Gitlab Omnibus reconfigure with FIPS mode

I updated my Gitlab CE to 8.11 from 8.10 and when I try to reconfigure I get the following error:

/opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-config-12.12.15/lib/chef-config/config.rb:1012:in `fips_mode=': This version of OpenSSL does not support FIPS mode (OpenSSL::OpenSSLError)

Omnibus is running OpenSSL 1.0.2h. I am not very familiar with FIPS other than it is required on this system. Is there anything I can do to get Gitlab omnibus to use a FIPS compliant OpenSSL?

Or any other solution?

Thank you,

R

I tried replacing /opt/gitlab/embedded/openssl with a link to /user/bin/openssl but that did not work.

Just to get the thing running again I commented out the line:

           !ENV["CHEF_FIPS"].nil? || ChefConfig.fips?

In the Ruby 2.3 config.rb file.

I’m affected by the same FIPS-related issue here. I can run “CHEF_FIPS= gitlab-ctl reconfigure” and have it complete successfully, but I’m trying to get a configuration in place so that the omnibus package can be updated non-interactively.

I’ve tried adding the following to /etc/gitlab/gitlab.rb:

gitlab_rails['env'] = {
  "CHEF_FIPS" => "",
}

reconfiguring and restarting gitlab prior to the package update, but it has no effect; I get the same openssl error as the original poster (updated):

/opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/chef-config-13.6.4/lib/chef-config/config.rb:1079:in `fips_mode=': This version of OpenSSL does not support FIPS mode (OpenSSL::OpenSSLError)

Are there any other methods that can be applied here to enable unattended upgrades?

Anyone have any clues? Been almost 3 years and I am having the same issues upon reconfiguring.

I had it working many months ago but I don’t recall what I did.

This happens to me after system hardening.

Before running gitlab-reconfigure do:
export CHEF_FIPS=""

Worked for me.

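An added example, not part of any post in this thread: the workarounds reported above ("CHEF_FIPS= gitlab-ctl reconfigure" and exporting an empty CHEF_FIPS) both depend on the variable being present but empty in the environment of the reconfigure process itself. The sketch below shows how to tell unset from empty, what a child process actually inherits, and a wrapper for unattended runs; the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are illustrative.

# Classify CHEF_FIPS in the current shell: unset | empty | nonempty.
# ${CHEF_FIPS+x} expands to "x" whenever the variable exists, even when empty.
chef_fips_state() {
    if [ -z "${CHEF_FIPS+x}" ]; then
        echo unset
    elif [ -z "$CHEF_FIPS" ]; then
        echo empty
    else
        echo nonempty
    fi
}

# Same classification, evaluated in a child process. Only exported variables
# cross the exec boundary, so this is what gitlab-ctl would inherit.
child_fips_state() {
    sh -c '
        if [ -z "${CHEF_FIPS+x}" ]; then echo unset
        elif [ -z "$CHEF_FIPS" ]; then echo empty
        else echo nonempty
        fi'
}

# Run one external command with CHEF_FIPS present but empty, leaving the
# calling shell untouched.
# e.g. run_with_empty_chef_fips gitlab-ctl reconfigure
run_with_empty_chef_fips() {
    env CHEF_FIPS= "$@"
}

echo "this shell: $(chef_fips_state); child processes: $(child_fips_state)"
```

A plain `CHEF_FIPS=""` without `export` leaves child processes reporting `unset`, which is the case where the reconfigure run falls back to its own FIPS detection.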

Are there any changes on this situation? I just had to disable fips after enabling last week. The git push/pull had stopped working. There are comments from Gitlab devs that they are “committed to FIPS compliance”.

Also…

See here: FIPS compliance | GitLab

Also check the Epic links as well that might hint at progress. What you will also see from the Epic is that since Gitlab is reliant on components like Ruby, which also has FIPS issues, Gitlab have their hands tied until the devs of the included components also fix FIPS support. Runners will also be an issue, since it says golang have said “no plans, basically zero chance”. Of course, if you won’t be using runners, then that will be one less problem for you with FIPS.

The remainder of the Epic will explain in more detail, as there are lots of comments there relating to it all and too much for me to go through and list everything out. You’ll see when you read it.
