See bz1495215. On FIPS enabled systems (where /proc/sys/crypto/fips_enabled == 1) Bootstrap fails to run puppet (due to puppet's default signing algorithm being MD5, which isn't allowed in FIPS mode).
Setting digest_algorithm = sha256 in puppet.conf will allow a successful puppet run, but the signing algorithm must match on the Puppet Master (so this only works if both are set).
Questions/Thoughts:
Do we default to setting the signing_algorithm to sha256 automatically when a FIPS enabled system is detected?
Do we make the user explicitly set 'FIPS mode' (which does the above)?
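A pre-flight check for the condition described above, added here as an example and not code from the bootstrap script or Puppet: it reads the FIPS flag and compares the effective digest_algorithm in the agent's and the master's puppet.conf text. The function names and the sample puppet.conf contents are constructed, and it assumes a run-mode section ([agent], [master]) overrides [main].

```python
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"

def fips_enabled(path=FIPS_FLAG):
    """True when the kernel FIPS flag file contains 1; False if it is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def effective_digest(conf_text, run_mode):
    """digest_algorithm as seen by run_mode; [run_mode] overrides [main]."""
    section, found = "main", {}  # assumption: unsectioned settings count as [main]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "digest_algorithm":
                found[section] = value.lower()
    # md5 is the default the issue text attributes to puppet
    return found.get(run_mode, found.get("main", "md5"))

def puppet_fips_ready(fips, agent_conf, master_conf):
    """Return (ok, reason) for one agent/master pair of puppet.conf texts."""
    agent = effective_digest(agent_conf, "agent")
    master = effective_digest(master_conf, "master")
    if agent != master:
        return False, "mismatch: agent=%s master=%s" % (agent, master)
    if fips and agent == "md5":
        return False, "FIPS mode is on but digest_algorithm is md5"
    return True, "digest_algorithm=%s on both sides" % agent

# Constructed sample files, not taken from a real host
AGENT_CONF = "[main]\nserver = puppet.example.com\n[agent]\ndigest_algorithm = sha256\n"
MASTER_OLD = "[main]\ncertname = puppet.example.com\n"
MASTER_NEW = MASTER_OLD + "[master]\ndigest_algorithm = sha256\n"

if __name__ == "__main__":
    print("FIPS on this host:", fips_enabled())
    for master in (MASTER_OLD, MASTER_NEW):
        print(puppet_fips_ready(True, AGENT_CONF, master))
```

The master's puppet.conf is not readable from the client, so in practice its text has to be supplied by whoever administers the Puppet Master.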