This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

[octogondude]

I've opened this issue over at letsencrypt-win-simple, but was told that the error comes from the ACMESharp library and to open an issue here. Anyways, here it goes:

Trying to use letsencrypt-win-simple on our security hardened Windows Server 2012 R2 to obtain a certificate for one of our IIS Site bindings i get the following error:

System.Reflection.TargetInvocationException: Exception has been thrown by the ta
rget of an invocation. ---> System.InvalidOperationException: This implementatio
n is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA256Managed..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments,
Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, B
inder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Obje
ct[] args)
at System.Security.Cryptography.SHA256.Create()
at ACMESharp.JOSE.JwsHelper.ComputeKeyAuthorization(ISigner signer, String to
ken)
at ACMESharp.ACME.Providers.HttpChallengeDecoder.Decode(IdentifierPart ip, Ch
allengePart cp, ISigner signer)
at ACMESharp.AcmeClient.DecodeChallenge(AuthorizationState authzState, String
challengeType)
at LetsEncrypt.ACME.Simple.Program.Authorize(Target target)
at LetsEncrypt.ACME.Simple.Program.Auto(Target binding)
at LetsEncrypt.ACME.Simple.Plugin.Auto(Target target)
at LetsEncrypt.ACME.Simple.Program.Main(String[] args)
Press enter to continue.

[bseddon]

I guess you have two solutions. One will be to compile ACMESharp and change the call to SHA256.Create() to SHA256Cng.Create() on line 173 of file '.\ACMESharp\ACMESharp\JOSE\JwsHelper.cs' so the hash algorithm used is the FIPS compliant one.

The other will be to use ACMESharp on a different machine that does not use the FIPS registry setting and either use the DNS challenge or the HTTP challenge and add the challenge token to the web site on the web server manually.

[ebekker]

I'll create an enhancement request to be able to support this better natively in the future, but if you really need it now, I agree with @bseddon, those are you best immediate options.

[ebekker]

@octogondude, thanks to @bseddon for digging a little deeper into the situation in #128, you may have an alternative for your immediate case. He referenced this StackOverflow article which reminded me that I'm just invoking the default implementation of the SHA2 hashing algorithm and by default this will make use of the managed implementation, but you as the user can override what is the default implementation either a the machine level, via machine.config or even at the application level via app.config.

In the case of PowerShell, you can either modify the .config file for the whole of the PowerShell system, which may not be a bad idea in your case anyway, since it would harden the default used in other cases of PowerShell for your secure environment, or there appears to be way to do it on a script-by-script basis, based on this.

Hopefully this addresses your immediate need.

[bseddon]

@ebekker read the StackOverflow post more carefully than me. On re-reading I can see it is possible to change dynamically the default algorithm used. This command will change the default SHA256 algorithm used from SHA256 to SHA256Cng:

[System.Security.Cryptography.CryptoConfig]::AddAlgorithm([System.Security.Cryptography.SHA256Cng], "System.Security.Cryptography.SHA256")

You can test this using the command:

[System.Security.Cryptography.SHA256]::Create().GetType().Name

When you should see the name is reported as SHA256Cng not SHA256Managed as it normally would.

These changes do appear to be ephemeral. When the shell ends the next invocation of the shell does not have a changed configuration.

I've not tested to see if this configuration change is still in place when an ACMESharp command is run though I've no reason to believe it will not be.

[ebekker]

Good deal, that's even better as you don't have to mess with .config files anywhere, just make the change in your POSH script or at the start of your session.

[octogondude]

Thank you very much for all of your input!

[flennic]

A nice workaround which worked for me and may help other people coming to this issue from letsencrypt-win-simple:

If there is a .config file (mine was letsencrypt.exe.config) insert the following marked with stars:

<runtime>
    **<enforceFIPSPolicy enabled="false"/>**
    ...
</runtime>

This disables the policy for this program only and you can delete the line after you're done. Hope that helps someone.

Cheers
flennic

[ebekker]

Thanks @flennic !

[blakeduffey]

Good morning. I'm here from the Windows ACME Simple (formerly letsencrypt-win-simple) If I launch letsencrypt.exe on a Windows 2016 host with FIPS mode enabled, i receive

[EROR] InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

which is expected based on the above information. If i edit the letsencrypt.exe.config as described by flennic, based on my testing there is no change. Are there any other well known FIPS workarounds? Or has there been any progress on supporting such platforms?

[flennic]

I had a typo in the config (" and / swapped). Check that if you copy/pasted.

[blakeduffey]

Thanks so much! I HAVE been accused of being 'too literal' :)