Issue with openssl-fips-provider during migration from RHEL 9

I have the same issue, but it is definitely not solved for me.

The core issue is that openssl-fips-provider and openssl-libs both provided /usr/lib64/ossl-modules/fips.so, at least until openssl-libs-1:3.0.7-27 (based on this; see conflicts section). Using rpm -ql, it doesn’t seem like there is a conflict now but migrate2rocky9.sh still reports a problem.

With the output, I can see openssl-libs-3.0.7-27 and openssl-fips-provider-3.0.7-2 getting pulled down, but still see the “file /usr/lib64/ossl-modules/fips.so conflicts between attempted installs of openssl-fips-provider-3.0.7-2.el9.x86_64 and openssl-libs-1:3.0.7-27.el9.x86_64” error.

Removing openssl-fips-provider just flagged a different error saying openssl-libs depends on it (ignoring the sanity of doing that), which you can see via “rpm -q --requires openssl-libs”.

Just as a follow-up, Rocky didn’t fix their RPMs.

[while it’s a RHEL9 box]
rpm -qa | grep -E '(openssl-fips-provider|openssl-libs)'
openssl-fips-provider-3.0.7-2.el9.x86_64
openssl-libs-3.0.7-27.el9.x86_64

[fips.so should only be a part of openssl-fips-provider, not openssl-libs]
rpm -ql openssl-fips-provider | grep fips.so
/usr/lib64/ossl-modules/fips.so
rpm -ql openssl-libs | grep fips.so

[looking at cached files after failed migrate]
(cd /var/cache/dnf/baseos-522ed8e2b2f761ff/packages && ls -1 openssl-fips-provider-*.rpm openssl-libs-*.rpm)
openssl-fips-provider-3.0.7-2.el9.x86_64.rpm
openssl-libs-3.0.7-27.el9.x86_64.rpm

[fips.so is in both RPMs]
rpm -ql /var/cache/dnf/baseos-522ed8e2b2f761ff/packages/openssl-fips-provider-*.rpm | grep fips.so
/usr/lib64/ossl-modules/fips.so
rpm -ql /var/cache/dnf/baseos-522ed8e2b2f761ff/packages/openssl-libs-*.rpm | grep fips.so
/usr/lib64/ossl-modules/fips.so

Doing a little kludge to the script worked around this issue. Until Rocky fixes openssl-libs, we can just exclude it in the distro-sync and leave it with the stock RHEL version for a while.

--- migrate2rocky9.sh.ORIG      2024-07-31 13:38:02.764114561 -0700
+++ migrate2rocky9.sh   2024-07-31 13:40:04.334335470 -0700
@@ -1100,7 +1100,7 @@
     fi

     infomsg $'\nSyncing packages\n\n'
-    dnf -y --allowerasing distro-sync ||
+    dnf -y --allowerasing distro-sync -x openssl-libs ||
         exit_message "Error during distro-sync."

     # Disable Stream repos.
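
Review bot: The `-x openssl-libs` added to the distro-sync line is unconditional and silent, so every run of the patched script leaves openssl-libs at the RHEL build whether or not openssl-fips-provider is installed, and nothing tells the operator that a package was skipped. Consider applying the exclude only when `rpm -q openssl-fips-provider` succeeds, and printing an `infomsg` after the sync that names the held-back package, so it gets synced once the conflict on /usr/lib64/ossl-modules/fips.so is resolved in the repository. Because this is the system's crypto library, a comment above the line saying why the exclude exists and when it can be removed would also help.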

While I understand that it appears to be a “Rocky problem”, this problem is only occurring in a very specific case with these conditions:

It is rather unhelpful to point fingers and cast blame while neither bringing forth a solution that we can take to resolve the issue nor taking the initiative to ask how you can help. In fact, the initial investigation from more than 21 days ago could’ve been in a bug report. That would have created an initiative from my team to investigate and work on a solution.

If in the future a similar issue occurs, we ask that you open a bug report at our bug tracker, providing all relevant information and if applicable, an initial solution that we can try.

[label@sani CFG]$ dnf --repofrompath=pb_base_8,https://yumrepofs.build.resf.org/v1/projects/df5bcbfc-ba83-4da8-84d6-ae0168921b4d/repo/BaseOS/x86_64 --disablerepo=*  --enablerepo=pb_base_8 repoquery -q --whatprovides openssl-fips-provider
openssl-libs-1:3.0.7-27.el9.0.1.i686
openssl-libs-1:3.0.7-27.el9.0.1.x86_64

Or perhaps even easier, disable FIPS on the RHEL9 box before migrating to Rocky. Then enable FIPS again afterwards. The most likely cause of the problem here is the migration.


Wasn’t the “core issue” that Rocky has/had one package, openssl-libs, while RHEL builds openssl-libs and openssl-fips-provider, splitting some of the content into the latter?

I’m new to Rocky, my previous experience being lots of OEL and RHEL. I put the initial work here because Google found relevant matches here (vs. the bug tracker), but I started on the bug tracker last night; I just haven’t submitted the two issues I’ve found.

I didn’t know who was at fault ~21 days ago, just had figured out that it was originally something RHEL had an issue with and fixed. I’m guessing that this is sorta fallout from RHEL keeping all their contributions much closer to their chest.

I’ve never contributed to CentOS or now Rocky at the level of SRPMs. It’ll be new.
