PRNG still contains insufficient entropy


#1

I issued three Let’s Encrypt certificates with certbot (two of them were renewed, one is completely new). When I load the page everything works fine. After reloading the site a few times the website throws an SSL exception: ERR_SSL_PROTOCOL_ERROR (Chrome) / SSL_ERROR_INTERNAL_ERROR_ALERT (Firefox).

When I reload the page again it sometimes starts working again (and sometimes not). This happens for all three domains. Sometimes they work, and sometimes they don’t. I haven’t found any regularity in this behaviour.

It seems as if Apache is confused by the setup.

I checked the logs and found the following error code in apache’s error.log:
AH01990: PRNG still contains insufficient entropy!


#2

This is not related to your certificate, rather your random number generator.

Have a look at installing haveged ( https://linux.die.net/man/8/haveged ) on your debian server to ensure sufficient entropy


#3

You shouldn’t need to use things like haveged on a modern Linux kernel, it’s capable of using hardware events as entropy these days.

The only time you should be seeing that warning is if OpenSSL can’t initialize its internal RNG; it should use the kernel RNG by default, which should mean that should never happen. Is SSLRandomSeed being set to something different in any of the Apache config files?

If it’s not being set anywhere, another option is to try this in a global configuration area:

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
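An added diagnostic script, not from this thread or any poster, that helps answer the question above: it lists the uncommented SSLRandomSeed directives under an Apache configuration root (assumed to be /etc/apache2 unless another path is given), flags any whose source is neither the kernel RNG via file:/dev/urandom nor builtin, and reads the kernel's current entropy pool size.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes Apache config lives under /etc/apache2.

# Print every uncommented SSLRandomSeed directive found under the given config root.
list_seeds() {
  root="${1:-/etc/apache2}"
  grep -rhs '^[[:space:]]*SSLRandomSeed' "$root" 2>/dev/null || true
}

# Print only the directives whose source is not /dev/urandom or builtin
# (e.g. file:/dev/random, exec:, egd:), which are the ones worth a closer look.
find_nonkernel_seeds() {
  list_seeds "$1" | grep -vE 'file:/dev/urandom|builtin' || true
}

# One-word summary: "none" (no directives, mod_ssl defaults apply),
# "ok" (all sources are urandom/builtin) or "check" (something else is configured).
seed_status() {
  seeds=$(list_seeds "$1")
  [ -n "$seeds" ] || { echo none; return 0; }
  if printf '%s\n' "$seeds" | grep -qvE 'file:/dev/urandom|builtin'; then
    echo check
  else
    echo ok
  fi
}

# Current kernel entropy pool size in bits; "unknown" on hosts without the proc file.
entropy_avail() {
  cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo unknown
}

report() {
  echo "SSLRandomSeed status under ${1:-/etc/apache2}: $(seed_status "$1")"
  find_nonkernel_seeds "$1" | sed 's/^/  non-kernel source: /'
  echo "kernel entropy_avail: $(entropy_avail)"
}

report "${1:-/etc/apache2}"
```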
