Luke Francl

Reputation: 31444

Using OpenSSL what does "unable to write 'random state'" mean?

I'm generating a self-signed SSL certificate to protect my server's admin section, and I keep getting this message from OpenSSL:

unable to write 'random state'

What does this mean?

This is on an Ubuntu server. I have upgraded libssl to fix the recent security vulnerability.

Upvotes: 435

Views: 299932

Answers (9)

Guilherme Mussi

Reputation: 1057

I have come across this problem today on AWS Lambda. I created an environment variable:

export RANDFILE="/tmp/.random"

That did the trick.

Upvotes: 11

Om Prakash N

Reputation: 149

For anyone who is unable to open the cmd with "run as admin" option. I had the same issue. Running set RANDFILE=.rnd in the cmd worked for me.

Upvotes: 1

Gangnus

Reputation: 24464

You should set the $RANDFILE environment variable and/or create $HOME/.rnd file. (OpenSSL FAQ). (Of course, you should have rights to that file. Other answers here are about that. But first you should have the file and a reference to it.)

Up to version 0.9.6 OpenSSL wrote the seeding file in the current directory in the file ".rnd". At version 0.9.6a you have no default seeding file. OpenSSL 0.9.6b and later will behave similarly to 0.9.6a, but will use a default of "C:\" for HOME on Windows systems if the environment variable has not been set.

If the default seeding file does not exist or is too short, the "PRNG not seeded" error message may occur.

The $RANDFILE environment variable and $HOME/.rnd are only used by the OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming with the application.

Upvotes: 8

Luke Francl

Reputation: 31444

Apparently, I needed to run OpenSSL as root in order for it to have permission to the seeding file.

Upvotes: 19

joel

Reputation: 511

One other issue on the Windows platform, make sure you are running your command prompt as an Administrative User!

I don't know how many times this has bitten me...

Upvotes: 47

Jusuf

Reputation: 131

I had the same thing on Windows server. Then I figured it out by changing the vars.bat which is:

set HOME=C:\Program Files (x86)\OpenVPN\easy-rsa

then redo from beginning and everything should be fine.

Upvotes: 13

Beachhouse

Reputation: 5052

I know this question is on Linux, but on Windows I had the same issue. Turns out you have to start the command prompt in "Run As Administrator" mode for it to work. Otherwise you get the same: unable to write 'random state' error.

Upvotes: 295

Ville Laurikari

Reputation: 29248

In practice, the most common reason for this happening seems to be that the .rnd file in your home directory is owned by root rather than your account. The quick fix:

sudo rm ~/.rnd

For more information, here's the entry from the OpenSSL FAQ:

Sometimes the openssl command line utility does not abort with a "PRNG not seeded" error message, but complains that it is "unable to write 'random state'". This message refers to the default seeding file (see previous answer). A possible reason is that no default filename is known because neither RANDFILE nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the current directory in this case, but this has changed with 0.9.6a.)

So I would check RANDFILE, HOME, and permissions to write to those places in the filesystem.

If everything seems to be in order, you could try running with strace and see what exactly is going on.

Upvotes: 570
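
A diagnostic for the checks suggested in the answer above (RANDFILE, HOME, and write permissions), as an added example that is not part of any answer on this page. The function names and status words are made up for illustration, and the lookup order ($RANDFILE first, then $HOME/.rnd) is assumed from the FAQ text quoted above.

```shell
#!/bin/sh
# Added example (not from the original answers): report why the openssl CLI
# may be unable to write its seeding file. Assumes the lookup order in the
# FAQ text quoted above: $RANDFILE first, then $HOME/.rnd.

# Print the seeding file path, or return 1 if neither variable is set.
seed_file_path() {
    if [ -n "${RANDFILE:-}" ]; then
        printf '%s\n' "$RANDFILE"
    elif [ -n "${HOME:-}" ]; then
        printf '%s\n' "$HOME/.rnd"
    else
        return 1
    fi
}

# Print one status word on stdout and return non-zero unless it is "ok":
#   no-path           neither RANDFILE nor HOME is set
#   is-directory      the path names a directory, not a file
#   not-writable      file exists but this user cannot write it
#   no-dir            the containing directory does not exist
#   dir-not-writable  file is absent and cannot be created
check_seed_file() {
    seed_path=$(seed_file_path) || { echo "no-path"; return 1; }
    seed_dir=$(dirname -- "$seed_path")
    if [ -d "$seed_path" ]; then
        echo "is-directory"; return 2
    elif [ -e "$seed_path" ]; then
        if [ -w "$seed_path" ]; then echo "ok"; return 0; fi
        # Typical cause on this page: a ~/.rnd owned by root, not this account.
        echo "owner: $(ls -ld -- "$seed_path" | awk '{print $3}')" >&2
        echo "not-writable"; return 3
    elif [ ! -d "$seed_dir" ]; then
        echo "no-dir"; return 4
    elif [ -w "$seed_dir" ]; then
        echo "ok"; return 0
    fi
    echo "dir-not-writable"; return 5
}

# Stand-alone run: show the resolved path and its status for this shell.
printf '%s -> %s\n' "$(seed_file_path || echo '<no path>')" "$(check_seed_file || true)"
```

Run it as the same user, and in the same shell environment, that runs the openssl command, since the result depends on that account's HOME, RANDFILE and file permissions.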

Zds

Reputation: 4359

The problem for me was that I had .rnd in my home directory but it was owned by root. Deleting it and reissuing the openssl command fixed this.

Upvotes: 6
