On 2021-06-23 14:46:37 [+0200], Andreas Beckmann wrote:
> Writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
> -----
> Warning: No -copy_extensions given; ignoring any extensions in the request
> Cannot write random bytes:
> 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not
> a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
…
> Hmm, well, yes, /dev/urandom is not a regular file. It's a character device
> node.
This is from
  -config $file -> RANDFILE = /dev/urandom

The rejection of device nodes is new in the 3.0.0 release. In the past
openssl used to have its .rnd where it kept track of a random state. So it
read the RANDFILE to seed and wrote it back to avoid having the same state
on the next invocation. This is gone since 1.1.0 (I think) and openssl uses
getrandom() to initialize its random generator. It is no longer needed to
specify /dev/urandom as RANDFILE to seed it initially. In this case it will
read urandom and additionally use getrandom(), and both provide
pseudo-random data from exactly the same pool. And then after the operation,
openssl will write it back…

I would argue to remove RANDFILE from the template. On the other hand there
is nothing wrong with writing it back to a device node file. Kurt?

> cheers,
>
> Andreas

Sebastian
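An added example, not from this thread or the ssl-cert package: a small POSIX sh script that finds a `RANDFILE` entry pointing at a device node in an openssl config (the setting OpenSSL 3.0's `RAND_write_file` rejects with "Not a regular file"), strips it, and runs `openssl req` on the cleaned config. The sample config, the `gen_selfsigned` function and its output paths are constructed for the example.

```shell
#!/bin/sh
# Constructed sample config in the style of a req template (assumed layout).
SAMPLE_CONF='[ req ]
RANDFILE = /dev/urandom
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = localhost
'

# Print the RANDFILE path named by the config on stdin (first match, if any).
randfile_path() {
    sed -n 's/^[[:space:]]*RANDFILE[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 if the given path exists but is not a regular file, e.g. a
# character device such as /dev/urandom. OpenSSL >= 3.0 refuses to write
# its random state back to such a path, which is the error in the thread.
randfile_is_irregular() {
    [ -n "$1" ] && [ -e "$1" ] && [ ! -f "$1" ]
}

# Copy the config on stdin to stdout with any RANDFILE line removed. OpenSSL
# seeds from getrandom() on its own, so the entry adds nothing.
strip_randfile() {
    sed '/^[[:space:]]*RANDFILE[[:space:]]*=/d'
}

# Generate a self-signed key and cert from a config file, dropping RANDFILE
# first when it names a device node. Usage: gen_selfsigned CONF KEY CERT
gen_selfsigned() {
    conf=$1; key=$2; cert=$3
    rf=$(randfile_path < "$conf")
    if randfile_is_irregular "$rf"; then
        cleaned=$(mktemp) || return 1
        strip_randfile < "$conf" > "$cleaned"
        conf=$cleaned
    fi
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$conf" -keyout "$key" -out "$cert"
}
```

Only the config handling is exercised below; `gen_selfsigned` needs an `openssl` binary on the PATH.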