Can't load /root/.rnd into RNG : where can I find it, or how to create it?

random-number-generator openssl

I'm trying to setup a VPN server with OpenVPN, on an Ubuntu Server 18.04, and I want to use EasyRSA to build my PKI CA.

So, while connected as root, I launch the EasyRSA scripts which I copied to /etc/openvpn/easy-rsa. Everything works fine with ./clean-alland ./build-dh, but when I try to launch ./pkitool --initca, I get this error :

Can't load /root/.rnd into RNG
140171234709952:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd

In the openssl confing file (/etc/openvpn/easy-rsa/openssl-1.0.0.cnf), I find this line which indicates why it tries to reach /root/.rnd :

RANDFILE    = $ENV::HOME/.rnd

From what I read and understood online, .rnd is a seed that openssl uses to generate random numbers. The strange thing is : even though I get this error, the RSA private key IS generated by the script. I just fear that it is not random, since it lacks a seed.

So my problem is : this file doesn't exist on my system, it is not in /root/, not in /home/user/ which is my only other user, and find / -name ".rnd" returns nothing. Even find / -iname "*.rnd" returns nothing.

And I don't even know how I can create it, or if I understood this all wrong.


even though I get this error, the RSA private key IS generated by the script

The file doesn't need to exist; OpenSSL creates it on its own after the first time.

I just fear that it is not random, since it lacks a seed.

The OS provides the seed using its own RNG through /dev/urandom or through system calls such as getentropy() or CryptGenRandom(). There's no need for you to provide anything extra.

I would guess that the .rnd file is more or less a leftover from the days when the OS lacked a good CSPRNG, possibly when the Linux /dev/urandom was considered poor-quality (and /dev/random produced data very slowly due to "entropy accounting"). Now it is no longer the case, and relying entirely on a seed stored on some file in your homedir would actually be less secure.


Create one in expected path

cd ~/; openssl rand -writerand .rnd

OpenSSL creates it on its own after the first time.

Actually, it doesn't, no matter how many times I launch the script or if I just try to use the openssl rand command directly, it is never created.

But you were right : I generated two keys to check if they were different and they were.

Thank you for your help.


Remark the RANDFILE line in /etc/ssl/openssl.conf more

Related

How to disable the screen (Linux without X)
How do I recursively remove subdirectories and files, but not the first parent directory?
Is there a way to make a persistent IRC account that I can read missed / old messages with?
Anyone know how to modify settings for the Apple Magic Trackpad on Windows (without Boot Camp)?
In linux, why are folders for configuration files always named *.d
why does Windows 7 x64 Explorer.exe suddenly gobble up all available RAM and slow my system to a crawl?
Better GUI for vim?
What is the difference between a link local address and an IP address in the private address space?
How do I uninstall a Windows service using a PowerShell script?
List file range with UNIX wildcards
Why is gzip slow despite CPU and hard drive performance not being maxed out?
Could I access a blocked website via a virtual machine if the host OS has the web address blocked in its hosts file?