openssl: Can't load ./.rnd into RNG

When you call the openssl 1.1.1a command line utility, a ./.rnd file is created with root privileges. After that, when you try to generate a certificate, the message appears: 140396229990144:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=./.rnd

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 7
  • Comments: 31 (11 by maintainers)

Most upvoted comments

@bathindahelper I had the same issue as you on Ubuntu 18.04.x. Removing (or commenting out) RANDFILE = $ENV::HOME/.rnd from /etc/ssl/openssl.cnf worked for me.

@mspncp removing line with RANDFILE from config works fine. Thank you

When you call the openssl 1.1.1a command line utility, a ./.rnd file is created with root privileges.

@bernd-edlinger is it possible that this is a side effect of your change 1fd6afb571e85fbc37ffb522646e7ec2c6e4a11e?

@YuDudysheva If you have RANDFILE=... configuration lines in your openssl.cnf, then you can safely remove them, as was done in 1fd6afb571e85fbc37ffb522646e7ec2c6e4a11e, because saving and restoring the RNG state is not necessary anymore in the openssl 1.1.1 random generator.

FIX this problem

into RNG 140407482536384:error:2406F079:random number generator:RAND_load_file:Cannot open file:…/crypto/rand/randfile.c:88

This is caused by the default random file being missing. The message above is a warning and can be ignored in most cases, but if you want to prevent the warning, read on. Creating a blank file called .rnd with touch may work, but it is not a random file.

Create a /home/username/.rnd file with the command below (this is on Linux; I assume it is similar on Windows with c:\users\username\.rnd):

   openssl rand -out ~/.rnd -writerand ~/.rnd

(On Windows it should be:   openssl rand -out c:\users\username\.rnd -writerand c:\users\username\.rnd)

The file will be read/write by that user. The next time something looks for the .rnd file, it will find the file in the default location for that user and not give the error.

Since I am on Linux I cannot be sure about the Windows format, but the idea is to create a .rnd file in your home directory.

Please open a new issue, don’t post a different problem to a closed issue.

@richsalz Sorry, but I (may be wrongly) thought that my issue was very much related. Sorry again.

@bathindahelper did you read this issue and try the suggestions I made?

@mspncp Yes I did read all posts, but couldn’t find the solution.

@bathindahelper I had the same issue as you on Ubuntu 18.04.x. Removing (or commenting out) RANDFILE = $ENV::HOME/.rnd from /etc/ssl/openssl.cnf worked for me.

@matusnovak Thank you. I’ll try and let know.

Is there any risk to working around this just with touch ~/.rnd?

Good question, because modifying the openssl.cnf may not be easy (I have this problem during a gitlab-ci run).

To be very safe see this comment

https://security.stackexchange.com/questions/177509/purpose-of-randfile-in-openssl/177512#177512

dd if=/dev/urandom of=~/.rnd bs=256 count=1

If you are in ubuntu environment, just comment out these two lines from /etc/ssl/openssl.cnf

#RANDFILE       = $ENV::HOME/.rnd
#RANDFILE       = $dir/private/.rand    # private random number file

That would do the trick!

Can't load /root/.rnd into RNG
140195094647232:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd

I was experiencing this issue while generating a self-signed certificate in a Docker container with an Ubuntu 18.04 image; before, it was working fine with Ubuntu 14.

I was able to fix the issue thanks to @mikebridge suggestion:

Is there any risk to working around this just with touch ~/.rnd?

I am doing this locally, in development environment so I don’t need to care about security concerns.

Old code: RUN openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 365 -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj '/CN=localhost'

New working code: 🎉

RUN touch ~/.rnd
RUN openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 365 -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj '/CN=localhost'

Hope it helps!

In my case: “RUN touch ~/.rnd” did the magic. Thanks @diegodurante

Is there any risk to working around this just with touch ~/.rnd?

I had the same issue as you on Ubuntu 18.04.x. Removing (or commenting out) RANDFILE = $ENV::HOME/.rnd from /etc/ssl/openssl.cnf worked for me.

I can confirm that this also works for me on Ubuntu 18.04.x. If you prefer not to edit the /etc/ssl/openssl.cnf directly, you can pass in an altered copy of the same file, that has the above-mentioned RANDFILE line commented out, by passing in a -config param like so:

-config <(cat /etc/ssl/openssl.cnf | sed "s/RANDFILE\s*=\s*\$ENV::HOME\/\.rnd/#/")

Before (fails)

openssl \
  req \
  -subj "${SUBJECT}" \
  -new \
  -x509 \
  -passout "pass:${CERT_AUTH_PASS}" \
  -keyout "${FILE_NAME}.key" \
  -out "${FILE_NAME}.crt" \
  -days 365

After (succeeds)

openssl \
  req \
  -subj "${SUBJECT}" \
  -new \
  -x509 \
  -passout "pass:${CERT_AUTH_PASS}" \
  -keyout "${FILE_NAME}.key" \
  -out "${FILE_NAME}.crt" \
  -days 365 \
  -config <(cat /etc/ssl/openssl.cnf | sed "s/RANDFILE\s*=\s*\$ENV::HOME\/\.rnd/#/")

In my case, it means one less thing to provision to keep my SSL scripts working on each new Ubuntu server. Hope this helps someone!

Note: You can view what the resulting edited config file would look like by running:

cat /etc/ssl/openssl.cnf | sed "s/RANDFILE\s*=\s*\$ENV::HOME\/\.rnd/#/"

As you can see, I’ve chosen to replace the whole line with a #.

Hello, for information: I had the same issue on Windows with mingw64 (coming from a Git installation). The OpenSSL version is 1.1.1d. The problem was solved by running from git bash: chmod 600 ~/.rnd. I also need to mention that I used neither the -rand nor the -writerand option on the openssl command.
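The two remedies the thread converges on, as one added example that is not from the issue or the OpenSSL project: commenting out every RANDFILE line in a copy of openssl.cnf (the sed/-config approach above), and, for anyone who keeps RANDFILE, seeding ~/.rnd from /dev/urandom with mode 600 instead of an empty touch'ed file. The config content and temp paths are constructed; POSIX sh with GNU sed and /dev/urandom is assumed.

```shell
#!/bin/sh
# Added example (not from the issue thread). Assumes POSIX sh, GNU sed,
# /dev/urandom. All file paths and the sample config are constructed.

# Remedy 1: write a working copy of openssl.cnf with every RANDFILE
# directive commented out, so the legacy config stops pointing at ~/.rnd.
# $1 = source config, $2 = destination config.
strip_randfile() {
    sed 's/^[[:space:]]*RANDFILE[[:space:]]*=/#&/' "$1" > "$2"
}

# Count active (uncommented) RANDFILE directives; "0" means none remain.
count_randfile() {
    grep -c '^[[:space:]]*RANDFILE[[:space:]]*=' "$1" || true
}

# Remedy 2: if RANDFILE stays, seed the file from the kernel CSPRNG rather
# than creating an empty one with touch, and keep it private (mode 600).
# The error in the thread is "Cannot open file", so owner and mode matter.
# $1 = path of the .rnd file to create.
seed_rnd_file() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=256 count=1 2>/dev/null )
    chmod 600 "$1"
}

# Helpers: permission string (e.g. -rw-------) and byte count of a file.
rnd_mode() { ls -l "$1" | cut -c1-10; }
rnd_size() { wc -c < "$1" | tr -d ' '; }

# Constructed sample config carrying the two Ubuntu 18.04 lines quoted above.
WORK=$(mktemp -d)
cat > "$WORK/openssl.cnf" <<'EOF'
RANDFILE       = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
[ CA_default ]
RANDFILE       = $dir/private/.rand    # private random number file
EOF
strip_randfile "$WORK/openssl.cnf" "$WORK/openssl.fixed.cnf"
seed_rnd_file "$WORK/.rnd"
```

Pass the fixed copy with -config "$WORK/openssl.fixed.cnf" (or as a process substitution in bash) to the openssl command; the seeded file only matters if a RANDFILE line is kept.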