IvanAnishchuk/aws-cfn-bootstrap

cfnbootstrap - error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips on Amazon Linux V2


alrf commented

File from S3 can't be written by cfnbootstrap on Amazon Linux V2:

2019-12-04 15:51:27,668 [ERROR] -----------------------BUILD FAILED!------------------------
Traceback (most recent call last):
  File "/opt/aws/bin/cfn-init", line 171, in <module>
    worklog.build(metadata, configSets)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 129, in build
    Contractor(metadata).build(configSets, self)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 530, in build
    self.run_config(config, worklog)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 542, in run_config
    CloudFormationCarpenter(config, self._auth_config).build(worklog)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/construction.py", line 251, in build
    changes['files'] = FileTool().apply(self._config.files, self._auth_config)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/file_tool.py", line 138, in apply
    self._write_file(f, attribs, auth_config)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/file_tool.py", line 225, in _write_file
    raise ToolError("Failed to retrieve %s: %s" % (source, e.strerror))
ToolError: Failed to retrieve https://bucket.s3-us-west-1.amazonaws.com/dir/infrastructure/install_agents.sh:  error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Debug info, fips enabled:

[root@ip-10-64-9-223:/var/log]# pip list |grep cfn
aws-cfn-bootstrap            1.4     
[root@ip-10-64-9-223:/var/log]#
[root@ip-10-64-9-223:/home/ec2-user]# cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
[root@ip-10-64-9-223:/home/ec2-user]# getenforce 
Permissive
[root@ip-10-64-9-223:/home/ec2-user]#
[root@ip-10-64-9-223:/usr/lib/python2.7/site-packages/cfnbootstrap]# cat /proc/sys/crypto/fips_enabled
1
[root@ip-10-64-9-223:/usr/lib/python2.7/site-packages/cfnbootstrap]# 

Everything worked before on Amazon Linux v1; it looks like cfnbootstrap doesn't support FIPS.

Additional log:

2019-12-05 08:30:51,400 [ERROR] Unexpected Exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/util.py", line 162, in _retry
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/file_tool.py", line 240, in _write_remote_file
    remote_contents = util.EtagCheckedResponse(requests.get(source, **opts))
  File "/usr/lib/python2.7/site-packages/cfnbootstrap/util.py", line 89, in __init__
    self._digest = hashlib.md5() if self._etag else NoOpDigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

So, /usr/lib/python2.7/site-packages/cfnbootstrap/util.py file should be fixed.

I was able to fix this issue:
File /usr/lib/python2.7/site-packages/cfnbootstrap/util.py, line 89:
self._digest = hashlib.md5() if self._etag else NoOpDigest()
should be replaced with:

        if self._etag:
            try:
                self._digest = hashlib.md5()
            except ValueError:
                # md5 isn't available in FIPS mode; usedforsecurity=False asks
                # for a non-approved digest (the keyword exists in the Red Hat /
                # Amazon Linux patched hashlib and in upstream Python 3.9+)
                self._digest = hashlib.md5(usedforsecurity=False)
        else:
            self._digest = NoOpDigest()

Similar issues:
https://bugzilla.redhat.com/show_bug.cgi?id=1466047
https://code.djangoproject.com/ticket/28401
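The same approach as a stand-alone Python 3 example (added here; this is not cfnbootstrap's code and the function names `non_security_md5` and `check_s3_etag` are my own). It shows the FIPS-safe way to obtain an MD5 object for a checksum and uses it the way cfn-init's ETag check does: compare the MD5 of the downloaded body with the S3 ETag header, skipping ETags that are not a plain MD5. The sample body and ETag values are constructed for the demonstration. It assumes either Python 3.9+ or a Red Hat / Amazon Linux patched interpreter that accepts `usedforsecurity=False`; on an older unpatched interpreter it falls back to plain `md5()`, which still works on non-FIPS hosts.

```python
import hashlib


def non_security_md5():
    """Return an MD5 digest object for use as a checksum, not as a security control.

    On a FIPS-enabled host (/proc/sys/crypto/fips_enabled == 1) the OpenSSL
    backend refuses plain hashlib.md5() with
    "error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips".
    Python 3.9+ and the Red Hat / Amazon Linux patched builds accept
    usedforsecurity=False to obtain the non-approved digest anyway; unpatched
    older interpreters raise TypeError on the unknown keyword (assumption).
    """
    try:
        return hashlib.md5(usedforsecurity=False)
    except TypeError:
        # No usedforsecurity keyword: plain md5() works on non-FIPS hosts and
        # raises ValueError on FIPS hosts, which we turn into a clear error.
        try:
            return hashlib.md5()
        except ValueError as exc:
            raise RuntimeError(
                "MD5 is disabled in FIPS mode and this interpreter lacks "
                "hashlib.md5(usedforsecurity=False)") from exc


def check_s3_etag(body, etag_header):
    """Compare the MD5 of a downloaded S3 object with its ETag header.

    Returns True on match, False on mismatch, and None when the ETag is not a
    plain MD5 (multipart uploads produce "<md5-of-part-md5s>-<parts>"), so the
    caller can skip the check rather than reject a good download.

    This guards against truncated or corrupted transfers only. It is not an
    authenticity check: the ETag arrives over the same TLS channel as the body,
    so anyone who can alter the body can alter the ETag too.
    """
    if etag_header is None:
        return None
    etag = etag_header.strip().strip('"').lower()
    if "-" in etag or len(etag) != 32:
        return None
    digest = non_security_md5()
    digest.update(body)
    return digest.hexdigest() == etag


def demo():
    """Run the check over a constructed body and ETag values (sample data, not S3 output)."""
    sample_body = b"hello world"  # constructed sample download
    good_etag = '"5eb63bbbe01eeed093cb22bb8f5acdc3"'  # MD5 of the sample body
    bad_etag = '"d41d8cd98f00b204e9800998ecf8427e"'   # MD5 of the empty string
    multipart_etag = '"5eb63bbbe01eeed093cb22bb8f5acdc3-2"'
    return {
        "match": check_s3_etag(sample_body, good_etag),
        "mismatch": check_s3_etag(sample_body, bad_etag),
        "multipart_skipped": check_s3_etag(sample_body, multipart_etag),
        "no_etag_skipped": check_s3_etag(sample_body, None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%s: %r" % (name, result))
```

Whether the `usedforsecurity=False` path or the plain `md5()` path is taken depends only on the interpreter; `demo()` returns the same results on a FIPS host as on a non-FIPS host.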