enable-fips doesn't work on bionic

Bug #1911228 reported by Chris Johnston
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
ubuntu-advantage-script | Fix Released | Unknown | |
ubuntu-advantage-tools (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |

Bug Description

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"

$ sudo ua enable-fips TOKEN
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
$ sudo ua enable-fips-updates TOKEN
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic

FIPS is supported on bionic now. Either the client should be able to enable it, or the tool should state that it isn't able to and point people to the correct instructions.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Confirmed
Adam Bell (arbell) wrote :

For reference, the correct instructions are at https://security-certs.docs.ubuntu.com/en/fips#manual-installation

Changed in ubuntu-advantage-script:
status: Unknown → New
Steven Parker (sbparke) wrote :

I'm escalating this to field high as this is impacting deployment on 4 customer clouds.
We can do this manually but it is a much more involved process and with the large number of nodes we need to deploy this will be prone to error and risk.

It is my understanding that FIPS for bionic is through the NIST certification process, but in addition to this we simply want to work on the compliant track which does not need this certification anyway.

Steven Parker (sbparke) wrote :

Sorry for the resubmit but wanted to get this to the field-high users...

I'm escalating this to field high as this is impacting deployment on 4 customer clouds.
We can do this manually but it is a much more involved process and with the large number of nodes we need to deploy this will be prone to error and risk.

It is my understanding that FIPS for bionic is through the NIST certification process, but in addition to this we simply want to work on the compliant track which does not need this certification anyway.

Richard Harding (rharding) wrote :

Thanks for poking at the packaging bug. We've got a tracking bug on the upstream source here:

https://github.com/canonical/ubuntu-advantage-client/issues/1300

We released a beta of the v26 client to the staging PPA yesterday:
https://launchpad.net/~ua-client/+archive/ubuntu/staging

This v26 enables FIPS support for users in the ua client. I've tested it on bionic.

Once we complete the beta testing of the various features in the v26 we'll release it to the stable PPA here:

https://launchpad.net/~ua-client/+archive/ubuntu/stable

Using this PPA will be upgradable when the ua client is SRU'd fully into xenial and bionic at some point in the future.

Changed in ubuntu-advantage-tools (Ubuntu):
status: Confirmed → Fix Committed
importance: Undecided → High
Steven Parker (sbparke) wrote :

Having some trouble adding this repository.

sudo add-apt-repository -m ppa:ua-client/staging

Cannot add PPA: 'ppa:~ua-client/ubuntu/staging'.
ERROR: '~ua-client' user or team does not exist.

---

We can curl the address so it does not seem like a proxy issue.

curl http://ppa.launchpad.net/ua-client/staging/ubuntu/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /ua-client/staging/ubuntu</title>
 </head>
 <body>
<h1>Index of /ua-client/staging/ubuntu</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/ua-client/staging/">Parent Directory</a></td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="dists/">dists/</a></td><td align="right">2020-12-07 20:33 </td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="pool/">pool/</a></td><td align="right">2020-10-26 19:09 </td><td align="right"> - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.18 (Ubuntu) Server at ppa.launchpad.net Port 80</address>
</body></html>

Any guidance would be appreciated,

Thanks,
  Steven

Steven Parker (sbparke) wrote :

Ok that looks like a client environment problem. Never mind.

Steven

Changed in ubuntu-advantage-script:
status: New → Fix Released
Chad Smith (chad.smith) wrote :

This was fully resolved by an official SRU of the new ubuntu-advantage-tools version 27.0 to Xenial and Bionic on 2021-04-29.

The new UA client requires obtaining a contract token from https://ubuntu.com/advantage and using that global contract token on the command line:

   sudo ua attach <contract_token>
   # to enable fips if not auto-enabled by your contract
   sudo ua enable fips

The security documentation referenced has been updated since the SRU to reflect these steps if needed.
https://security-certs.docs.ubuntu.com/en/fips#manual-installation

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Fix Released
Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: New → Fix Released
Chad Smith (chad.smith)
Changed in ubuntu-advantage-tools (Ubuntu):
status: Fix Committed → Fix Released
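
A check for the step after `sudo ua enable fips`, useful when many nodes are involved (added example, not part of the bug thread or the ua client): it reads the release codename, the kernel's `/proc/sys/crypto/fips_enabled` flag and the boot command line. The function names and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): report a node's FIPS state.
# File paths are arguments so the check can run on a live node (defaults)
# or on copies of these files collected from many nodes.

# lsb_codename FILE -> prints the DISTRIB_CODENAME value, or "unknown"
lsb_codename() {
    v=$(sed -n 's/^DISTRIB_CODENAME=//p' "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# cmdline_has_fips FILE -> exit 0 if the kernel was booted with fips=1
cmdline_has_fips() {
    [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'fips=1'
}

# fips_node_state [FIPS_ENABLED_FILE] [CMDLINE_FILE] [LSB_RELEASE_FILE]
# Prints "codename=<c> fips_enabled=<1|0|unknown> cmdline_fips=<yes|no>".
# Returns 0 only when the kernel itself reports FIPS mode, so the call
# can gate later deployment steps.
fips_node_state() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    cmdline_file=${2:-/proc/cmdline}
    lsb_file=${3:-/etc/lsb-release}

    codename=$(lsb_codename "$lsb_file")

    # The flag file is absent on kernels built without FIPS support.
    if [ -r "$flag_file" ]; then
        flag=$(tr -d '[:space:]' < "$flag_file")
    else
        flag=unknown
    fi

    if cmdline_has_fips "$cmdline_file"; then
        boot=yes
    else
        boot=no
    fi

    printf 'codename=%s fips_enabled=%s cmdline_fips=%s\n' \
        "$codename" "$flag" "$boot"
    [ "$flag" = 1 ]
}
```

Source the file and call `fips_node_state` with no arguments once the node has rebooted into the FIPS kernel; the two FIPS fields normally agree, so a node where they differ deserves a closer look.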