430

I'm generating a self-signed SSL certificate to protect my server's admin section, and I keep getting this message from OpenSSL:

unable to write 'random state'

What does this mean?

This is on an Ubuntu server. I have upgraded libssl to fix the recent security vulnerability.

Mark Amery
Luke Francl
  • I am seeing that even though this error is thrown, it won't stop it from generating the intended certificate format file. I was using a different openssl command to convert the .crt to .pfx, and it indeed output the pfx even though this error is printed. – rinilnath Dec 16 '22 at 13:22

9 Answers

569

In practice, the most common reason for this happening seems to be that the .rnd file in your home directory is owned by root rather than your account. The quick fix:

sudo rm ~/.rnd

For more information, here's the entry from the OpenSSL FAQ:

Sometimes the openssl command line utility does not abort with a "PRNG not seeded" error message, but complains that it is "unable to write 'random state'". This message refers to the default seeding file (see previous answer). A possible reason is that no default filename is known because neither RANDFILE nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the current directory in this case, but this has changed with 0.9.6a.)

So I would check RANDFILE, HOME, and permissions to write to those places in the filesystem.

If everything seems to be in order, you could try running with strace and see what exactly is going on.

Ville Laurikari
  • (44 votes) My system was giving me this issue because the ".rnd" file was owned by root rather than my user. A quick `sudo chown user:user ~/.rnd` made everything work out. – HalfBrian Jun 04 '10 at 16:19
  • (1 vote) I had the same problem as OP. I did the `sudo` thing and it worked. But why do I still have a `.rnd` directory owned by root in my $HOME after I create a self-signed certificate? – Luc M Jul 09 '12 at 02:36
  • (3 votes) Yes, if you run from a PHP web server, the user is www-data, and you should add "export" before every openssl: shell_exec('export RANDFILE=".rnd";openssl ecparam -genkey -name secp256k1')) – diyism Jun 21 '13 at 09:04
  • (2 votes) If you are using a scripting language like PHP to call openssl as www-data, you can solve this by creating `/var/www/.rnd` and chowning it to `www-data`. (Assuming that `/var/www` is `www-data`'s home folder, which it is on most systems. You can check `www-data`'s home folder with `cat /etc/passwd | grep www-data`.) – Nick Feb 15 '17 at 14:28
  • When I run strace I can see that openssl is trying to access /dev/arandom on Ubuntu 14.04 LTS. Unfortunately this device does not exist. – gadeynebram Mar 10 '17 at 07:25
  • @gadeynebram OpenSSL is probably just checking to see if `/dev/arandom` (see https://stackoverflow.com/questions/12886646/what-is-dev-arandom) exists before moving on to `/dev/random` or `/dev/urandom`. I imagine that if OpenSSL really couldn't find a random device to open, it would throw a different (critical) error. Look for something else that would cause this; do `touch ~/.rnd` and see if you get an error. For me, I had done `sudo -su [username]` to start a shell as a different user, but the $HOME variable was still set to my own user's home directory, which the other user couldn't access. – Hitechcomputergeek Jun 06 '17 at 15:13
  • (1 vote) I was using Windows - of course, I needed to run the CMD prompt as an Administrator! Doing so got round this problem. – NickBeaugié Mar 25 '18 at 18:48
  • So simple. I never would have figured this out on my own. Thanks #SOF and @ville-laurikari – JoshYates1980 Apr 08 '18 at 12:22
291

I know this question is on Linux, but on Windows I had the same issue. Turns out you have to start the command prompt in "Run As Administrator" mode for it to work. Otherwise you get the same unable to write 'random state' error.

Beachhouse
  • (13 votes) I am running on Windows as administrator but still get the error. – Smalcat Jun 14 '12 at 08:24
  • (6 votes) Being an administrator on the machine and using "Run As Administrator" are different. "Run As Administrator" forces the program to run as an Administrator; otherwise, even when you are an administrator, the prompt will run with a non-administrator security clearance. – Beachhouse Aug 28 '12 at 21:46
  • (75 votes) If you are running in administrator mode and you are _still_ receiving "Unable to write 'random state'", another solution is to [`set RANDFILE=.rnd`](http://stackoverflow.com/questions/2229723/how-do-i-make-openssl-write-the-randfile-on-windows-vista) before executing `openssl`. – jevon Apr 16 '13 at 04:08
  • (5 votes) In PowerShell this is `$env:RANDFILE=".rnd"` rather than `set RANDFILE=.rnd`. – x5657 Sep 17 '18 at 09:51
  • What's the downside of NOT doing that? – StanTastic Feb 26 '19 at 14:26
  • Your answer helped me 11 years later. Whew. – Pythonista Jul 12 '22 at 15:32
46

One other issue on the Windows platform: make sure you are running your command prompt as an Administrative User!

I don't know how many times this has bitten me...

joel
18

Apparently, I needed to run OpenSSL as root in order for it to have permission to the seeding file.

nbanic
Luke Francl
  • (16 votes) It is more likely that you once *ran* it as root, whereupon the .rnd file in your home directory was created with permissions set for root only. This happened to me a while back. Deletion of .rnd solved the issue. – fotNelton Sep 29 '10 at 09:03
13

I had the same thing on Windows Server. Then I figured it out by changing vars.bat, which is:

set HOME=C:\Program Files (x86)\OpenVPN\easy-rsa

Then redo from the beginning and everything should be fine.

Jusuf
  • That was it! Thanks. I made this change right in between the "init-config" and "vars" commands from the instructions (here: https://openvpn.net/index.php/open-source/documentation/howto.html#pki). Must be because I installed the 32-bit version (which I prefer). – symbiont May 13 '14 at 02:15
  • (4 votes) That did the trick, and I did not have to run as admin. Thanks! In fact, I simply used `set HOME=.` – Synetech May 26 '14 at 20:36
9

I came across this problem today on AWS Lambda. I created an environment variable RANDFILE = /tmp/.random

That did the trick.

Guilherme Mussi
8

You should set the $RANDFILE environment variable and/or create the $HOME/.rnd file (OpenSSL FAQ). (Of course, you should have rights to that file. Other answers here are about that. But first you should have the file and a reference to it.)

Up to version 0.9.6 OpenSSL wrote the seeding file in the current directory in the file ".rnd". At version 0.9.6a you have no default seeding file. OpenSSL 0.9.6b and later will behave similarly to 0.9.6a, but will use a default of "C:\" for HOME on Windows systems if the environment variable has not been set.

If the default seeding file does not exist or is too short, the "PRNG not seeded" error message may occur.

The $RANDFILE environment variable and $HOME/.rnd are only used by the OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source; please check the documentation that comes with the application.

Gangnus
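The accepted answer tells you to check RANDFILE, HOME and the permissions on the seed file; the answer above spells out the lookup rule (RANDFILE first, then $HOME/.rnd). The script below, an added example that is not from any answer on this page, turns those two pieces of advice into a diagnostic: it resolves the path the openssl command-line tool would use and reports the usual reasons the file cannot be written (no path at all, a root-owned leftover from an earlier sudo run, a read-only file or directory). The function names and the status labels are my own; the ownership check uses `ls -ld` plus `awk` so that it runs under plain POSIX sh on Linux and BSD alike.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper names; not code from this page).
# Mirrors the OpenSSL FAQ rule: RANDFILE if set, else $HOME/.rnd, else no file.

# Resolve the seed file the openssl CLI would use.
# $1 = RANDFILE value (may be empty), $2 = HOME value (may be empty).
# Prints nothing when neither is set: the "no default filename is known" case.
seed_file_path() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s/.rnd\n' "$2"
    fi
}

# Classify the seed file's state. Prints exactly one of:
#   no-path       neither RANDFILE nor HOME is set
#   missing-dir   the directory that should hold the file does not exist
#   not-owner     the file exists but belongs to another user (typically root,
#                 left behind by an earlier run of openssl under sudo)
#   not-writable  the file exists and is ours but has no write permission
#   dir-readonly  the file does not exist and we cannot create it
#   ok            openssl should be able to write the file
seed_file_status() {
    path=$(seed_file_path "$1" "$2")
    [ -n "$path" ] || { echo no-path; return 0; }
    dir=$(dirname -- "$path")
    [ -d "$dir" ] || { echo missing-dir; return 0; }
    if [ -e "$path" ]; then
        owner=$(ls -ld -- "$path" | awk '{print $3}')   # third column is the owner
        me=$(id -un)
        # root can write anything, so ownership only matters for other users
        if [ "$owner" != "$me" ] && [ "$me" != root ]; then
            echo not-owner; return 0
        fi
        [ -w "$path" ] || { echo not-writable; return 0; }
        echo ok
    else
        [ -w "$dir" ] || { echo dir-readonly; return 0; }
        echo ok
    fi
}

# Human-readable report for the current environment, with the fix the answers
# on this page give for each state. Returns 0 only when the state is "ok".
report_seed_file() {
    status=$(seed_file_status "${RANDFILE:-}" "${HOME:-}")
    path=$(seed_file_path "${RANDFILE:-}" "${HOME:-}")
    case "$status" in
        no-path)      echo "no seed file path: set RANDFILE or HOME" ;;
        missing-dir)  echo "$path: parent directory does not exist" ;;
        not-owner)    echo "$path: owned by another user; rm it or chown it to $(id -un)" ;;
        not-writable) echo "$path: not writable; chmod u+w it" ;;
        dir-readonly) echo "$path: cannot be created; point RANDFILE at a writable location" ;;
        ok)           echo "$path: looks fine; run openssl under strace to see what it opens" ;;
    esac
    [ "$status" = ok ]
}

# Stand-alone use: report on the shell's own RANDFILE/HOME.
report_seed_file
```

Run it as the same user (and with the same environment) that runs openssl: the `sudo -su` case from the comments above, where HOME still points at another user's directory, shows up as `not-owner` or `dir-readonly` rather than as a mysterious write error.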
6

The problem for me was that I had .rnd in my home directory but it was owned by root. Deleting it and reissuing the openssl command fixed this.

Zds
1

For anyone who is unable to open the cmd with "run as admin" option. I had the same issue. Running set RANDFILE=.rnd in the cmd worked for me.