Configuring OS default cryptography policy to be compatible with CloudBees licenses.


Issue

After upgrading the operating system on your controller, you may find that the controller requests, or repeatedly requests, a valid license even though the license configured for the instance is still valid.

Before May 24th, 2023, the product license used a SHA1 signature algorithm; after May 24th, 2023, due to SDP-2648, it started using SHA256.

Recent releases of operating systems are hardening their requirements with regard to encryption and security, and a SHA1-signed license can fail the resulting algorithm checks.

The error output may look similar to the following:

ERROR: Invalid Operations Center CA in the license key
Algorithm constraints check failed on signature algorithm: SHA1withRSA

Resolution

Contact CloudBees Customer Success csm-help@cloudbees.com or https://support.cloudbees.com/ for an updated license that uses SHA256.

Workaround

If you want to work around this without requesting a new license, this section explains how to resolve the problem on different operating systems. This list will be updated as new issues are found.

RedHat (9.1)

For controllers and operations centers on RedHat instances (version 9.1 in this example), this issue can be mitigated by changing the cryptography policy on the operating system.

More details on the different levels for RedHat 9.1 can be found here.

The RedHat 9.1 cryptography policy uses SHA1 by default, which should work correctly with the previous version of the license. However, if the default policy is changed to a different one, the check will fail. To mitigate this issue, the policy needs to be changed to the legacy setting. To change the policy, execute the following commands on the operating system. The first command shows the active policy and the second switches it to LEGACY.

update-crypto-policies --show
update-crypto-policies --set LEGACY

After updating the policy, restart the machine where the instance is deployed.

After this the license should be compatible with the operating system.

openSUSE (15.4)

For controllers and operations centers on openSUSE instances (version 15.4 in this example), this issue can be mitigated by changing the cryptography policy on the operating system.

More details on the different levels for openSUSE 15.4 can be found here.

By default, the openSUSE 15.4 cryptography policy uses SHA256. To mitigate this issue, the policy needs to be changed to the legacy setting. To change the policy, execute the following commands on the operating system.

update-crypto-policies --show
update-crypto-policies --set LEGACY

After updating the policy, restart the machine where the instance is deployed.

After this the license should be compatible with the operating system.
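
Because the LEGACY policy applies to the whole operating system, it is worth confirming that the license certificate really carries a SHA1 signature before switching. The script below is an added example, not CloudBees code; it assumes the license certificate has been saved as a PEM file whose path is passed as the first argument, and the function names and result labels are made up for illustration.

```shell
#!/bin/sh
# Added example: check the license certificate before changing the crypto policy.
# Assumption: $1 is the path of a PEM file holding the license certificate.

# Constructed sample of `openssl x509 -noout -text` output (not a real license).
SAMPLE='Certificate:
    Data:
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = constructed-example-ca
    Signature Algorithm: sha1WithRSAEncryption'

# Read openssl text output on stdin, print the first signature algorithm name.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeed when the name denotes a SHA1-based signature. Matches OpenSSL
# names (sha1WithRSAEncryption) and Java names (SHA1withRSA, as in the error).
is_sha1_sig() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *sha1*) return 0 ;;
        *)      return 1 ;;
    esac
}

# $1 = signature algorithm, $2 = output of `update-crypto-policies --show`.
# not-sha1        : the policy workaround is not needed for this certificate
# sha1-legacy     : SHA1 certificate, LEGACY is already the active policy
# sha1-not-legacy : SHA1 certificate, the workaround or a new license applies
assess() {
    if [ -z "$1" ]; then echo "unknown"; return; fi
    if ! is_sha1_sig "$1"; then echo "not-sha1"; return; fi
    case "$2" in
        LEGACY*) echo "sha1-legacy" ;;
        *)       echo "sha1-not-legacy" ;;
    esac
}

if [ -n "${1:-}" ]; then
    alg=$(openssl x509 -in "$1" -noout -text | sig_alg_from_text)
    policy=$(update-crypto-policies --show)
    echo "signature=$alg policy=$policy result=$(assess "$alg" "$policy")"
else
    # No certificate given: run on the constructed sample with a DEFAULT policy.
    echo "demo: $(assess "$(printf '%s\n' "$SAMPLE" | sig_alg_from_text)" DEFAULT)"
fi
```

A result of not-sha1 means the license is already signed with a newer algorithm, so the policy can stay as it is.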