From 14bca0502d0a45aa8f8d85c43c3dd19d1f1ceb60 Mon Sep 17 00:00:00 2001
From: Jean-Louis Dupond
Date: Tue, 5 Mar 2024 09:07:19 +0100
Subject: [PATCH] Fix CA generation as non-root user due to .rnd error
engine-setup fails creating the CA certificate when running under non-root user with the following error: --------- plugin.execute:923 execute-output: ('/home/build/**FILTERED**//share/**FILTERED**-engine/bin/pki-create-ca.sh', '--subject=/C=US/O=Test/CN=c0714690d92b.71630', '--keystore-password=**FILTERED**', '--ca-file=ca') stderr: Can't load .rnd into RNG 803BCAC12B7F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:106:Filename=.rnd Cannot write random bytes: 803BCAC12B7F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:crypto/rand/randfile.c:240:Filename=.rnd Cannot generate CA request ---------- openssl commands try to find a .rnd file in the current directly. If not found, it will be created. But as we do not change early enough into the correct path, the .rnd file can't be created there, resulting in an error. So we just switch move the openssl req command in the subshell in the correct PKIDIR path.
Signed-off-by: Brooklyn Dewolf
Signed-off-by: Jean-Louis Dupond
---
 packaging/bin/pki-create-ca.sh | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/packaging/bin/pki-create-ca.sh b/packaging/bin/pki-create-ca.sh
index d91bfeaa7d6..4c6667380fe 100755
--- a/packaging/bin/pki-create-ca.sh
+++ b/packaging/bin/pki-create-ca.sh
@@ -76,17 +76,17 @@ enroll() {
 -pkeyopt rsa_keygen_bits:2048 \
 -out "${PKIDIR}/private/${CA_FILE}.pem" \
 || die "Cannot generate CA key"
- openssl req \
- -batch \
- -config "${PKIDIR}/${CACERT_CONF}" \
- -new \
- -key "${PKIDIR}/private/${CA_FILE}.pem" \
- -out "${PKIDIR}/requests/${CA_FILE}.csr" \
- -subj "/" \
- || die "Cannot generate CA request"
 (
 cd "${PKIDIR}"
+ openssl req \
+ -batch \
+ -config "${PKIDIR}/${CACERT_CONF}" \
+ -new \
+ -key "${PKIDIR}/private/${CA_FILE}.pem" \
+ -out "${PKIDIR}/requests/${CA_FILE}.csr" \
+ -subj "/" \
+ || die "Cannot generate CA request"
 openssl ca \
 -batch \
 -config openssl.conf \
@@ -100,8 +100,9 @@ enroll() {
 -subj "${subject}" \
 -utf8 \
 -days "${CA_DAYS}" \
- -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
- ) || die "Cannot enroll CA certificate"
+ -startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")" \
+ || die "Cannot enroll CA certificate"
+ )
 return 0
 }
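Review bot: Moving `|| die "Cannot generate CA request"` and, in the second hunk, `|| die "Cannot enroll CA certificate"` inside the `( … )` subshell means a failure no longer stops enroll(): if `die` exits (its definition is outside the hunk), it only terminates the subshell, the parent ignores the subshell's non-zero status and falls through to `return 0`, so a missing CA request or certificate is reported as success. The old form checked the subshell's status in the parent; keep that by changing the closing line to `) || exit 1` (or `) || return 1` if the caller checks enroll's status). The `cd "${PKIDIR}"` that both openssl calls now depend on is also unchecked; `cd "${PKIDIR}" || die "Cannot enter ${PKIDIR}"` avoids running `openssl ca -config openssl.conf` against whatever the current directory happens to be. Whether the script enables `set -e`, which would alter this, is not visible here, and enroll()'s opening lines are outside the hunk.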