Lack of Entropy

A while back I upgraded CUPS on my NAS device to CUPS 1.2, and as my configuration file had bitrotted I decided to erase it and start again. It was looking good: CUPS detected the USB printer like they said it would, but then it just stopped working. I had to switch to an SSL connection to perform administration tasks, and that just wasn't working. strace showed the daemon was just sitting in a select loop, and I had no idea what the problem was.

Today after a bit more searching the solution hit me. It's trying to create a self-signed SSL certificate, and generating the key for it needs random data. Now, what feeds the kernel's pool of random data on Linux? Mouse activity (the NAS has no mouse), keyboard activity (no keyboard), and disk activity (it gets used once a week). A quick poke with sysctl proved my problem:

$ sysctl kernel.random.entropy_avail
kernel.random.entropy_avail = 8

Hm, eight bits (entropy_avail counts bits, not bytes) with which to create an SSL key; that just won't work. Solution: find /. I ran that in one terminal with sysctl in another, and could watch the entropy pool get filled from the IDE disk activity, to be used by CUPS. After twenty seconds of disk activity, the certificate was finally generated. Yay, a working printer!

So, for Google and anyone else out there: if you see Generating SSL server key... in the CUPS log and then CUPS hangs, check your entropy levels.
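The check above can be scripted. The following is an added example written for this page, not code from the original post or from CUPS: it reads the pool level in bits, classifies it, and then actually tries a short read from /dev/random with a timeout, which is the direct test for the hang described here. It assumes a Linux /proc; the 256-bit "low" threshold is an assumption of mine, not a kernel constant.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose a daemon that hangs at
# "Generating SSL server key..." because it is waiting on /dev/random.
# Assumes a Linux /proc. LOW_THRESHOLD is my own rule of thumb, not a kernel value.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
LOW_THRESHOLD=${LOW_THRESHOLD:-256}

# Current pool level in bits (the kernel counts bits, not bytes), or -1 when
# the file cannot be read (non-Linux, or /proc not mounted).
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo -1
    fi
}

# Map a level to "unknown" (negative or non-numeric), "low" or "ok".
classify_entropy() {
    level=$1
    case $level in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$level" -lt "$LOW_THRESHOLD" ]; then
        echo low
    else
        echo ok
    fi
}

# Try to read 64 bytes from a device, giving up after $2 seconds (default 3).
# Prints "readable" or "blocking". A blocking /dev/random is exactly what the
# GnuTLS key generation in CUPS waits on; /dev/urandom never blocks after boot.
probe_random_device() {
    dev=${1:-/dev/random}
    secs=${2:-3}
    tmp=$(mktemp) || return 1
    pidfile="$tmp.pid"
    flag="$tmp.done"
    rm -f "$tmp"
    # The reader runs in the background. The inner subshell records dd's PID so
    # a stuck read can be killed, and creates $flag only if the read completed.
    ( dd if="$dev" of=/dev/null bs=64 count=1 2>/dev/null &
      echo $! >"$pidfile"
      wait $! && touch "$flag" ) &
    reader=$!
    i=0
    while [ "$i" -le "$secs" ]; do
        if [ -e "$flag" ]; then
            wait "$reader"
            rm -f "$flag" "$pidfile"
            echo readable
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    kill "$(cat "$pidfile" 2>/dev/null)" 2>/dev/null || true
    wait "$reader" 2>/dev/null || true
    rm -f "$flag" "$pidfile"
    echo blocking
    return 0
}

# The workaround from the post: walk the filesystem so disk interrupts feed
# the pool. Only helps on kernels that credit disk timings as entropy.
generate_disk_activity() {
    find "${1:-/}" -xdev >/dev/null 2>&1 || true
}

# Print a report; exit status is 1 when /dev/random is blocking.
diagnose() {
    level=$(entropy_avail)
    echo "entropy_avail: $level bits ($(classify_entropy "$level"))"
    state=$(probe_random_device /dev/random 3)
    echo "/dev/random:   $state"
    echo "/dev/urandom:  $(probe_random_device /dev/urandom 3)"
    [ "$state" = readable ]
}

case ${1:-} in
    --run) diagnose ;;
    --run-and-stir) diagnose || { generate_disk_activity; diagnose; } ;;
esac
```

Run it as `sh entropy-check.sh --run` on the hung box (the file name is my choice). Two caveats a practitioner should keep in mind: since Linux 5.6, /dev/random blocks only until the kernel's generator is first seeded, so this hang is largely a pre-2020 phenomenon; and pointing rngd at /dev/urandom, as one of the comments below suggests, merely recycles the kernel's own output back into the pool and adds no real entropy, so rngd should be fed from a genuine source such as a hardware RNG.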

18:00 Monday, 14 Aug 2006 [#] [computers] (17 comments)

Posted by ken lewis at Mon Aug 14 18:41:50 2006:
Wasn't there discussion on the LKML about whether it's appropriate to use network latencies to seed the entropy pool?  Would your NAS, on a home, be a suitable candidate to use that?
Posted by Mikael Hallendal at Mon Aug 14 18:52:25 2006:
Nice catch Ross, sounds like something one could spend a few hours on figuring out :)
Posted by Arno at Tue Aug 15 12:41:11 2006:
Had the same issue with Apache after doing some development on an otherwise quiet machine: Apache would no longer restart. Reinstalling it would help, but it took me quite long to figure out why :-)
Posted by Dmd at Tue Aug 22 08:23:36 2006:
Wow. I was close to a kernel recompile on that one (all this occurred after a hardware upgrade, and was coupled with other driver issues, adding to my complete confusion). Thank you!
Posted by un_brice at Fri Nov 24 22:31:01 2006:
Thanks ! ^_^ I was really lost.
Posted by Ken M at Thu Nov 30 23:29:03 2006:
Thanks.. my poor Xen vm had been hanging on this for over 10 minutes.
Posted by Andy at Tue Dec 12 02:59:13 2006:
Thanks!

I was staring blankly at that one for a while.  Same situation (server w/no mouse - never use console), except disk activity didn't help.  I actually had to jump on a keyboard on the console and pound on the keys for a minute ;-)
Posted by Péter Varga at Mon Dec 18 14:32:06 2006:
Thank you very much. Something I wouldn't ever think of.
Posted by brendan at Mon Jan 15 16:46:01 2007:
Wow, thanks. CUPS and Samba are enough of a learning curve without wondering where the security was wrong... I too had to pound the keyboard before it got sorted though.
Posted by Stroller at Sun Apr 1 15:58:19 2007:
Wow!

I don't know which to say first:
- thanks for posting this, or
- Google's amazing!

I couldn't connect to the print server I had set up - it just timed out as soon as it redirected me to the https pages - and so I slapped the last entry in the cups log ("Generating SSL server key...") into my search bar. Hey presto! You solved my problem!

Stroller.
Posted by Charafantah at Sat Apr 21 13:54:55 2007:
this could be fixed using this:

$ apt-get install rng-tools
OR
$ apt-get install rngd-tools

then
$ rngd -r /dev/urandom -o /dev/random
Posted by bombcar at Sun May 20 22:11:38 2007:
Thanks! I ran into this, too. Standalone servers don't have much entropy!
Posted by infinity at Fri Jun 1 02:55:34 2007:
I'm still having random login problems. Not as bad, but still there. Entropy seems fine when looking at it though. Maybe it has high and low spikes?
Posted by Adnoh at Fri Aug 3 10:11:10 2007:
Thanks a lot - you saved my day!
Posted by Carey Evans at Mon Sep 10 23:25:37 2007:
Part of the problem here is that GnuTLS uses so much entropy to generate its keys. OpenSSL uses much less, and uses /dev/urandom anyway, so another solution is to generate the SSL certificate before accessing CUPS:

openssl req -new -newkey rsa:2048 -nodes -x509 -days 3650 -batch -subj "/CN=$(hostname -f)/O=Big Company, Inc./C=BS" -out /etc/cups/ssl/server.crt -keyout /etc/cups/ssl/server.key
Posted by Fabian Bernhard at Tue Nov 6 17:33:41 2007:
Thanks a lot for this post! Would not have found it myself, though.
Posted by mahk at Sat Feb 16 12:50:32 2008:
Wow. Using an old P3-667 as file/print server with just two cables connected (power/LAN) I had the same problem. Just accessing my mp3 collection via Samba was enough to solve it.

thanks, man, great post!
