Agent continuously logs error on FIPS compliant server #668

Closed
linuxelf001 opened this issue Apr 13, 2017 · 4 comments

linuxelf001 commented Apr 13, 2017

Issue is reproduced on RHEL 6.8 test server {Dated: 04/12/2017}. Initially, FIPS mode is disabled

cat /proc/sys/crypto/fips_enabled
0

then enabled FIPS

cat /proc/sys/crypto/fips_enabled
1

Rebooted the server. After the agent restart, below messages are repeated in /var/log/waagent.log

2017/04/12 20:45:37.445520 ERROR run cmd '/usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem' failed

2017/04/12 20:45:37.487112 ERROR Error Code:1
2017/04/12 20:45:37.493113 ERROR Result:MAC verified OK
Error outputting keys and certificates
140499593189192:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:186:
140499593189192:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
140499593189192:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:

@linuxelf001 linuxelf001 changed the title Agent continously logs error on FIPS compliant server Agent continuously logs error on FIPS compliant server Apr 14, 2017
@linuxelf001 linuxelf001 changed the title Agent continuously logs error on FIPS compliant server Agent continuously logs error on RHEL 6.x FIPS compliant server Apr 14, 2017
@linuxelf001 linuxelf001 changed the title Agent continuously logs error on RHEL 6.x FIPS compliant server Agent continuously logs error on FIPS compliant server Apr 14, 2017
@hglkrijger
Member

@linuxelf001 this is expected since the agent does not support FIPS today.

@brendandixon
Contributor

Reopening to trace investigation / implementation.

@brendandixon brendandixon reopened this Apr 21, 2017
@brendandixon brendandixon added this to the v2.2.11 milestone Apr 21, 2017
brendandixon added a commit that referenced this issue May 1, 2017
Enabled FIPS support and address #668.
Support mixed case hostnames on RedHat #686.
@brendandixon
Contributor

Addressed by #690

@johanburati
Contributor

johanburati commented Sep 21, 2017

I have enabled FIPS on the Marketplace RHEL 7.4 image (kernel 3.10.0-693.el7.x86_64) and I can see the same error messages in waagent.log

version

waagent -version
WALinuxAgent-2.2.14 running on redhat 7.4
Python: 2.7.5
Goal state agent: 2.2.17

log

2017/09/21 04:29:49.386418 ERROR Command: '/usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem'
2017/09/21 04:29:49.413085 ERROR Return code: 1
2017/09/21 04:29:49.418465 ERROR Result: MAC verified OK
Error outputting keys and certificates
140528231827360:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140528231827360:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140528231827360:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
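
A triage sketch for the symptom reported in this thread, added here as an example and not part of the thread or the agent's code: it groups waagent.log continuation lines under their timestamped record, flags ERROR records whose OpenSSL error queue contains the `EVP_PBE_CipherInit` / `unknown cipher` entry, and reads the kernel FIPS flag shown in the first comment. The function names and the sample log (constructed from the excerpts above) are assumptions.

```python
import re

TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\w+) (.*)$")
# OpenSSL error-queue line: <id>:error:<code>:<library>:<function>:<reason>:<file>:<line>:
OSSL = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+):")

# Constructed sample modelled on the waagent.log excerpts in this thread.
SAMPLE_LOG = """\
2017/04/12 20:45:37.445520 ERROR run cmd '/usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem' failed
2017/04/12 20:45:37.487112 ERROR Error Code:1
2017/04/12 20:45:37.493113 ERROR Result:MAC verified OK
Error outputting keys and certificates
140499593189192:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:186:
140499593189192:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
140499593189192:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
2017/04/12 20:45:43.101002 ERROR Result:MAC verified OK
140499593189192:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:186:
"""

def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Kernel FIPS flag: True/False, or None if the file cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def records(text):
    """Attach continuation lines to the timestamped line that precedes them."""
    recs = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            recs.append({"ts": m.group(1), "level": m.group(2), "lines": [m.group(3)]})
        elif recs and line.strip():
            recs[-1]["lines"].append(line)
    return recs

def pkcs12_pbe_failures(text):
    """ERROR records whose OpenSSL error queue has EVP_PBE_CipherInit 'unknown cipher'."""
    hits = []
    for rec in records(text):
        errs = [m.groups() for m in map(OSSL.match, rec["lines"]) if m]
        if rec["level"] == "ERROR" and ("EVP_PBE_CipherInit", "unknown cipher") in [e[2:] for e in errs]:
            hits.append({"ts": rec["ts"], "codes": [e[0] for e in errs]})
    return hits

if __name__ == "__main__":
    print("fips_enabled:", fips_enabled(), pkcs12_pbe_failures(SAMPLE_LOG))
```

On a host, pass the contents of /var/log/waagent.log to `pkcs12_pbe_failures` instead of the sample; repeated hits alongside `fips_enabled()` returning True match the condition reported here.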
