enable fips mode with chef-server-fips-core package #1024

Closed
sclark007 opened this issue Nov 23, 2016 · 1 comment

@sclark007

Attempting to get the chef-server-fips-core package to run a complete chef-server-ctl reconfigure after a fresh install. Is there some additional chef-server.rb setting that is missing?

[root@dev-chefserver-001 ~]# chef-server-ctl reconfigure
Starting Chef Client, version 12.17.23
OpenSSL FIPS 140 mode enabled
resolving cookbooks for run list: ["private-chef::fips", "private-chef::default"]
Synchronizing Cookbooks:
  • private-chef (0.1.0)
  • enterprise (0.10.1)
  • apt (2.9.2)
  • yum (3.13.0)
  • openssl (6.0.0)
  • runit (1.6.0)
  • packagecloud (0.2.5)
Installing Cookbook Gems:
Compiling Cookbooks...
[2016-11-23T20:39:10+00:00] WARN: Chef::Provider::AptRepository already exists! Cannot create deprecation class for LWRP provider apt_repository from cookbook apt
[2016-11-23T20:39:10+00:00] WARN: AptRepository already exists! Deprecation class overwrites Custom resource apt_repository from cookbook apt
[2016-11-23T20:39:10+00:00] WARN: Chef::Provider::YumRepository already exists! Cannot create deprecation class for LWRP provider yum_repository from cookbook yum
[2016-11-23T20:39:10+00:00] WARN: YumRepository already exists! Deprecation class overwrites Custom resource yum_repository from cookbook yum
Recipe: private-chef::default
  • directory[/etc/opscode] action create (up to date)
  • directory[/etc/opscode/logrotate.d] action create
    • create new directory /etc/opscode/logrotate.d
    • change mode from '' to '0755'
    • change owner from '' to 'root'
    • change group from '' to 'root'
    • restore selinux security context
sha512.c(81): OpenSSL internal error, assertion failed: Low level API call to digest SHA512 forbidden in FIPS mode!

Using package
wget https://chef.bintray.com/current-yum/el/6/x86_64/chef-server-fips-core-12.11.2+20161123121032-1.el6.x86_64.rpm

@stevendanna
Contributor

Apologies for the delay. The chef-server-core-fips build is currently an unsupported development branch. There's work in-flight now to integrate some of the features in that branch into the Chef Server. We hope to release that work in early 2017. Apologies for the confusion this build may have caused. I'm going to close this issue for now.

btm added a commit that referenced this issue Dec 15, 2016
Low level API calls to encryption algorithms are not allowed when using the
OpenSSL FIPS 140-2 module. When FIPS mode is enabled, all calls must go through
the FIPS module.

Fixes #1024

Signed-off-by: Bryan McLellan <[email protected]>
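
The abort in the reconfigure output and the rule stated in the commit message can be turned into a quick triage check. The Ruby script below is an added example, not code from Chef Server or from the referenced commit: it parses the OpenSSL abort line and flags low-level SHA calls in C source, naming the EVP call that goes through the FIPS module. The abort line is the one from the issue; the C snippet and all helper names are constructed for illustration.

```ruby
# Added example: triage helper for OpenSSL FIPS "low level API" aborts.
# Helper names and SAMPLE_C are constructed; the abort line is from the issue.

# Abort line printed by a FIPS-capable OpenSSL on a low-level digest call.
FIPS_ABORT = /(?<file>[\w.]+)\((?<line>\d+)\): OpenSSL internal error, assertion failed: Low level API call to digest (?<alg>\w+) forbidden in FIPS mode!/

# Low-level call suffix -> EVP function that routes through the FIPS module.
# nil is the one-shot form, e.g. SHA512(data, len, out).
EVP_FOR = { "Init" => "EVP_DigestInit_ex", "Update" => "EVP_DigestUpdate",
            "Final" => "EVP_DigestFinal_ex", nil => "EVP_Digest" }.freeze

# Extract file, line and algorithm from every FIPS abort found in a log.
def parse_fips_aborts(log)
  log.each_line.map { |l| FIPS_ABORT.match(l) }.compact.map do |m|
    { file: m[:file], line: m[:line].to_i, alg: m[:alg] }
  end
end

# Flag low-level calls for one digest (e.g. "SHA512") in C source text.
def find_low_level_calls(source, alg)
  pattern = /\b#{Regexp.escape(alg)}(?:_(Init|Update|Final))?\s*\(/
  source.each_line.with_index(1).map do |text, n|
    next unless (m = pattern.match(text))
    { line: n, call: m[0].sub(/\s*\(\z/, ""),
      use: EVP_FOR[m[1]], md: "EVP_#{alg.downcase}()" }
  end.compact
end

SAMPLE_LOG = <<~LOG
  OpenSSL FIPS 140 mode enabled
  sha512.c(81): OpenSSL internal error, assertion failed: Low level API call to digest SHA512 forbidden in FIPS mode!
LOG

# Constructed C fragment: three low-level calls, one EVP call that is fine.
SAMPLE_C = <<~SRC
  SHA512_CTX c;
  SHA512_Init(&c);
  SHA512_Update(&c, buf, len);
  SHA512_Final(out, &c);
  EVP_DigestInit_ex(ctx, EVP_sha512(), NULL);
SRC

parse_fips_aborts(SAMPLE_LOG).each do |a|
  puts "#{a[:alg]} abort raised at #{a[:file]}:#{a[:line]}"
  find_low_level_calls(SAMPLE_C, a[:alg]).each do |h|
    puts "  line #{h[:line]}: #{h[:call]} -> #{h[:use]} with #{h[:md]}"
  end
end
```
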