OpenSSL in FIPS Mode does not have MD5 Hash Functionality Required by Certbot

virshu · December 25, 2017, 8:40pm

I ran this command:
certbot --apache or certbot --apache certonly (same result)

It produced this output:
An unexpected error occurred:
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

My web server is (include version):
Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.11

The operating system my web server runs on is (include version):
Centos 7

My hosting provider, if applicable, is:
Amazon Web Services (for the server)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

May or may not be relevant: I installed certificate yesterday on another instance that was running AWS Linux. But my application framework (ASP.NET Core) is not compatible with Amazon Linux; so I launched Centos 7 instance.

Log file doesn’t seem to add much, but here is the tail:
2017-12-25 20:21:30,017:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/bin/certbot”, line 9, in
load_entry_point(‘certbot==0.19.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 861, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 770, in certonly
le_client = _init_le_client(config, auth, installer)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 479, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 378, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python2.7/site-packages/certbot/client.py”, line 174, in register
acc = account.Account(regr, key)
File “/usr/lib/python2.7/site-packages/certbot/account.py”, line 62, in init
format=serialization.PublicFormat.SubjectPublicKeyInfo)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
2017-12-25 20:21:30,018:ERROR:certbot.log:An unexpected error occurred:

_az · December 25, 2017, 10:42pm

Based on this issue it looks like Certbot isn’t compatible with OpenSSL running in FIPS mode.

If you wish to continue operating in FIPS mode, perhaps you can use an alternate client like acmetool, which is not affected.

ahaw021 · December 26, 2017, 7:57am

i have made the title a bit clearer in case anyone else runs in to the same problem

system · January 25, 2018, 7:57am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
LetsEncrypt (Certbot) FIPS Mode Client dev	5	2128	June 10, 2018
Certbot 1.2.0 Release Client dev	5	1255	March 29, 2020
Did OpenSSL 3.0 break Certbot? Client dev	37	2406	December 14, 2023
Issues with certbot and centos 6 Help	4	2174	November 2, 2016
Error when use command certbot Help	3	989	November 21, 2021

OpenSSL in FIPS Mode does not have MD5 Hash Functionality Required by Certbot

Related topics