Puppet Agent / PA-3223

OpenSSL errors on AWS FIPS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: puppet-agent 6.13.0, puppet-agent 6.14.0, puppet-agent 6.15.0
    • Fix Version/s: puppet-agent 6.16.0
    • Component/s: None
    • Team:
      Night's Watch
    • Sprint:
      NW - 2020-05-13
    • Method Found:
      Needs Assessment
    • Zendesk Ticket IDs:
      39013,39423
    • Zendesk Ticket Count:
      2
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Before this change, interleaving ruby/leatherman OpenSSL usage on RedHat7 FIPS led to OpenSSL module errors when the ruby http client was reused.

      The fix was to adapt openssl.cnf and configure FIPS algorithms by setting `evp_setting` to `fips_mode = true`.
    • QA Risk Assessment:
      Needs Assessment

      Description

      On AWS FIPS images, the FIPS puppet agent package throws an exception if an HTTP call is made after facter is executed:

      HTTP 405
      2020-05-07 08:21:08.057828 WARN  puppetlabs.facter - locale environment variables were bad; continuing with LANG=C LC_ALL=C
      Using facter 3.14.10
      Traceback (most recent call last):
              13: from ./example.rb:24:in `<main>'
              12: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1269:in `post'
              11: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1481:in `send_entity'
              10: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1467:in `request'
               9: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1494:in `transport_request'
               8: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1494:in `catch'
               7: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:1497:in `block in transport_request'
               6: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http/response.rb:29:in `read_new'
               5: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http/response.rb:40:in `read_status_line'
               4: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:167:in `readline'
               3: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:157:in `readuntil'
               2: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:175:in `rbuf_fill'
               1: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/openssl/buffering.rb:182:in `read_nonblock'
      /opt/puppetlabs/puppet/lib/ruby/2.5.0/openssl/buffering.rb:182:in `sysread_nonblock': SSL_read: module initialization error (OpenSSL::SSL::SSLError)
      

              People

              Assignee:
              ciprian.badescu Ciprian Badescu
              Reporter:
              gheorghe.popescu Gheorghe Popescu