Ubuntu
libapache2-mod-auth-mellon package

openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom

Bug #1945774 reported by Simon Chopin on 2021-10-01

This bug affects 2 people

	Status	Importance	Assigned to
mod_auth_mellon	Fix Released	Unknown	auto-github-latchset-modauthmellon #105
hplip (Ubuntu)	Fix Released	Undecided	Unassigned
Jammy	Fix Released	Undecided	Unassigned
libapache2-mod-auth-mellon (Ubuntu)	New	Undecided	Unassigned
Jammy	Triaged	Undecided	Unassigned
ssl-cert (Debian)	Fix Released	Unknown	debbugs #990228
ssl-cert (Ubuntu)	Fix Released	Undecided	Unassigned
Jammy	Fix Released	Undecided	Unassigned

Bug Description

Imported from Debian bug http://bugs.debian.org/990228:

Package: openssl
Version: 3.0.0~~alpha16-1
Severity: serious
User: <email address hidden>
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package causes other package
to fail installation/upgrading.

From the attached log (scroll to the bottom...):

...
  Setting up openssl (3.0.0~~alpha16-1) ...
  Setting up libbsd0:amd64 (0.11.3-1) ...
  Setting up readline-common (8.1-2) ...
  Setting up libxml2:amd64 (2.9.10+dfsg-6.7) ...
  Setting up libgdbm6:amd64 (1.19-2) ...
  Setting up postgresql-client-common (226) ...
  Setting up libedit2:amd64 (3.1-20210522-1~exp1) ...
  Setting up libreadline8:amd64 (8.1-2) ...
  Setting up libldap-2.4-2:amd64 (2.4.57+dfsg-3) ...
  Setting up libllvm11:amd64 (1:11.0.1-2) ...
  Setting up ssl-cert (1.1.0+nmu1) ...
  Could not create certificate. Openssl output was:
  Generating a RSA private key
  ..+..+......+.......+.....+...+.........+.......+...+..+...+.+..+...+.........+.......+...+..+.........+.+...........+...+.+......+........+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..........+........+.......+.........+..+...+....+..+.+............+..+................+...+............+..+.............+...+..+.......+...+.....+..................+.......+.........+........+.+........................+............+.........+..+.........+.+..+......+.+...........+.........+.+.....+....+.........+.....+.+....................+....+............+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ..+.+........+...+...+.......+..................+..+.........+...+.+............+...+.....+......................+..+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+...+....+......+...+..+...+..........+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+......+...+....+..+....+..+....+.........+..+...+....+.....+.+......+.....+.+..+.............+..+..........+..+.+........+............+.........+....+..+.......+.....+...+.......+...+...+..+....+...+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
  -----
  Warning: No -copy_extensions given; ignoring any extensions in the request
  Cannot write random bytes:
  8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
  dpkg: error processing package ssl-cert (--configure):
   installed ssl-cert package post-installation script subprocess returned error exit status 1
  dpkg: dependency problems prevent configuration of postgresql-common:
   postgresql-common depends on ssl-cert (>= 1.0.11); however:
    Package ssl-cert is not configured yet.
...

Hmm, well, yes, /dev/urandom is not a regular file. It's a character device node.

cheers,

Andreas

Tags:

Revision history for this message

Simon Chopin (schopin) wrote on 2021-10-01:

This bug makes hlpip fail to build against OpenSSL 3.0, as the build-deps are uninstallable.

tags:

added: transition-openssl3-jj

Bug Watch Updater (bug-watch-updater) on 2021-10-01

Changed in ssl-cert (Debian):
importance:	Undecided → Unknown

Bug Watch Updater (bug-watch-updater) on 2021-11-08

Changed in ssl-cert (Debian):
status:	New → Fix Released

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2021-11-09:

According to the Debian bug, ssl-cert/1.1.1 contains the fix and it is already available in jammy (release pocket), so I am marking this as fix released.

Changed in ssl-cert (Ubuntu):
status:	New → Fix Released

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2021-11-10:

hplip has also built successfully:

https://launchpad.net/ubuntu/+source/hplip/3.21.8+dfsg0-2

So I'm marking this bug as Fix Released for it.

Changed in hplip (Ubuntu):
status:	New → Fix Released

Revision history for this message

Rodrigo Barbieri (rodrigo-barbieri2010) wrote on 2024-04-10:

Apparently this is still happening in Jammy for some reason (maybe a regression), as according to this [1] bug report claiming that this bug is the cause of it.

This is the command that I run to hit it (doesn't need anything in particular for the command to work, can run anywhere such as a fresh new container):

mellon_create_metadata https://sp.10.5.100.3/mellon https://sp.10.5.100.3/v3/OS-FEDERATION/identity_providers/idp.10.5.100.2/protocols/saml2/auth/mellon

It fails silently to create the xml file that it should be creating. It works fine in focal, but doesn't work in jammy.

Versions in jammy:
libapache2-mod-auth-mellon 0.18.0-1build1
apache2-bin 2.4.52-1ubuntu4.8
openssl 3.0.2-0ubuntu1.15
libssl3:amd64 3.0.2-0ubuntu1.15
libxmlsec1-openssl:amd64 1.2.33-1build2

versions in focal:
libapache2-mod-auth-mellon 0.16.0-1ubuntu0.1
apache2-bin 2.4.41-4ubuntu3.16
openssl 1.1.1f-1ubuntu2.22
libssl1.1:amd64 1.1.1f-1ubuntu2.22
libxmlsec1-openssl:amd64 1.2.28-2

[1] https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/2052795

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-04-11:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in hplip (Ubuntu Jammy):
status:	New → Confirmed
Changed in ssl-cert (Ubuntu Jammy):
status:	New → Confirmed

Revision history for this message

Mitchell Dzurick (mitchdz) wrote on 2024-04-12:

This is easy to reproduce in a jammy lxd container.

$ lxc launch ubuntu:jammy j
$ lxc shell j
# sed -i 's#"$OUTFILE.key" 2>/dev/null#"$OUTFILE.key"#g' /usr/sbin/mellon_create_metadata
# # mellon_create_metadata https://sp.10.5.100.3/mellon https://sp.10.5.100.3/v3/OS-FEDERATION/identity_providers/idp.10.5.100.2/protocols/saml2/auth/mellon
< cut text here >
Cannot write random bytes:
4097CC2E67760000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-04-15:

This is not a bug in ssl-cert. It's a bug in libapache2-mod-auth-mellon, more specifically in the way it configures openssl to generate its certificate. From /usr/sbin/mellon_create_metadata:

cat >"$TEMPLATEFILE" <<EOF
RANDFILE = /dev/urandom
[req]
default_bits = 3072
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[req_distinguished_name]
commonName = $HOST
EOF

The fix is simple: just remove the RANDFILE entry from the snippet above. This looks like SRU material, so I'm adding a task for the package and setting its status accordingly.

Changed in libapache2-mod-auth-mellon (Ubuntu Jammy):
status:	New → Triaged
Changed in ssl-cert (Ubuntu Jammy):
status:	Confirmed → Fix Released
Changed in hplip (Ubuntu Jammy):
status:	Confirmed → Fix Released