biosehnsucht Posted October 5, 2018

/proc/sys/crypto doesn't exist, so anything checking the status of /proc/sys/crypto/fips_enabled fails terribly. (Specifically trying to bring up a FreeIPA server which includes tomcat-based Dogtag CA, it checks for FIPS during setup, dies). I see there is an rk_crypto kernel module available, so I don't know why /proc/sys/crypto itself is missing. I tried 'modprobe rk_crypto' and it loaded (appears in output of 'lsmod'), but /proc/sys/crypto still doesn't exist.

jmandawg Posted October 5, 2018

try:

    mkdir /proc/sys/crypto
    echo "0" > /proc/sys/crypto/fips_enabled

then start it.

biosehnsucht (Author) Posted October 5, 2018

2 hours ago, jmandawg said:
> try:
>     mkdir /proc/sys/crypto
>     echo "0" > /proc/sys/crypto/fips_enabled
> then start it.

Can't create directories under /proc, since it's not a normal filesystem.

    # mkdir /proc/sys/crypto
    mkdir: cannot create directory ‘/proc/sys/crypto’: No such file or directory

jmandawg Posted October 6, 2018

There is a patch here: https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg03711.html

I would suggest asking on the FreeIPA forum.

biosehnsucht (Author) Posted October 8, 2018

That's one approach, but shouldn't /proc/sys/crypto exist anyways? Why doesn't it? And it's easier to build a custom kernel if that's what it takes than to wait on a FreeIPA patch to make its way to the relevant repository, much less build FreeIPA myself.

jmandawg Posted October 8, 2018

I do not have /proc/sys/crypto on my x86 box (running Debian) or my Renegade (running Armbian) or my RPi (running Raspbian). My guess is it's installed with the FIPS module, which I believe is not free.

biosehnsucht (Author) Posted October 8, 2018

Ah, well, then I guess I'm just going to have to wait for FreeIPA to patch things. But I didn't have this issue installing on a Pi, which also wouldn't have the module, so ... :shrug: Though perhaps that was because I was running Fedora there, maybe its RHEL relationship gets the FIPS stuff?

biosehnsucht (Author) Posted October 8, 2018

Well, the FreeIPA release just updated on Friday (2018/10/05) it looks like to solve the issue... now I just have to wait for it to make its way into Debian/Ubuntu/Armbian's repos (or get Fedora working on Rock64 but so far that's been a fail - I expect the repos will update before I get Fedora booting on the Rock64)

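Added example, not part of any post above and not FreeIPA's code: the Linux kernel only registers /proc/sys/crypto/fips_enabled when it is built with CONFIG_CRYPTO_FIPS, so a setup check can treat a missing file as "FIPS off" instead of failing. This script reports both the sysctl state and the kernel option; the optional root-prefix and kernel-release arguments are assumptions added so it can be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# The optional root-prefix and kernel-release arguments are assumptions that
# let the functions run against a constructed directory tree.

# fips_state [root] -> enabled | disabled | absent
fips_state() {
    f="${1:-}/proc/sys/crypto/fips_enabled"
    if [ ! -r "$f" ]; then
        echo absent                 # kernel does not expose the sysctl
        return 0
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;         # the kernel reports 0 when FIPS mode is off
    esac
}

# kernel_fips_option [root] [release] -> yes | no | unknown
kernel_fips_option() {
    root="${1:-}"
    rel="${2:-$(uname -r)}"
    if [ -r "$root/proc/config.gz" ]; then
        cfg=$(gzip -dc "$root/proc/config.gz" 2>/dev/null) || { echo unknown; return 0; }
    elif [ -r "$root/boot/config-$rel" ]; then
        cfg=$(cat "$root/boot/config-$rel")
    else
        echo unknown                # no kernel config available to inspect
        return 0
    fi
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_CRYPTO_FIPS=y$'; then
        echo yes
    else
        echo no
    fi
}

# fips_report [root] [release] -> one-line summary; a missing sysctl means off
fips_report() {
    state=$(fips_state "${1:-}")
    opt=$(kernel_fips_option "${1:-}" "${2:-}")
    case "$state:$opt" in
        enabled:*)  echo "FIPS mode on" ;;
        disabled:*) echo "FIPS mode off" ;;
        absent:no)  echo "FIPS mode off (kernel built without CONFIG_CRYPTO_FIPS)" ;;
        *)          echo "FIPS mode off (sysctl absent, kernel config: $opt)" ;;
    esac
}

fips_report
```
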