Dr. Jason Amerson

Reputation: 123

Random Number Error with Self-Signed Certificate

I have been trying to create a self-signed certificate but I keep getting an error related to the random number generator. I entered this in the terminal:

openssl req -x509 -days 365 -sha256 -newkey rsa:4096 -keyout mycert.pem -out mycert.pem

I then get the prompt to enter my information. I get through that just fine but when I press enter, I get the following error:

Cannot write random bytes:

139680915939776:error:2407007A:random number generator:RAND_write_file:Not a regular file:crypto/rand/randfile.c:163:Filename=/home/user/.rnd

Upvotes: 6

Views: 4363

Answers (3)

EML

Reputation: 10261

openssl needs a file which stores 256 bytes of seed data; it has to both read and write this file. The default name of this file is .rnd, but its location varies by system. In your case, it's /home/user/.rnd, which presumably doesn't exist.

Instead of relying on the default name, you can set the location in the RANDFILE environment variable, or assign it to RANDFILE in an openssl configuration file.

Before running openssl, write 256 bytes of random data to this file:

dd if=/dev/urandom of=randfile bs=256 count=1

This creates the file 'randfile', so put this file name in your config file, or assign it to the RANDFILE envvar, or change it to .rnd.

@Maleka: The issue with Dovecot is that RANDFILE is set incorrectly in dovecot-openssl.conf. The original is:

RANDFILE = /dev/urandom

This won't work, since /dev/urandom is a special file and you can't write to it. Create 'randfile' as above, and change this line to

RANDFILE = randfile

See also this answer.

Upvotes: 1
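The two preconditions behind the error in the question (RANDFILE must be a regular file, not a device like /dev/urandom, and must be readable and writable by the user running openssl) can be checked before calling openssl. The following is an added example, not code from this answer or from OpenSSL; the function names and the ./randfile path are my own choices.

```shell
# prepare_randfile PATH
# Creates PATH with 256 bytes from /dev/urandom (the dd command from the
# answer above) and restricts it to the owner, since it is seed material.
# Refuses to overwrite anything that exists but is not a regular file.
prepare_randfile() {
    _rf="$1"
    if [ -e "$_rf" ] && [ ! -f "$_rf" ]; then
        echo "refusing: $_rf exists and is not a regular file" >&2
        return 1
    fi
    dd if=/dev/urandom of="$_rf" bs=256 count=1 2>/dev/null || return 1
    chmod 600 "$_rf"
}

# check_randfile PATH
# Returns 0 only if PATH is a regular file the current user can read and
# write and that holds at least 256 bytes; otherwise reports why openssl
# would fail with RAND_write_file on it.
check_randfile() {
    _rf="$1"
    if [ ! -e "$_rf" ]; then
        echo "missing: $_rf (openssl will try to create it)" >&2
        return 2
    fi
    if [ ! -f "$_rf" ]; then
        # This is the "Not a regular file" case, e.g. RANDFILE=/dev/urandom
        echo "not a regular file: $_rf" >&2
        return 3
    fi
    if [ ! -r "$_rf" ] || [ ! -w "$_rf" ]; then
        echo "no read/write access: $_rf" >&2
        return 4
    fi
    _size=$(wc -c < "$_rf" | tr -d ' ')
    if [ "$_size" -lt 256 ]; then
        echo "too small: $_rf has $_size bytes, need 256" >&2
        return 5
    fi
    return 0
}

# Typical use (hypothetical path): seed the file, verify it, then export it
# so the openssl req command from the question picks it up.
# RANDFILE=./randfile
# prepare_randfile "$RANDFILE" && check_randfile "$RANDFILE" && export RANDFILE
```

Running check_randfile against the path from the question's error message (/home/user/.rnd) tells you which of the three failure modes (missing directory, wrong file type, permissions) applies.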

arkhi

Reputation: 508

It might be that you are not allowed to write /home/user/.rnd with the user running the command.

You might want to check your access rights or if /home/user exists.

Upvotes: 0

Maleka

Reputation: 90

The issue was solved by using the following code as a replacement for /usr/share/dovecot/dovecot-openssl.cnf content:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.example.com

# E-mail contact
[email protected]

[ cert_type ]
nsCertType = server

Upvotes: 0
