One thing I didn’t realize was that FIPS was being inherited from the host, so just disabling it may not be as trivial. Ultimately I didn’t want to disable it permanently.
When building a stream9 EE I was able to get past the openssl s_client test with the following:

```yaml
prepend_base:
  - RUN update-crypto-policies --set FIPS:NO-ENFORCE-EMS
```

Sourced from: Reddit thread: RHEL9 and FIPS breaking SSSD
Though after that I was experiencing some other SSL-related issues, so I moved on to testing on el8.
In the end I was able to source a ‘ee-minimal-rhel8’ image that I was able to extend with the collections and python modules I needed and that worked perfectly.
I want to revisit building a full image from scratch but for now this has gotten me up and running again. Ultimately the issue was with el9 - fips and support for TLS 1.2 without EMS.
I feel like I learned a lot in the process so that’s always good…
Appreciate the guidance provided. Cheers!
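
An added example, not part of the original post: a shell helper that reads `openssl s_client` output and reports whether the negotiated session is TLS 1.2 without Extended Master Secret (EMS), the combination the post identifies as the problem under el9 FIPS. The function name `classify_ems`, its result labels, and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# classify_ems (hypothetical helper): read `openssl s_client` output on stdin
# and print one of:
#   no-ems    TLS 1.2 or older negotiated without EMS (the failing case here)
#   ok-ems    TLS 1.2 or older negotiated with EMS
#   ok-tls13  TLS 1.3 (EMS does not apply; s_client still prints "no" for it)
#   unknown   no protocol line found, e.g. the handshake never completed
classify_ems() {
    awk '
        /Protocol *:/             { proto = $NF }
        /Extended master secret:/ { ems = $NF }
        END {
            if (proto == "")        { print "unknown";  exit }
            if (proto == "TLSv1.3") { print "ok-tls13"; exit }
            if (ems == "yes")       { print "ok-ems";   exit }
            print "no-ems"
        }'
}

# Constructed samples: trimmed SSL-Session blocks in the layout s_client prints.
SAMPLE_TLS12_NO_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: no'

SAMPLE_TLS12_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: yes'

SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Extended master secret: no'

# Run against the constructed samples so the script works offline.
for s in "$SAMPLE_TLS12_NO_EMS" "$SAMPLE_TLS12_EMS" "$SAMPLE_TLS13"; do
    printf '%s\n' "$s" | classify_ems
done

# Against a live endpoint (host and port are placeholders):
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | classify_ems
```

Run the live check from a host or container that is not enforcing EMS, otherwise the handshake fails before a session block is printed and the result is `unknown`.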