Bug 1256427

Summary: unable to write 'random state'
Product: OpenShift Online
Reporter: M.M <murali>
Component: Documentation
Assignee: brice <bfallonf>
Status: CLOSED EOL
QA Contact: Vikram Goyal <vigoyal>
Docs Contact: Vikram Goyal <vigoyal>
Severity: low
Priority: low
Version: 2.x
CC: aos-bugs, jokerman, mmccomas, murali, xtian
Hardware: x86_64
OS: Windows
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-09-22 03:27:05 UTC

Description M.M 2015-08-24 14:34:18 UTC
Description of problem:
Error when trying to create a private key and CSR using the command line in OpenShift.

[abc-xyz.rhcloud.com data]> openssl genrsa -des3 -out myserverkey.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.............+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myserverkey.key:

How reproducible:
Follow the command line in the OpenShift documentation to generate the private key and CSR. It will result in the above error.

Steps to Reproduce:
1. Access OpenShift SSH / command line
2. Run openssl genrsa -des3 -out example.com.key 2048

Actual results:
.+++
.............+++
unable to write 'random state'
e is 65537 (0x10001)

Expected results:
......++++++
...................++++++
e is 65537 (0x10001)

Comment 1 Timothy Williams 2015-08-24 20:40:15 UTC
This is expected behavior.

You are not allowed to create additional files at the root of your home directory. The openssl command will attempt to create the file $HOME/.rnd. When it cannot be created, the error you are seeing is reported.

This has never been allowed and is not a recent change. Could you please provide a link to the documentation you reference where this command is instructed to be run inside of a gear?

The key can still be created successfully if you specify a path where you have write permissions, such as $OPENSHIFT_DATA_DIR/, for the .rnd file and your key file:

> export RANDFILE=$OPENSHIFT_DATA_DIR/.rnd
> openssl genrsa -des3 -out $OPENSHIFT_DATA_DIR/myserverkey.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.............................................+++
e is 65537 (0x10001)
Enter pass phrase for /var/lib/openshift/55d72c2d5a00089d700003cb/app-root/data//mykey.key:

Comment 2 M.M 2015-08-25 00:50:50 UTC
I have tried creating the private key and the CSR in the data directory many times earlier. Followed the steps mentioned in this OpenShift documentation: https://developers.openshift.com/en/managing-domains-ssl.html. When I was creating the private and CSR keys I did a cd into $OPENSHIFT_DATA_DIR and ran the commands there - so it should have tried creating the files in its current directory, which was the data directory. So even when in the data directory it tries to create the randfile in the home directory - now is that causing the trouble or something?

The lines that I followed are 

For creating the private key: openssl genrsa -des3 -out example.com.key 2048 (This will fail with the unable to write 'random state' error ... well, unless you precede this line with export RANDFILE=$OPENSHIFT_DATA_DIR/.rnd, I guess)

For generating the csr: openssl req -new -key example.com.key -out example.com.csr

The method that you described works and I have been told about that method earlier - the one that starts with RANDFILE.

Comment 3 Timothy Williams 2015-08-25 14:39:10 UTC
Thanks for the additional information.

OpenSSL does not attempt to create the 'random state' file in the current working directory. By default, it always creates this file in the user's home directory. 

We'll fix the documentation to instruct developers to properly create the CSR from within their gear.

Comment 4 brice 2016-09-22 03:27:05 UTC
Closing this as it's close to the EOL for v2.
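
Added example, not part of the original bug thread or the OpenShift documentation: a wrapper around the workaround from Comments 1 and 3 that picks a writable location for OpenSSL's random-state file before generating the key and CSR, and keeps the resulting files owner-only. The function name choose_randfile, the --run switch and the script name gen_csr.sh are hypothetical; $OPENSHIFT_DATA_DIR and the openssl commands are the ones shown in the thread.

```shell
#!/bin/sh
# Added example; choose_randfile and the --run switch are hypothetical names.

# Print a writable path for OpenSSL's random-state file: $HOME/.rnd when the
# home directory is writable (OpenSSL's default), else <data_dir>/.rnd.
choose_randfile() {
    cr_home=$1
    cr_data=${2%/}          # $OPENSHIFT_DATA_DIR ends in "/" in the thread
    if [ -d "$cr_home" ] && [ -w "$cr_home" ]; then
        printf '%s\n' "$cr_home/.rnd"
    elif [ -d "$cr_data" ] && [ -w "$cr_data" ]; then
        printf '%s\n' "$cr_data/.rnd"
    else
        return 1            # nowhere to write; the caller must stop
    fi
}

# Run inside the gear as: sh gen_csr.sh --run example.com
if [ "${1:-}" = "--run" ]; then
    name=${2:-example.com}
    RANDFILE=$(choose_randfile "$HOME" "$OPENSHIFT_DATA_DIR") || {
        echo "no writable location for the random-state file" >&2
        exit 1
    }
    export RANDFILE
    umask 077               # key, CSR and .rnd readable by the owner only
    cd "$OPENSHIFT_DATA_DIR" || exit 1
    openssl genrsa -des3 -out "$name.key" 2048
    openssl req -new -key "$name.key" -out "$name.csr"
fi
```

Without --run the script only defines the function, so it can be sourced to check which path would be used before any key material is written.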