Troubleshooting

FIPS Enablement Issues

dracut failures during enablement

Symptom: When running fips-mode-setup --enable, the command fails with errors similar to:

dracut: installkernel failed in module kernel-modules-extra
dracut: Can't write to /boot/efi/...

Cause: This typically happens when the running kernel was installed or updated by the package manager but has no Boot Loader Specification (BLS) entry under /boot/loader/entries/. fips-mode-setup calls dracut to rebuild the initramfs with the fips module, and without a BLS entry dracut cannot locate the kernel image it is supposed to regenerate the initramfs for.

Resolution:

  1. Check for stuck processes: Make sure no other dnf or yum process is running or hung; such a process holds the RPM lock and the reinstall below would block on it.
  2. Reinstall kernel-core: Reinstalling the kernel-core package for the running kernel re-runs the kernel-install scriptlets, which normally recreate the missing BLS entry.
    dnf reinstall kernel-core-$(uname -r)
  3. Create the entry manually: If the reinstall does not produce an entry, add it with kernel-install:
    kernel-install add $(uname -r) /lib/modules/$(uname -r)/vmlinuz
  4. Verify and retry: Confirm that /boot/loader/entries/ now contains an entry for the running kernel, then run fips-mode-setup --enable again.
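The following script is an added example, not code from the CIQ page: it checks whether the running kernel has a BLS entry before fips-mode-setup is retried and, only when invoked with --fix as root, applies the steps above in order with a re-check after each. It assumes the standard /boot/loader/entries location and uses a pgrep-based heuristic for the "stuck package manager" check; the kernel release string in the test data is constructed.

```bash
#!/bin/bash
# Added example, not code from the CIQ page: checks whether the running kernel
# has a BLS entry and, only when run with --fix as root, applies the page's
# resolution steps in order. /boot/loader/entries is the standard BLS location
# on RHEL-family systems; the pgrep-based lock check is a heuristic.
set -u

# Return 0 if a BLS entry under directory $1 references kernel release $2.
# BLS entries are plain-text *.conf files whose "version" and "linux" fields
# carry the kernel release string, so a fixed-string grep is enough.
bls_entry_present() {
    entries_dir=$1
    kver=$2
    [ -d "$entries_dir" ] || return 1
    grep -qF -- "$kver" "$entries_dir"/*.conf 2>/dev/null
}

# Return 0 if a dnf, yum or rpm process exists; such a process holds the RPM
# lock and would make "dnf reinstall" hang (step 1 on the page).
pkg_manager_busy() {
    pgrep -x 'dnf|yum|rpm' >/dev/null 2>&1
}

# Steps 2 and 3 from the page, each followed by a re-check of the entry.
fix_missing_bls_entry() {
    kver=$(uname -r)
    if pkg_manager_busy; then
        echo "package manager busy; wait for it (or clear a stuck one) first" >&2
        return 1
    fi
    if bls_entry_present /boot/loader/entries "$kver"; then
        echo "BLS entry for $kver present; re-run fips-mode-setup --enable"
        return 0
    fi
    # Reinstalling kernel-core re-runs the kernel-install scriptlets.
    dnf -y reinstall "kernel-core-$kver" || true
    if ! bls_entry_present /boot/loader/entries "$kver"; then
        kernel-install add "$kver" "/lib/modules/$kver/vmlinuz" || return 1
    fi
    bls_entry_present /boot/loader/entries "$kver"
}

case "${1:-}" in
    --check)
        if bls_entry_present /boot/loader/entries "$(uname -r)"; then
            echo "BLS entry present for $(uname -r)"
        else
            echo "no BLS entry for $(uname -r); run with --fix as root" >&2
            exit 1
        fi ;;
    --fix) fix_missing_bls_entry ;;
esac
```

Run it with --check first; a missing entry is the condition the page describes, and --fix then performs the reinstall and, if that still leaves no entry, the manual kernel-install step.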

Application Issues in FIPS Mode

"Digital envelope routines: unsupported" (MD5 Errors)

Symptom: Application failures or error messages containing:

Error: error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported

Cause: FIPS mode restricts OpenSSL to the algorithms implemented by its FIPS provider, and MD5 is not among them. Any application that asks OpenSSL for MD5, whether for signatures, password hashing, or a plain checksum, fails at algorithm fetch time with the error above.

Resolution:

  • Update the Application: Configure the application to use FIPS-compliant algorithms like SHA-256 or SHA-512.
  • Context-Specific Exceptions: Some applications allow configuring exceptions for non-cryptographic use of MD5, but this is generally discouraged in a FIPS-compliant environment.
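The helper below is an added example, not code from the CIQ page: it reproduces the "unsupported" failure outside the application with the openssl command line, reads the kernel's fips_enabled flag, and selects the first digest the running configuration actually permits so a script can move from md5 to sha256 without guessing. The digest preference order and the --demo switch are this script's own choices; it assumes the openssl CLI is installed.

```bash
#!/bin/bash
# Added example, not part of the CIQ page: reproduce the "digital envelope
# routines ... unsupported" error outside the application and pick a digest
# that the active OpenSSL configuration permits. Assumes the openssl CLI.

# Return 0 when FIPS mode is active according to the flag file given as $1
# (defaults to the kernel's /proc/sys/crypto/fips_enabled).
fips_enabled() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# Return 0 if openssl can compute digest $1 under the active configuration.
# In FIPS mode "openssl dgst -md5" fails with the same
# error:0308010C:digital envelope routines:...:unsupported seen in applications.
digest_usable() {
    printf 'probe' | openssl dgst "-$1" >/dev/null 2>&1
}

# Print the first usable digest from the arguments; return 1 if none is.
first_usable_digest() {
    for algo in "$@"; do
        if digest_usable "$algo"; then
            printf '%s\n' "$algo"
            return 0
        fi
    done
    return 1
}

# Hex digest of file $2 with algorithm $1, e.g. a drop-in for an md5sum call
# in a script once the algorithm has been switched to sha256.
digest_file() {
    openssl dgst "-$1" -r "$2" | cut -d' ' -f1
}

if [ "${1:-}" = "--demo" ]; then
    if fips_enabled; then echo "FIPS mode: on"; else echo "FIPS mode: off"; fi
    for a in md5 sha1 sha256 sha512; do
        if digest_usable "$a"; then echo "$a: usable"; else echo "$a: unsupported"; fi
    done
    echo "preferred: $(first_usable_digest sha256 sha512 md5 || echo none)"
fi
```

On a FIPS-enabled host --demo reports md5 as unsupported, which confirms that the application error is the crypto policy at work rather than a bug in the application itself.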

SSH Connectivity Issues

Ed25519 Keys Rejected

Symptom: After enabling FIPS mode, SSH connections authenticated with Ed25519 keys fail, or the sshd service logs that it is ignoring an Ed25519 host key:

sshd: Ed25519 keys are not allowed in FIPS mode

Cause: Ed25519 is not an approved algorithm in the FIPS 140-3 validated modules shipped with the system (nor in the FIPS 140-2 profiles used by older releases), so the FIPS system-wide cryptographic policy removes it from the OpenSSH host-key and user-key algorithm lists.

Resolution: Switch to FIPS-compliant key types, such as:

  • RSA (3072 bits or larger)
  • ECDSA (P-256, P-384, or P-521)

Example of generating a compliant key:

ssh-keygen -t ecdsa -b 384
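The script below is an added example, not code from the CIQ page: it locates the Ed25519 keys that FIPS mode will reject, both in user public-key and authorized_keys files and in sshd's HostKey directives, and generates a replacement ECDSA P-384 key pair with the command shown above. Directory and config paths are parameters so it can be run against copies; the key material in the test data is constructed and is not a real key.

```bash
#!/bin/bash
# Added example (not from the CIQ page): find Ed25519 keys that the FIPS
# policy rejects and generate a compliant ECDSA P-384 replacement.

# Print "file:line" for every public-key line under directory $1 whose key
# type is ssh-ed25519 (or sk-ssh-ed25519@openssh.com, the FIDO variant).
# Scans *.pub files and authorized_keys; on authorized_keys lines the type
# may follow options such as command="...", so every field is inspected.
find_ed25519_pubkeys() {
    dir=$1
    find "$dir" -type f \( -name '*.pub' -o -name authorized_keys \) 2>/dev/null |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ || NF == 0 { next }
            {
                for (i = 1; i <= NF; i++)
                    if ($i == "ssh-ed25519" || $i == "sk-ssh-ed25519@openssh.com") {
                        print file ":" NR
                        break
                    }
            }' "$f"
    done
}

# Print HostKey paths in sshd_config $1 whose file name mentions ed25519;
# these are the keys sshd reports as ignored in FIPS mode.
find_ed25519_hostkeys() {
    awk 'tolower($1) == "hostkey" && $2 ~ /ed25519/ { print $2 }' "$1"
}

# Return 0 when public-key type token $1 is one of the types the page lists
# as FIPS-compliant (RSA, ECDSA P-256/P-384/P-521); 1 otherwise.
key_type_fips_ok() {
    case $1 in
        ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a replacement ECDSA P-384 key pair at path $1 (the page's
# ssh-keygen -t ecdsa -b 384, with an explicit output file and comment).
generate_fips_key() {
    ssh-keygen -t ecdsa -b 384 -f "$1" -C "fips-replacement-$(date +%F)"
}

case "${1:-}" in
    --scan)
        find_ed25519_pubkeys "${2:-$HOME/.ssh}"
        find_ed25519_hostkeys "${3:-/etc/ssh/sshd_config}" ;;
    --gen)
        generate_fips_key "${2:-$HOME/.ssh/id_ecdsa}" ;;
esac
```

Use --scan to list what must be replaced (user keys, authorized_keys entries, and HostKey lines), then --gen for a new key and update authorized_keys on the peers; the ECDSA host key normally already exists at /etc/ssh/ssh_host_ecdsa_key, so the Ed25519 HostKey line can simply be removed from sshd_config.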

For additional assistance, consult the component-specific guides or contact CIQ Support.
