Re: Apache, Open-ssl "PRNG not seeded" when making certificate,
Occasional Advisor
Jim Loucks
Posts: 7
Registered: ‎03-06-2002
Message 1 of 9 (290 Views)
Accepted Solution

Apache, Open-ssl "PRNG not seeded" when making certificate,

In trying to get Apache and open-ssl running, one of the last steps is to "make certificate" in the ...apache/src directory. The make returns the following error:

13909:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
13909:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

In looking at the above URL in the error message, I was led to this page:

http://www.apache-ssl.org/docs.html#SSLRandomFile

Which gives this example:

SSLRandomFile file /dev/urandom 1024

I can't figure out what that means or what I'm supposed to do with it. I've changed a line in the Configuration file from:

Rule DEV_RANDOM=default

to
Rule DEV_RANDOM=truerand

But still cannot make the certificate. The /dev/urandom device (nor /dev/random) exist on this box.

Occasional Advisor
Jim Loucks
Posts: 7
Registered: ‎03-06-2002
Message 2 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Whoops. Got a typo in my first post. The /dev/random and /dev/urandom devices do NOT exist on this system.
Honored Contributor
Jeff Schussele
Posts: 6,795
Registered: ‎02-18-2002
Message 3 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Jim,

This earlier thread might help:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x05c50bce6f33d6118fff0090279cd0f9,00.html

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Occasional Advisor
Jim Loucks
Posts: 7
Registered: ‎03-06-2002
Message 4 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Thanks, Jeff. I tried something similar before posting to no avail. Then I tried what was recommended in the thread you pointed me to, only to get the same error.
Honored Contributor
Sridhar Bhaskarla
Posts: 6,350
Registered: ‎08-15-2001
Message 5 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Hi Jim,

I created my own certificate using the following process.

#cd /opt/apache/ssl
#./openssl req -new -keyout myprivate.key -out mypublic.csr
Answer few questions here...
#./openssl rsa -in myprivate.key -out my.cert.key
#./openssl x509 -in mypublic.csr -out my.cert.cert -req -signkey my.cert.key -days 365

This worked for me.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Honored Contributor
Jeff Schussele
Posts: 6,795
Registered: ‎02-18-2002
Message 6 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Jim,

Well, w/o /dev/random (as almost all other flavors have) we HPers are stuck with random(3m) which of course is useless cryptographically.
Good luck - I suggest you call/write the Apache folks & gently remind them you're installing on HP-UX & ask them what the heck you're supposed to do w/o a /dev/random?

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Occasional Advisor
Jim Loucks
Posts: 7
Registered: ‎03-06-2002
Message 7 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Jeff - I'll probably have to do that. Thanks.

Sri,

When I try what was successful for you I get the same error:

./openssl req -new -keyout myprivate.key -out mypublic.csr
Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Generating a 1024 bit RSA private key
14805:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
14805:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:


Honored Contributor
Sridhar Bhaskarla
Posts: 6,350
Registered: ‎08-15-2001
Message 8 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Hi Jim,

Sorry I didn't read your message clearly. I knew I had this problem as on HP you don't have /dev/random. There is a work around for it if I remember correctly, it will initialize a .rnd file in root's home.

Take three more test files and compress them. You can use files like /var/adm/sw/swagent.log etc.,

Use the command

#openssl genrsa -des3 -rand file1.Z:file2.Z:file3.Z -out my.key 1024

After generating the key, verify if you have the file .rnd in your home directory. You should not get this error from then onwards.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
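
The workaround in the post above, as an added example that is not part of the original thread: a small sh helper that checks for a kernel random device and, if none exists (the HP-UX case here), builds the colon-separated -rand list from whichever candidate files are actually readable and non-empty. The function names and the RANDOM_DEVICES override are assumptions made for this example; RANDFILE is the OpenSSL environment variable that relocates the .rnd seed file.

```shell
#!/bin/sh
# Added example: pick a seed source for openssl on a host that may lack
# /dev/random. Function names and RANDOM_DEVICES are hypothetical.

# Print the first readable character device among the arguments.
find_random_device() {
    for dev in "$@"; do
        if [ -c "$dev" ] && [ -r "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Join the readable, non-empty regular files among the arguments with ':',
# the separator openssl's -rand option uses on Unix. Fails if none qualify.
build_rand_arg() {
    list=
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ] || continue
        list="${list:+$list:}$f"
    done
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Print the genrsa command to run. $1 = output key file, remaining
# arguments = candidate seed files (e.g. compressed logs, as in the post).
seed_command() {
    out=$1; shift
    if find_random_device ${RANDOM_DEVICES:-/dev/urandom /dev/random} >/dev/null; then
        # A kernel device exists, so OpenSSL seeds itself and -rand is not needed.
        printf 'openssl genrsa -des3 -out %s 1024\n' "$out"
    elif files=$(build_rand_arg "$@"); then
        printf 'openssl genrsa -des3 -rand %s -out %s 1024\n' "$files" "$out"
    else
        echo "no random device and no usable seed files" >&2
        return 1
    fi
}

# True once the seed file exists and is non-empty ($HOME/.rnd unless
# RANDFILE points elsewhere), the check the post recommends after genrsa.
seed_file_ready() {
    [ -s "${RANDFILE:-$HOME/.rnd}" ]
}
```

The generated key is only as unpredictable as the files passed to -rand, so pick inputs whose contents an outsider cannot reconstruct.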
Occasional Advisor
Jim Loucks
Posts: 7
Registered: ‎03-06-2002
Message 9 of 9 (290 Views)

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Thanks, Sri. That did it. I was working on a similar idea but didn't know about the .rnd file. Is this documented somewhere?