openssl_privatekey breaks in FIPS mode #67213

Closed
chris-kiick-sp opened this issue Feb 7, 2020 · 6 comments · Fixed by #67515
Labels
affects_2.9, bug, crypto, has_pr, module, performance, python3, support:community, traceback

Comments

@chris-kiick-sp
Contributor

SUMMARY

When attempting to create an openssl key on a system in FIPS mode, the module crashes with error:

ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Module attempts to fingerprint key using all listed algorithms, even though some of them are forbidden by FIPS. In particular, md5 does not work.

ISSUE TYPE
  • Bug Report

COMPONENT NAME

ANSIBLE VERSION

ansible 2.9.4
  config file = /home/chris.kiick/services-performance-lab-master/ansible.cfg
  configured module search path = [u'/home/chris.kiick/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, Dec 12 2019, 23:58:22) [GCC 7.3.1 20180712 (Red Hat 7.3.1-6)]

CONFIGURATION

ANSIBLE_SSH_RETRIES(/home/chris.kiick/services-performance-lab-master/ansible.cf
DEFAULT_FORKS(/home/chris.kiick/services-performance-lab-master/ansible.cfg) = 1
DEFAULT_GATHERING(/home/chris.kiick/services-performance-lab-master/ansible.cfg)
DEFAULT_HOST_LIST(/home/chris.kiick/services-performance-lab-master/ansible.cfg)
DISPLAY_SKIPPED_HOSTS(/home/chris.kiick/services-performance-lab-master/ansible.
HOST_KEY_CHECKING(/home/chris.kiick/services-performance-lab-master/ansible.cfg)
RETRY_FILES_ENABLED(/home/chris.kiick/services-performance-lab-master/ansible.cf)

OS / ENVIRONMENT

STEPS TO REPRODUCE

Target system was RHEL 7 with FIPS mode enabled.

Playbook:

---
- hosts: host-with-FIPS-enabled
  name: create SSL cert key
  tasks:
    - openssl_privatekey:
        backup: true
        path: "/tmp/foo"
        state: present
      become: true

EXPECTED RESULTS

changed: true
failed: false
File /tmp/foo exists and contains a private key in PEM format.

ACTUAL RESULTS

Module crashes with FIPS specific error.

> ansible-playbook -vvv bug.yml
ansible-playbook 2.9.4
  config file = /home/chris.kiick/services-performance-lab-master/ansible.cfg
  configured module search path = [u'/home/chris.kiick/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.16 (default, Dec 12 2019, 23:58:22) [GCC 7.3.1 20180712 (Red Hat 7.3.1-6)]
Using /home/chris.kiick/services-performance-lab-master/ansible.cfg as config file
host_list declined parsing /home/chris.kiick/services-performance-lab-master/inventory/dynamic.py as it did not pass its verify_file() method
Parsed /home/chris.kiick/services-performance-lab-master/inventory/dynamic.py inventory source with script plugin

PLAYBOOK: bug.yml **************************************************************
1 plays in bug.yml

PLAY [create SSL cert key] *****************************************************
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'echo ~ec2-user && sleep 0'"'"''
<100.64.12.7> (0, '/home/ec2-user\n', "Warning: Permanently added '100.64.12.7' (ECDSA) to the list of known hosts.\r\nAuthorized uses only. All activity may be monitored and reported.\n")
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070 `" && echo ansible-tmp-1581102287.88-194846480658070="` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070 `" ) && sleep 0'"'"''
<100.64.12.7> (0, 'ansible-tmp-1581102287.88-194846480658070=/home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070\n', '')
<prod-task1> Attempting python interpreter discovery
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<100.64.12.7> (0, 'PLATFORM\nLinux\nFOUND\n/usr/bin/python\n/usr/bin/python3.6\n/usr/bin/python2.7\n/usr/libexec/platform-python\n/usr/bin/python3\n/usr/bin/python\nENDFOUND\n', '')
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<100.64.12.7> (0, '{"osrelease_content": "NAME=\\"Red Hat Enterprise Linux Server\\"\\nVERSION=\\"7.7 (Maipo)\\"\\nID=\\"rhel\\"\\nID_LIKE=\\"fedora\\"\\nVARIANT=\\"Server\\"\\nVARIANT_ID=\\"server\\"\\nVERSION_ID=\\"7.7\\"\\nPRETTY_NAME=\\"Red Hat Enterprise Linux Server 7.7 (Maipo)\\"\\nANSI_COLOR=\\"0;31\\"\\nCPE_NAME=\\"cpe:/o:redhat:enterprise_linux:7.7:GA:server\\"\\nHOME_URL=\\"https://www.redhat.com/\\"\\nBUG_REPORT_URL=\\"https://bugzilla.redhat.com/\\"\\n\\nREDHAT_BUGZILLA_PRODUCT=\\"Red Hat Enterprise Linux 7\\"\\nREDHAT_BUGZILLA_PRODUCT_VERSION=7.7\\nREDHAT_SUPPORT_PRODUCT=\\"Red Hat Enterprise Linux\\"\\nREDHAT_SUPPORT_PRODUCT_VERSION=\\"7.7\\"\\n", "platform_dist_result": ["redhat", "7.7", "Maipo"]}\n', '')
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
<100.64.12.7> PUT /home/chris.kiick/.ansible/tmp/ansible-local-16723ohhUk2/tmpzbPAGm TO /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070/AnsiballZ_setup.py
<100.64.12.7> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f '[100.64.12.7]'
<100.64.12.7> (0, 'sftp> put /home/chris.kiick/.ansible/tmp/ansible-local-16723ohhUk2/tmpzbPAGm /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070/AnsiballZ_setup.py\n', '')
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'chmod u+x /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070/ /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070/AnsiballZ_setup.py && sleep 0'"'"''
<100.64.12.7> (0, '', '')
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f -tt 100.64.12.7 '/bin/sh -c '"'"'/usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070/AnsiballZ_setup.py && sleep 0'"'"''
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'rm -f -r /home/ec2-user/.ansible/tmp/ansible-tmp-1581102287.88-194846480658070/ > /dev/null 2>&1 && sleep 0'"'"''
<100.64.12.7> (0, '', '')

TASK [Gathering Facts] *********************************************************
task path: /home/chris.kiick/services-performance-lab-master/bug.yml:4
ok: [prod-task1]
META: ran handlers
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'echo ~ec2-user && sleep 0'"'"''
<100.64.12.7> (0, '/home/ec2-user\n', '')
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836 `" && echo ansible-tmp-1581102289.37-275304619929836="` echo /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836 `" ) && sleep 0'"'"''
<100.64.12.7> (0, 'ansible-tmp-1581102289.37-275304619929836=/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836\n', '')
Using module file /usr/lib/python2.7/site-packages/ansible/modules/crypto/openssl_privatekey.py
<100.64.12.7> PUT /home/chris.kiick/.ansible/tmp/ansible-local-16723ohhUk2/tmpugGucZ TO /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py
<100.64.12.7> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f '[100.64.12.7]'
<100.64.12.7> (0, 'sftp> put /home/chris.kiick/.ansible/tmp/ansible-local-16723ohhUk2/tmpugGucZ /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py\n', '')
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'chmod u+x /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/ /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py && sleep 0'"'"''
<100.64.12.7> (0, '', '')
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f -tt 100.64.12.7 '/bin/sh -c '"'"'sudo -H -S -n  -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-qegpjmyptpfgtqkxxglsjhfnewsepfpj ; /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<100.64.12.7> (1, 'Traceback (most recent call last):\r\n  File "/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py", line 102, in <module>\r\n    _ansiballz_main()\r\n  File "/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File "/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py", line 40, in invoke_module\r\n    runpy.run_module(mod_name=\'ansible.modules.crypto.openssl_privatekey\', init_globals=None, run_name=\'__main__\', alter_sys=True)\r\n  File "/usr/lib64/python2.7/runpy.py", line 176, in run_module\r\n    fname, loader, pkg_name)\r\n  File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code\r\n    mod_name, mod_fname, mod_loader, pkg_name)\r\n  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code\r\n    exec code in run_globals\r\n  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 692, in <module>\r\n  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 676, in main\r\n  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 303, in generate\r\n  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 545, in _get_fingerprint\r\n  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/module_utils/crypto.py", line 157, in get_fingerprint_of_bytes\r\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\r\n', 'Shared connection to 100.64.12.7 closed.\r\n')
<100.64.12.7> Failed to connect to the host via ssh: Shared connection to 100.64.12.7 closed.
<100.64.12.7> ESTABLISH SSH CONNECTION FOR USER: ec2-user
<100.64.12.7> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="iiq-key.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/chris.kiick/.ansible/cp/3f67b8c86f 100.64.12.7 '/bin/sh -c '"'"'rm -f -r /home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/ > /dev/null 2>&1 && sleep 0'"'"''
<100.64.12.7> (0, '', '')

TASK [openssl_privatekey] ******************************************************
task path: /home/chris.kiick/services-performance-lab-master/bug.yml:7
The full traceback is:
Traceback (most recent call last):
  File "/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py", line 102, in <module>
    _ansiballz_main()
  File "/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible.modules.crypto.openssl_privatekey', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python2.7/runpy.py", line 176, in run_module
    fname, loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 692, in <module>
  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 676, in main
  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 303, in generate
  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py", line 545, in _get_fingerprint
  File "/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/module_utils/crypto.py", line 157, in get_fingerprint_of_bytes
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

fatal: [prod-task1]: FAILED! => {
    "changed": false, 
    "module_stderr": "Shared connection to 100.64.12.7 closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py\", line 102, in <module>\r\n    _ansiballz_main()\r\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py\", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1581102289.37-275304619929836/AnsiballZ_openssl_privatekey.py\", line 40, in invoke_module\r\n    runpy.run_module(mod_name='ansible.modules.crypto.openssl_privatekey', init_globals=None, run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\r\n    fname, loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\r\n    mod_name, mod_fname, mod_loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\r\n    exec code in run_globals\r\n  File \"/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 692, in <module>\r\n  File \"/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 676, in main\r\n  File \"/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 303, in generate\r\n  File \"/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/modules/crypto/openssl_privatekey.py\", line 545, in _get_fingerprint\r\n  File \"/tmp/ansible_openssl_privatekey_payload_bq5DCF/ansible_openssl_privatekey_payload.zip/ansible/module_utils/crypto.py\", line 157, in get_fingerprint_of_bytes\r\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\r\n", 
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", 
    "rc": 1
}

PLAY RECAP *********************************************************************
prod-task1                 : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
@ansibot
Contributor

ansibot commented Feb 7, 2020

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. performance python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. traceback This issue/PR includes a traceback. labels Feb 7, 2020
@chris-kiick-sp
Contributor Author

In module_utils/crypto.c (on target host):

for algo in algorithms:
        f = getattr(hashlib, algo)
        h = f(source)

by hand:

Python 2.7.5 (default, Jun 11 2019, 14:33:56) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.algorithms
('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512')
>>> hashlib.md5("foo")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

I don't know how to get a list of FIPS allowed algorithms. Perhaps the module can catch this specific exception and just skip that algorithm.
In general, if a hash algorithm fails, shouldn't it just be skipped?
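
The skip-on-failure idea raised in the comment above, as an added sketch that is not part of the original thread and not Ansible's code. The names `fingerprints` and `fips_like_new` are hypothetical; `fips_like_new` is a constructed stand-in that raises the issue's error for md5, so the behaviour can be reproduced on a host that is not in FIPS mode.

```python
import hashlib

# Digest names from the hashlib.algorithms tuple shown in the session above.
ALGORITHMS = ('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512')


def fingerprints(source, algorithms=ALGORITHMS, new=hashlib.new):
    """Return ({algo: 'aa:bb:...'}, [skipped algos]) for the bytes in source.

    `new` is injectable (an assumption of this sketch) so that a digest
    refused by the crypto backend can be simulated without a FIPS host.
    """
    result, skipped = {}, []
    for algo in algorithms:
        try:
            hexdigest = new(algo, source).hexdigest()
        except ValueError:
            # Raised when OpenSSL refuses the digest ("disabled for fips")
            # or when the name is unknown on this build. Record and move on.
            skipped.append(algo)
            continue
        pairs = (hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
        result[algo] = ':'.join(pairs)
    if not result:
        # Do not return an empty fingerprint set silently.
        raise ValueError('no usable digest among: %s' % ', '.join(algorithms))
    return result, skipped


def fips_like_new(algo, data=b''):
    """Constructed stand-in for hashlib.new on a FIPS host: md5 is refused."""
    if algo == 'md5':
        raise ValueError('error:060800A3:digital envelope routines:'
                         'EVP_DigestInit_ex:disabled for fips')
    return hashlib.new(algo, data)


if __name__ == '__main__':
    # Constructed sample input, not real key material.
    fps, skipped = fingerprints(b'constructed sample key bytes',
                                new=fips_like_new)
    for name in sorted(fps):
        print('%-7s %s' % (name, fps[name]))
    print('skipped: %s' % ', '.join(skipped))
```

Catching only `ValueError` and returning the skipped names keeps a refused digest visible to the caller instead of hiding every failure.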

@Akasurde
Member

!component =lib/ansible/modules/crypto/openssl_privatekey.py

@ansibot
Contributor

ansibot commented Feb 18, 2020

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot
Contributor

ansibot commented Feb 18, 2020

@ansibot ansibot added crypto Crypto community (ACME, openssl, letsencrypt) module This issue/PR relates to a module. support:community This issue/PR relates to code supported by the Ansible community. and removed needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Feb 18, 2020
@felixfontein
Contributor

resolved_by_pr #67515

@ansibot ansibot added the has_pr This issue has an associated PR. label Feb 18, 2020
@ansible ansible locked and limited conversation to collaborators Mar 17, 2020