# OpenSSL pseudorandom number generator issue w/bind [SOLVED]

## hanj

On one of my servers, bind is not able to start. I see the following in the logs...

```
Jan  7 10:00:54 comp named[3831]: starting BIND 9.12.2-P2 <id:b2bf278>
Jan  7 10:00:54 comp named[3831]: built with '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.12.2_p2-r1' '--htmldir=/usr/share/doc/bind-9.12.2_p2-r1/html' '--with-sysroot=/' '--libdir=/usr/lib' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--disable-threads' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--without-gssapi' '--without-idnkit' '--without-libidn2' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib' '--with-randomdev=/dev/random' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CFLAGS=-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Jan  7 10:00:54 comp named[3831]: running as: named -u named -t /chroot/dns
Jan  7 10:00:54 comp named[3831]: compiled by GCC 4.9.4
Jan  7 10:00:54 comp named[3831]: compiled with OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018
Jan  7 10:00:54 comp named[3831]: linked to OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018
Jan  7 10:00:54 comp named[3831]: compiled with libxml2 version: 2.9.8
Jan  7 10:00:54 comp named[3831]: linked to libxml2 version: 20908
Jan  7 10:00:54 comp named[3831]: compiled with zlib version: 1.2.11
Jan  7 10:00:54 comp named[3831]: linked to zlib version: 1.2.11
Jan  7 10:00:54 comp named[3831]: threads support is disabled
Jan  7 10:00:54 comp named[3831]: ----------------------------------------------------
Jan  7 10:00:54 comp named[3831]: BIND 9 is maintained by Internet Systems Consortium,
Jan  7 10:00:54 comp named[3831]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan  7 10:00:54 comp named[3831]: corporation.  Support and training for BIND 9 are
Jan  7 10:00:54 comp named[3831]: available at https://www.isc.org/support
Jan  7 10:00:54 comp named[3831]: ----------------------------------------------------
Jan  7 10:00:54 comp named[3831]: using up to 4096 sockets
Jan  7 10:00:54 comp named[3831]: openssl_link.c:296: fatal error:
Jan  7 10:00:54 comp named[3831]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Jan  7 10:00:54 comp named[3831]: exiting (due to fatal error in library)
Jan  7 10:00:54 comp /etc/init.d/named[3825]: start-stop-daemon: failed to start `/usr/sbin/named'
Jan  7 10:00:54 comp /etc/init.d/named[3293]: ERROR: named failed to start
```

I see the following bug report, but no comments:

https://bugs.gentoo.org/673746

I also see another issue at bind-users-forum, again, no resolution:

http://bind-users-forum.2342410.n4.nabble.com/PRNG-not-seeded-service-won-t-start-td6026.html

I'm rolling back to net-dns/bind-9.11.2_p1

Current USE flags with my bind:

```
[ebuild   R    ] net-dns/bind-9.12.2_p2-r1::gentoo  USE="berkdb caps dlz ssl xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -idn -ipv6 -json -ldap -libidn2 -libressl -lmdb -mysql -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs -threads -urandom" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6 (-python3_7)" 0 KiB
```

Any ideas?

Thanks!

hanji

----------

## hanj

This thread was interesting...

https://bugzilla.redhat.com/show_bug.cgi?id=1631515 [Moderator note: warning: obnoxious fast flashing banner on the linked page. -Hu]

My box is using a chroot, but I do have those in the chroot..

```
ls -al /chroot/dns/dev/
total 0
drwxr-xr-x 2 root root   120 May 14  2014 .
drwxr-x--- 6 root named  144 Jul  4  2014 ..
crw-rw-rw- 1 root root  1, 3 May 14  2014 null
crw-rw-rw- 1 root root  1, 8 May 14  2014 random
crw-rw-rw- 1 root root  1, 5 May 14  2014 zero
```

Still digging...

----------

## Ant P.

Is this immediately after bootup? Try putting `sysctl kernel.random.entropy_avail | logger` in a startup script and see what gets written to syslog; it may be that it's too low. Values over 1000 are healthy.

----------

## hanj

 *Ant P. wrote:*   

> Is this immediately after bootup? Try putting `sysctl kernel.random.entropy_avail | logger` in a startup script and see what gets written to syslog; it may be that it's too low. Values over 1000 are healthy.

 

Nope.. not after boot up. I've confirmed this on 3 boxes now. 2 boxes have not rebooted in a while, while the 3rd was after a fresh reboot. Also, I didn't specify, all 3 named are in a chroot.

hanji

----------

## Hu

You have some of the nodes.  You don't have urandom.  Does it help to add that?

Also, please next time include a warning before linking to anything with such a horrible flashing banner.  Some administrator who clearly cannot be trusted with access to bugzilla.redhat.com thought it'd be cute to include the following in all their pages:

```
<div id="no-js-message">This site requires JavaScript to be enabled to function correctly, please enable it.</div>
```

```
#no-js-message {
    background-color: #c40000;
    color: white;
    font-weight: bold;
    padding: 15px;
    animation: 1s linear 0s normal none infinite running nojs;
    border-radius: 4px;
    text-align: center;
    font-size: 14pt;
}
```

1s?!

The message isn't even right.  The site works fine, if you can ignore the extremely distracting flash effect.  I'm just glad I didn't have an epileptic looking over my shoulder.

Last edited by Hu on Wed Jan 09, 2019 3:07 am; edited 1 time in total

----------

## hanj

 *Hu wrote:*   

> You have some of the nodes.  You don't have urandom.  Does it help to add that?

 

Thanks so much! I did add that.. and it worked!

```
crw-r--r-- 1 root root  1, 9 Jan  8 19:54 urandom
```

For anyone else that has problems...

```
cd /chroot/dns/dev
mknod urandom c 1 9
```

Thanks!

hanji

----------

## guid0

For those hitting this issue, I ran into the same troubles but needed a different fix. 

```
Jun 17 12:19:48 ns1 named[1050]: openssl_link.c:296: fatal error:
Jun 17 12:19:48 ns1 named[1050]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Jun 17 12:19:48 ns1 named[1050]: exiting (due to fatal error in library)
```

My chroot is in /var/chroot/dns, and since my regular /var was mounted with the 'nodev' option, it turned out that this filesystem option was causing the same SSL issue.

I simply remounted /var without -o nodev and was able to recover services.

Will look into this again at some other time in order to see if we can restore 'nodev' on the filesystem.

Cheers,

guid0

----------
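Both root causes found in this thread (hanj's chroot lacking a `urandom` node, guid0's chroot sitting on a `nodev` mount, which makes the kernel refuse to open device nodes even when they exist) can be checked mechanically before restarting `named`. The script below is an added example, not code posted in the thread or shipped with BIND. It assumes the chroot path is passed as its argument (the posts used /chroot/dns and /var/chroot/dns), the usual Linux device numbers for null/zero/random/urandom (1,3 / 1,5 / 1,8 / 1,9), and a GNU or busybox `stat(1)`. The tmpfs-on-`/dev` suggestion it prints is a common way to keep `nodev` on /var while still giving the chroot working device nodes; it is not something guid0 reported having tried. The entropy readout is Ant P.'s check folded in.

```shell
#!/bin/sh
# Added example (not from the thread): audit the device nodes a chrooted
# named needs so OpenSSL can seed its PRNG, and check whether the
# filesystem holding the chroot is mounted 'nodev'.
# Assumptions: chroot path in $1 (e.g. /chroot/dns); Linux device numbers
# 1,3 null / 1,5 zero / 1,8 random / 1,9 urandom; GNU or busybox stat(1).

# check_dev_nodes DEVDIR
# Prints one line per problem, including the mknod(1) that fixes a missing
# node. Returns 0 when all four nodes are present and correct, 1 otherwise.
check_dev_nodes() {
    devdir=$1 problems=0
    for spec in null:1:3 zero:1:5 random:1:8 urandom:1:9; do
        name=${spec%%:*}; rest=${spec#*:}; maj=${rest%%:*}; min=${rest#*:}
        node=$devdir/$name
        want=$(printf '%x:%x' "$maj" "$min")   # stat prints hex major:minor
        if [ ! -e "$node" ]; then
            echo "MISSING $name: mknod -m 666 $node c $maj $min"
            problems=$((problems + 1))
        elif [ ! -c "$node" ]; then
            echo "NOTCHR $name: $node exists but is not a character device"
            problems=$((problems + 1))
        elif [ "$(stat -c '%t:%T' "$node")" != "$want" ]; then
            echo "WRONGDEV $name: $node is $(stat -c '%t:%T' "$node"), want $want"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# nodev_mount_for PATH [MOUNTS]
# Finds the mount covering PATH in a /proc/self/mounts-format file (longest
# matching mountpoint wins, later entries override earlier ones) and prints
# the mountpoint if it carries 'nodev'. Returns 0 if nodev applies, else 1.
nodev_mount_for() {
    path=$1 mounts=${2:-/proc/self/mounts}
    best= best_opts=
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        case $path in
            "$mnt"|"${mnt%/}"/*) ;;         # this mount covers the path
            *) continue ;;
        esac
        if [ ${#mnt} -ge ${#best} ]; then
            best=$mnt best_opts=$opts
        fi
    done < "$mounts"
    case ",$best_opts," in
        *,nodev,*) echo "$best"; return 0 ;;
    esac
    return 1
}

# entropy_avail: the kernel's entropy estimate (Ant P.'s check), or
# "unknown" when /proc is not readable, e.g. when run inside the chroot.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo unknown
}

# audit_chroot CHROOT [MOUNTS]
# Runs both checks and prints what to do. Returns 0 only if nothing is wrong.
audit_chroot() {
    root=$1 mounts=${2:-/proc/self/mounts} ok=0
    echo "kernel.random.entropy_avail = $(entropy_avail)"
    check_dev_nodes "$root/dev" || ok=1
    if nodev_mount_for "$root/dev" "$mounts" >/dev/null; then
        echo "NODEV: $root/dev is on a nodev mount ($(nodev_mount_for "$root/dev" "$mounts"))."
        echo "  Either remount that filesystem without nodev (guid0's fix), or keep"
        echo "  nodev there and mount a tmpfs on $root/dev, then mknod the nodes in it:"
        echo "  mount -t tmpfs -o nosuid,noexec,mode=755 tmpfs $root/dev"
        ok=1
    fi
    return $ok
}

# Stand-alone use: sh chroot-dev-audit.sh /chroot/dns
if [ $# -gt 0 ]; then
    audit_chroot "$1"
    exit $?
fi
```

Run it as root on the host (not inside the chroot), since it needs to read /proc/self/mounts and `stat` the nodes. A clean run prints only the entropy line and exits 0; anything else is a concrete command to fix before starting `named` again.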

