From a342eb55469f8b92bc9550e4474ba04a2fd3dd58 Mon Sep 17 00:00:00 2001
From: Josh McCullough <JoshMcCullough@users.noreply.github.com>
Date: Thu, 23 Jan 2020 13:58:36 -0500
Subject: [PATCH] fixes #1948 -- MD5 on FIPS systems (#7708)

* use MD5 in non-security mode to get around FIPS issue

* update CHANGELOG

* add myself to AUTHORS

* ignore hashlib params
---
 AUTHORS.md                           |  1 +
 certbot/CHANGELOG.md                 |  1 +
 certbot/certbot/_internal/account.py | 17 ++++++++++++-----
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/AUTHORS.md b/AUTHORS.md
index d24c5be1d..e89cd9d57 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -124,6 +124,7 @@ Authors
 * [Jonathan Herlin](https://github.com/Jonher937)
 * [Jon Walsh](https://github.com/code-tree)
 * [Joona Hoikkala](https://github.com/joohoi)
+* [Josh McCullough](https://github.com/JoshMcCullough)
 * [Josh Soref](https://github.com/jsoref)
 * [Joubin Jabbari](https://github.com/joubin)
 * [Juho Juopperi](https://github.com/jkjuopperi)
diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 84de0bfe5..7d824d714 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -11,6 +11,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 ### Changed
 
 * Add directory field to error message when field is missing.
+* If MD5 hasher is not available, try it in non-security mode (fix for FIPS systems) -- [#1948](https://github.com/certbot/certbot/issues/1948)
 
 ### Fixed
 
diff --git a/certbot/certbot/_internal/account.py b/certbot/certbot/_internal/account.py
index c4ea6ef35..61f63bda6 100644
--- a/certbot/certbot/_internal/account.py
+++ b/certbot/certbot/_internal/account.py
@@ -56,11 +56,18 @@ class Account(object):
                 tz=pytz.UTC).replace(microsecond=0),
             creation_host=socket.getfqdn()) if meta is None else meta
 
-        self.id = hashlib.md5(
-            self.key.key.public_key().public_bytes(
-                encoding=serialization.Encoding.PEM,
-                format=serialization.PublicFormat.SubjectPublicKeyInfo)
-        ).hexdigest()
+        # try MD5, else use MD5 in non-security mode (e.g. for FIPS systems / RHEL)
+        try:
+            hasher = hashlib.md5()
+        except ValueError:
+            hasher = hashlib.new('md5', usedforsecurity=False) # type: ignore
+
+        hasher.update(self.key.key.public_key().public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo)
+        )
+
+        self.id = hasher.hexdigest()
         # Implementation note: Email? Multiple accounts can have the
         # same email address. Registration URI? Assigned by the
         # server, not guaranteed to be stable over time, nor