gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Fluentd plugin generated server key is not FIPS compliant #42449

Open stevenGravy opened 2 years ago

stevenGravy commented 2 years ago

The server.key generated from the configure command isn't supported with FIPS environments.

./teleport-event-handler configure . teleport.example.com:443
/usr/lib64/ruby/gems/2.5.0/gems/fluentd-1.15.2/lib/fluent/plugin_helper/cert_option.rb:89:in `read': Could not parse PKey: no start line (OpenSSL::PKey::PKeyError)

stevenGravy commented 2 years ago

Converting to a compatible format on a non-FIPS machine should allow the key to work.

P=<pass from fluent.conf> openssl pkcs8 -topk8 -in server.key -passin env:P -v2 aes-256-cbc -out server.key.pkcs8 -passout env:P
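
A check to run after the conversion above, as an added example that is not part of the original issue or of Teleport's code: it classifies a PEM private key by its armor line and headers, so the converted file can be verified before it is copied to the FIPS host. It assumes, which the issue does not state, that the generated server.key uses traditional PEM encryption (Proc-Type/DEK-Info headers); the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example: classify PEM private keys by armor line and headers so the
# pkcs8 conversion can be checked before the key reaches a FIPS host.

# Print the container format of the key in file $1.
pem_key_format() {
    [ -r "$1" ] || { echo unknown; return 1; }
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted          # PKCS#8 EncryptedPrivateKeyInfo
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain              # PKCS#8, no passphrase
    elif grep -Eq '^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----' "$1"; then
        # Traditional armor: encryption is signalled by RFC 1421 headers.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo traditional-encrypted
        else
            echo traditional-plain
        fi
    else
        echo unknown
    fi
}

# Succeed only when the key is in the form the workaround produces.
is_pkcs8_encrypted() {
    [ "$(pem_key_format "$1")" = pkcs8-encrypted ]
}

# Constructed sample files: real armor lines, placeholder bodies (not keys).
write_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/server.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/server.key.pkcs8"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for key in "$demo_dir/server.key" "$demo_dir/server.key.pkcs8"; do
    printf '%s: %s\n' "${key##*/}" "$(pem_key_format "$key")"
done
rm -rf "$demo_dir"
```

The classifier only reads the PEM armor and headers; it does not decrypt the key or confirm that the passphrase in fluent.conf still matches.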