Introduction
Problem
Installing Vault from the rpm package on RHEL-based distributions can fail when the system is running in FIPS mode.
Prerequisites
- Vault (OSS) or Vault Enterprise
- RHEL or similar RPM based Linux distribution
Cause
- The RPM packages for Vault created by HashiCorp use MD5 to create the digest, which is not supported when running in FIPS mode. To confirm that the system is running in FIPS mode, check that the output of sysctl crypto.fips_enabled is '1'.
- As a result, when attempting to install Vault, the package manager transaction log may show the following:
Running transaction
Preparing : 1/1
Running scriptlet: vault-1.8.4-1.x86_64 1/1
Installing : vault-1.8.4-1.x86_64 1/1
Error unpacking rpm package vault-1.8.4-1.x86_64
Verifying : vault-1.8.4-1.x86_64 1/1
Installed products updated.
Failed:
vault-1.8.4-1.x86_64
Error: Transaction failed
Solutions:
You can continue to use the HashiCorp repo and Vault RPMs. However, they need to be downloaded and then installed in two separate steps in order to make use of the --nofiledigest parameter provided by the rpm tool.
Step 1: Download the Vault RPM, making note of the rpm name included in the output, i.e. vault-1.8.4-1.x86_64.rpm
dnf install --downloadonly vault --downloaddir=.
Step 2: Install the downloaded Vault RPM making use of the --nofiledigest option
rpm --nofiledigest -i vault-1.8.4-1.x86_64.rpm
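The two steps above can be wrapped so that --nofiledigest is passed only when the host is in FIPS mode and the downloaded package really carries MD5 file digests. This is an added example, not HashiCorp's own script; the function names are hypothetical, and it assumes rpm's FILEDIGESTALGO query tag reports 1 for MD5 (printed as "(none)" when the tag is absent) and 8 for SHA-256.

```shell
#!/bin/sh
# Added example: skip file digest checks only when they cannot work.

# Print 1 when the kernel reports FIPS mode, 0 otherwise.
fips_enabled() {
    v=$(sysctl -n crypto.fips_enabled 2>/dev/null) || v=0
    [ "$v" = "1" ] && echo 1 || echo 0
}

# Print the package's file digest algorithm id (OpenPGP hash numbering).
# Assumption: packages without the tag use MD5 and print "(none)".
file_digest_algo() {
    rpm -qp --qf '%{FILEDIGESTALGO}\n' "$1" 2>/dev/null
}

# Pure decision: $1 = FIPS flag (0/1), $2 = digest algorithm id.
# Prints the extra rpm option to use, or nothing.
rpm_digest_flag() {
    case "$2" in
        1|"(none)") md5=1 ;;   # 1 = MD5
        *)          md5=0 ;;   # e.g. 8 = SHA-256; empty = query failed
    esac
    if [ "$1" = "1" ] && [ "$md5" = "1" ]; then
        echo "--nofiledigest"
    fi
}

install_vault_rpm() {
    pkg=$1
    flag=$(rpm_digest_flag "$(fips_enabled)" "$(file_digest_algo "$pkg")")
    # $flag is intentionally unquoted: empty means no extra option.
    rpm $flag -i "$pkg"
}

# Runs only when a package path is given on the command line,
# e.g. the file downloaded in Step 1.
if [ "$#" -gt 0 ]; then
    install_vault_rpm "$1"
fi
```

If the digest query fails, the script falls back to a normal install rather than skipping verification.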
Outcome
This workaround avoids manually building Vault and lets you make use of the pre-built binaries, which include default configurations and systemd unit files.
Additional Information
- The HashiCorp engineering team are aware of this issue and are aiming to fix it shortly.