Installing Vault from the RPM package on RHEL-based distributions can fail when the system is running in FIPS mode.
Prerequisites (if applicable)
- Vault (OSS) or Vault Enterprise
- RHEL or similar RPM based Linux distribution
- RPM packages for Vault created by HashiCorp utilise MD5 to create the digest; however, MD5 is not supported when running in FIPS mode. To confirm that the system is running in FIPS mode, check that the output of sysctl crypto.fips_enabled is '1'.
- As a result, when attempting to install Vault, the package manager transaction log may show the following:
Running transaction
  Preparing        :                          1/1
  Running scriptlet: vault-1.8.4-1.x86_64     1/1
  Installing       : vault-1.8.4-1.x86_64     1/1
Error unpacking rpm package vault-1.8.4-1.x86_64
  Verifying        : vault-1.8.4-1.x86_64     1/1
Installed products updated.
Failed:
  vault-1.8.4-1.x86_64
Error: Transaction failed
Overview of possible solutions (if applicable)
You can continue to use the HashiCorp repo and Vault RPMs; however, they need to be downloaded and then installed in two separate steps in order to make use of the --nofiledigest parameter provided by the rpm tool, which tells rpm not to verify the digests of the packaged files.
Step 1: Download the Vault RPM, making note of the RPM file name included in the output, e.g. vault-1.8.4-1.x86_64.rpm
dnf install --downloadonly vault --downloaddir=.
Step 2: Install the downloaded Vault RPM, making use of the --nofiledigest option
rpm --nofiledigest -i vault-1.8.4-1.x86_64.rpm
This workaround avoids manually building Vault and lets you use the pre-built binaries, which include default configurations and systemd unit files.
The HashiCorp engineering team is aware of this issue and is aiming to fix it shortly.
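An added example, not part of the original article or HashiCorp's tooling: a wrapper for Step 2 that passes --nofiledigest only when FIPS mode is on and the package's file digests are MD5, so file digest verification stays enabled in every other case. The function names are hypothetical, and it assumes rpm reports the FILEDIGESTALGO header tag as 1 or as "(none)" (tag omitted) for MD5 packages.

```shell
#!/bin/sh
# Added example (hypothetical helper names): apply the --nofiledigest
# workaround only where it is actually required.

# Map the numeric %{FILEDIGESTALGO} header value to a name.
# Assumption: rpm omits the tag for MD5 packages, so empty or "(none)" means MD5.
digest_algo_name() {
    case "$1" in
        ""|"(none)"|1) echo md5 ;;
        2)  echo sha1 ;;
        8)  echo sha256 ;;
        9)  echo sha384 ;;
        10) echo sha512 ;;
        11) echo sha224 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Succeeds (exit 0) only when the FIPS flag is 1 AND the file digests are MD5.
needs_nofiledigest() {
    [ "$1" = "1" ] && [ "$(digest_algo_name "$2")" = "md5" ]
}

# Install a downloaded RPM, skipping file digest checks only if needed.
install_rpm() {
    pkg=$1
    # Same value the article checks with: sysctl crypto.fips_enabled
    fips=$(sysctl -n crypto.fips_enabled 2>/dev/null || echo 0)
    # Read the file digest algorithm from the package header.
    algo=$(rpm -qp --queryformat '%{FILEDIGESTALGO}' "$pkg") || return 1
    echo "fips_enabled=$fips file_digest=$(digest_algo_name "$algo")"
    if needs_nofiledigest "$fips" "$algo"; then
        rpm --nofiledigest -i "$pkg"
    else
        rpm -i "$pkg"
    fi
}

# Runs only when a package path is given, e.g.:
#   ./install-vault.sh vault-1.8.4-1.x86_64.rpm
if [ "$#" -ge 1 ]; then
    install_rpm "$1"
fi
```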