183:in `<main>'

It seems all of a sudden the chef-client won't work anymore. Servers are in fact running in FIPS mode and working, so something is up with chef-client. The only workaround is running 'chef-client --no-fips', but that's such a pain. I even tried with a fresh install of 9.4 and the same error exists.

Chef Version

Chef Client 18.4.12

Platform Version

Rocky Linux 9.4/RHEL 9.4

Client Output

/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-config-18.4.12/lib/chef-config/config.rb:1292:in `fips_mode=': This version of OpenSSL does not support FIPS mode (OpenSSL::OpenSSLError)
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-config-18.4.12/lib/chef-config/config.rb:1292:in `enable_fips_mode'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-config-18.4.12/lib/chef-config/config.rb:737:in `init_openssl'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application.rb:104:in `configure_chef'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application.rb:55:in `reconfigure'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application/client.rb:76:in `reconfigure'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib/chef/application.rb:64:in `run'
        from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-bin-18.4.12/bin/chef-client:25:in `<top (required)>'
        from /usr/bin/chef-client:183:in `load'
        from /usr/bin/chef-client:183:in `<main>'
@breisig breisig added the Status: Untriaged An issue that has yet to be triaged. label May 15, 2024
tpowell-progress commented May 21, 2024

@breisig can you confirm the URL and/or package that was used to install Chef 18.4.12? I'm looking at the builder image for EL9 and the Ruby installed on it has FIPS mode compiled.

Also, are you able to confirm the following on the system running chef-client errors out? Want to ensure that it's not a problem with a stray ruby version.

/opt/chef/embedded/bin/ruby -e "require 'openssl'; puts OpenSSL::OPENSSL_VERSION_NUMBER.to_s(16); puts OpenSSL::OPENSSL_LIBRARY_VERSION; OpenSSL.fips_mode = 1; puts 'FIPS mode successfully activated for Ruby' + RUBY_VERSION"

@tpowell-progress tpowell-progress self-assigned this May 21, 2024
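
A fuller form of the check requested above, as an added example that is not part of the original thread or of Chef's code: it compares the kernel's FIPS flag with what the Ruby OpenSSL binding reports when asked to enable FIPS mode. The helper names and verdict symbols are hypothetical; run it with the Ruby under test (for Chef, /opt/chef/embedded/bin/ruby).

```ruby
# Added triage example; helper names and verdict symbols are hypothetical.
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled" # Linux kernel FIPS indicator

# Read the host FIPS flag. Returns true/false, or nil when the file is
# absent (non-Linux hosts, some containers).
def kernel_fips_enabled(path = KERNEL_FIPS_FLAG)
  return nil unless File.readable?(path)
  File.read(path).strip == "1"
end

# Ask this Ruby's OpenSSL binding to enable FIPS mode and record the outcome.
# Note: on success, FIPS mode stays enabled for the rest of this process.
def probe_ruby_fips
  require "openssl"
  result = { built_against: OpenSSL::OPENSSL_VERSION,          # compile-time
             loaded_library: OpenSSL::OPENSSL_LIBRARY_VERSION } # run-time
  OpenSSL.fips_mode = true
  result.merge(error: nil)
rescue LoadError, StandardError => e
  (result || {}).merge(error: e.message)
end

# Map the host flag and the probe error to a triage verdict.
def classify(kernel_fips, error)
  return :ruby_fips_ok if error.nil?
  # Same message as in the backtrace reported in this issue.
  if error.include?("does not support FIPS mode")
    kernel_fips ? :mismatch_host_fips_ruby_unsupported : :ruby_unsupported
  else
    :other_failure
  end
end

# Combine both observations into one hash suitable for pasting into a ticket.
def fips_report(path = KERNEL_FIPS_FLAG)
  host = kernel_fips_enabled(path)
  probe = probe_ruby_fips
  probe.merge(host_fips: host, verdict: classify(host, probe[:error]))
end

puts fips_report.inspect if $PROGRAM_NAME == __FILE__
```

A verdict of `:mismatch_host_fips_ruby_unsupported` corresponds to the situation described in this issue: the host is in FIPS mode while the Ruby that runs chef-client reports no FIPS support. Differing `built_against` and `loaded_library` values are worth including in the report.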