Openssl never finishes generating uhttpd.key on Turris Omnia

fantom-x · July 10, 2019, 1:31pm

I am trying to setup a TO with 19.07 from scratch, but when it boots up, uhttpd is not running and is waiting the the openssl step to complete. It stays in the state forever. A workaround seems to be to perform a first boot from 18.06 to get the key file generated and then upgrade to 19.07.

root@OpenWrt:~# ps -w | grep uhttp
 3265 root      1220 S    /bin/sh /etc/rc.common /etc/rc.d/S50uhttpd boot
 3372 root      3568 S    /usr/bin/openssl req -x509 -sha256 -outform der -nodes -days 730 -newkey rsa:2048 -keyout /etc/uhttpd.key
 4152 root      1064 S    grep uhttp

fantom-x · July 10, 2019, 1:52pm

Turned out not to be a workaround after all: I cannot connect to LuCI even though it is running.

netstat -nap | grep uhttp
tcp        2      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3222/uhttpd
tcp        2      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3222/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      3222/uhttpd
tcp        0      0 :::443                  :::*                    LISTEN      3222/uhttpd

anon45274024 · July 10, 2019, 2:03pm

could be that the openssl key generation hangs during maiden boot since there is almost nothing running at that time in the system and thus having a hard time to gather entropy and to generate certificate.

lleachii · July 10, 2019, 2:29pm

@fantom-x, @anon45274024 has a good point:

Try the suggestions here:

fantom-x · July 10, 2019, 3:26pm

I will try that, but even on 18.06 I get this, yet it did not prevent openssl from generating a new key.

sysctl kernel.random.entropy_avail
kernel.random.entropy_avail = 3

anon45274024 · July 10, 2019, 3:31pm

different versions of openssl 1.0.2s <> 1.1.1c, different prerequisites for key generation?

hnyman · July 10, 2019, 3:51pm

Mvebu is especially difficult target on entropy perspective as the WiFi driver does not generate entropy to the kernel pool, like e.g. ath9k and similar drivers do.

I bought a chaoskey entropy key for my wrt3200acm and introduced the drivers for it to OpenWrt. That helps a lot.

You might try generating the key manually later, after the boot process has completed. Jill the uhttps keygen process and possibly uhttps, wait a few minutes, and restart uhttpd to generate the keys.

anomeome · July 10, 2019, 4:30pm

It seemed to me that urngd was doing a pretty good job of generating early, and quickly, on a reboot.

fantom-x · July 10, 2019, 4:47pm

Seems like it is only in master.

anomeome · July 10, 2019, 4:55pm

hmm, I assumed that it would have found its way into 19.x, I wonder if that is an oversight.

fantom-x · July 10, 2019, 6:19pm

Took ~2h to get it this hight I will try havengd shortly.

kernel.random.entropy_avail = 98

fantom-x · July 10, 2019, 7:36pm

haveged has solved the problem. Is there any downside of using it vs urngd that only exists in master?

hnyman · July 10, 2019, 7:40pm

Not to my knowledge.

system · July 20, 2019, 7:47pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.