Thursday, 12 November 2020

Random weirdness with OpenSSL on Ubuntu 18.04.5

I hit an interesting problem today, whilst trying to create a public/private key pair: -

openssl req -subj '/C=GB/O=IBM/CN=david_hay.uk.ibm.com' -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ~/nginx/nginx.crt -keyout ~/nginx/nginx.key

Can't load /root/.rnd into RNG
4396464178976:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Generating a RSA private key
........................++++
........................++++
writing new private key to '/root/nginx/nginx.key'
-----

on an Ubuntu box: -

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

(actually it's an Ubuntu container running on an IBM Z box, via the Secure Service Container technology, but that's not the point of the story here!)

I'd not seen that before ... but I noticed that the missing file was .rnd in my user's home directory - /root.

Taking a punt, I tried creating that file: -

touch ~/.rnd

and re-ran the openssl command: -

openssl req -subj '/C=GB/O=IBM/CN=david_hay.uk.ibm.com' -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ~/nginx/nginx.crt -keyout ~/nginx/nginx.key

Generating a RSA private key
....................................................................++++
..++++
writing new private key to '/root/nginx/nginx.key'
-----

I'd previously run the same command on a different Ubuntu container: -

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04 LTS
Release: 18.04
Codename: bionic

without similar issues.

Both are running the same version of openssl namely: -

openssl version

OpenSSL 1.1.1  11 Sep 2018

Using this as a source: -


I used openssl to generate the .rnd file: -

openssl rand -out /root/.rnd -hex 256

and validated that I could still generate the key pair: -

openssl req -subj '/C=GB/O=IBM/CN=david_hay.uk.ibm.com' -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ~/nginx/nginx.crt -keyout ~/nginx/nginx.key

Generating a RSA private key
.....................................................................++++
..................++++
writing new private key to '/root/nginx/nginx.key'
-----

Weird !
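
A pre-flight check for the seed file named in the error message, as an added example that is not part of the original post. The function name ensure_rndfile, the owner-only 0600 mode, the symlink refusal and the /dev/urandom fallback are assumptions of this example; the fill command is the `openssl rand` call used above.

```shell
# Added example (not from the original post): make sure the OpenSSL seed
# file exists, is non-empty and is readable by its owner only.
# Usage: ensure_rndfile [PATH]   (default: $RANDFILE, else $HOME/.rnd)
# Prints "created", "ok", "refused" or "failed".
ensure_rndfile() {
    rnd="${1:-${RANDFILE:-$HOME/.rnd}}"
    state=ok

    # Refuse symlinks and anything that is not a regular file: the path is
    # about to be written to with the current user's privileges.
    if [ -L "$rnd" ] || { [ -e "$rnd" ] && [ ! -f "$rnd" ]; }; then
        echo "refused"
        return 1
    fi

    # Missing or empty (for example after a bare `touch`): fill it.
    if [ ! -s "$rnd" ]; then
        (
            umask 077    # create the file private from the start
            if command -v openssl >/dev/null 2>&1; then
                openssl rand -out "$rnd" -hex 256
            else
                # Assumed fallback for hosts without the openssl CLI.
                head -c 256 /dev/urandom > "$rnd"
            fi
        ) || { echo "failed"; return 1; }
        state=created
    fi

    # An existing file may have been created with a permissive umask.
    chmod 600 "$rnd" || { echo "failed"; return 1; }
    echo "$state"
}
```

Calling `ensure_rndfile` with no argument before the `openssl req` command covers the `/root/.rnd` case from the post when run as root.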
