Fix CA generation as non-root user due to .rnd error
engine-setup fails creating the CA certificate when running under non-root user with the following error:

---------

plugin.execute:923 execute-output: ('/home/build/**FILTERED**//share/**FILTERED**-engine/bin/pki-create-ca.sh', '--subject=/C=US/O=Test/CN=c0714690d92b.71630', '--keystore-password=**FILTERED**', '--ca-file=ca') stderr:
Can't load .rnd into RNG
803BCAC12B7F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:106:Filename=.rnd
Cannot write random bytes:
803BCAC12B7F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:crypto/rand/randfile.c:240:Filename=.rnd
Cannot generate CA request

----------

openssl commands try to find a .rnd file in the current directory. If not found, it will be created.
But as we do not change early enough into the correct path, the .rnd file can't be created there, resulting in an error.
So we just move the openssl req command into the subshell in the correct PKIDIR path.

Signed-off-by: Brooklyn Dewolf <[email protected]>
Signed-off-by: Jean-Louis Dupond <[email protected]>
dupondje authored and sandrobonazzola committed Mar 27, 2024
1 parent 421a6fd commit 14bca05
Showing 1 changed file with 11 additions and 10 deletions.
21 changes: 11 additions & 10 deletions packaging/bin/pki-create-ca.sh
@@ -76,17 +76,17 @@ enroll() {
-pkeyopt rsa_keygen_bits:2048 \
-out "${PKIDIR}/private/${CA_FILE}.pem" \
|| die "Cannot generate CA key"
openssl req \
-batch \
-config "${PKIDIR}/${CACERT_CONF}" \
-new \
-key "${PKIDIR}/private/${CA_FILE}.pem" \
-out "${PKIDIR}/requests/${CA_FILE}.csr" \
-subj "/" \
|| die "Cannot generate CA request"

(
cd "${PKIDIR}"
openssl req \
-batch \
-config "${PKIDIR}/${CACERT_CONF}" \
-new \
-key "${PKIDIR}/private/${CA_FILE}.pem" \
-out "${PKIDIR}/requests/${CA_FILE}.csr" \
-subj "/" \
|| die "Cannot generate CA request"
openssl ca \
-batch \
-config openssl.conf \
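Review bot: the `cd "${PKIDIR}"` that the moved `openssl req` now relies on is unchecked; if it fails (missing directory, permission problem for the non-root user this commit targets), `openssl req` and `openssl ca` still run, but in the original working directory, and `.rnd` is looked up and written there again, which is exactly the failure being fixed, only now masked until a later step. Suggest `cd "${PKIDIR}" || die "Cannot enter ${PKIDIR}"`. Also worth noting in the commit or a comment that the `.rnd` lookup is relative to the current directory because of how the config passed via `-config "${PKIDIR}/${CACERT_CONF}"` is resolved; if that file carries a `RANDFILE` entry, making it absolute or dropping it would remove the dependency on the working directory altogether rather than relying on the subshell's `cd`.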
@@ -100,8 +100,9 @@ enroll() {
-subj "${subject}" \
-utf8 \
-days "${CA_DAYS}" \
-startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
) || die "Cannot enroll CA certificate"
-startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")" \
|| die "Cannot enroll CA certificate"
)

return 0
}
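Review bot: moving `|| die "Cannot enroll CA certificate"` from the parent shell (old `) || die ...`) to inside the `( ... )` subshell changes failure handling: if `die` exits, that `exit` only terminates the subshell, the subshell's non-zero status is not checked by anything, and `enroll()` falls through to `return 0`, so a failed `openssl ca` (or the failed `openssl req` moved into the same subshell in the previous hunk) no longer aborts the script. Keep the status check on the subshell itself, e.g. close it with `) || die "Cannot enroll CA certificate"` as before, or check `$?` after the subshell, so that a failure inside it still stops CA generation.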