Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 956442

Summary: www-servers/apache-2.4.62: default config references SSL cert that doesn't exist by default
Product: Gentoo Linux Reporter: Calvin Buckley <calvin>
Component: Current packagesAssignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: binhost, calvin, eschwartz, floppym, shimarin
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/42258
https://bugs.gentoo.org/show_bug.cgi?id=956634
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge -av www-server/apache
ssl-cert eclass patch

Description Calvin Buckley 2025-05-22 16:26:26 UTC 
This doesn't seem to be generated out of the box, and it's on by default with USE=ssl. If generating this should be done, it should be documented on i.e. the wiki page for Apache. Otherwise, it should be off by default so that starting Apache works out of the box.

```
$ sudo systemctl status apache2
× apache2.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/apache2.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Thu 2025-05-22 11:54:29 ADT; 17s ago
   Duration: 101ms
 Invocation: 8fb2f071472a42a38f7686c869e46356
    Process: 9123 ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 9123 (code=exited, status=1/FAILURE)
   Mem peak: 2.6M
        CPU: 30ms

May 22 11:54:29 utmgentoo systemd[1]: Started The Apache HTTP Server.
May 22 11:54:29 utmgentoo apache2[9123]: AH00526: Syntax error on line 47 of /etc/apache2/vhosts.d/00_default_ssl_vhost.conf:
May 22 11:54:29 utmgentoo apache2[9123]: SSLCertificateFile: file '/etc/ssl/apache2/server.crt' does not exist or is empty
May 22 11:54:29 utmgentoo systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
May 22 11:54:29 utmgentoo systemd[1]: apache2.service: Failed with result 'exit-code'.
```

emerge --info:

```
Portage 3.0.66.1 (python 3.12.9-final-0, default/linux/arm64/23.0/systemd, gcc-14, glibc-2.40-r8, 6.12.16-gentoo-dist aarch64)
=================================================================
System uname: Linux-6.12.16-gentoo-dist-aarch64-with-glibc2.40
KiB Mem:     3991628 total,   3431176 free
KiB Swap:    4194300 total,   4194300 free
Timestamp of repository gentoo: Tue, 06 May 2025 04:45:00 +0000
Head commit of repository gentoo: 5cb7f712f96426481ecf1d9646b6ac16abe3f69c
sh bash 5.2_p37
ld GNU ld (Gentoo 2.43 p3) 2.43.1
app-misc/pax-utils:        1.3.8::gentoo
app-shells/bash:           5.2_p37::gentoo
dev-build/autoconf:        2.72-r1::gentoo
dev-build/automake:        1.17-r1::gentoo
dev-build/cmake:           3.31.5::gentoo
dev-build/libtool:         2.5.4::gentoo
dev-build/make:            4.4.1-r100::gentoo
dev-build/meson:           1.5.2::gentoo
dev-lang/perl:             5.40.0-r1::gentoo
dev-lang/python:           3.12.9::gentoo, 3.13.2::gentoo
llvm-core/clang:           16.0.6::gentoo, 19.1.7::gentoo
llvm-core/llvm:            16.0.6-r5::gentoo, 19.1.7::gentoo
sys-apps/baselayout:       2.17::gentoo
sys-apps/sandbox:          2.39::gentoo
sys-apps/systemd:          256.10::gentoo
sys-devel/binutils:        2.43-r2::gentoo
sys-devel/binutils-config: 5.5.2::gentoo
sys-devel/gcc:             12.4.1_p20241219::gentoo, 14.2.1_p20241221::gentoo
sys-devel/gcc-config:      2.12.1::gentoo
sys-kernel/linux-headers:  6.12::gentoo (virtual/os-headers)
sys-libs/glibc:            2.40-r8::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts: 

personal
    location: /var/db/repos/personal
    masters: gentoo
    volatile: False

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://distfiles.gentoo.org/releases/arm64/binpackages/23.0/arm64

ACCEPT_KEYWORDS="arm64"
ACCEPT_LICENSE="@FREE"
CBUILD="aarch64-unknown-linux-gnu"
CFLAGS="-march=armv8.4-a -O2 -pipe"
CHOST="aarch64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d"
CXXFLAGS="-march=armv8.4-a -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=armv8.4-a -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles getbinpkg ipc-sandbox merge-sync merge-wait multilib-strict network-sandbox news parallel-fetch pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=armv8.4-a -O2 -pipe"
GENTOO_MIRRORS="http://mirror.reenigne.net/gentoo/     http://gentoo.mirrors.tera-byte.com/     http://mirror.csclub.uwaterloo.ca/gentoo-distfiles/"
LANG="en_CA.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="acl arm64 bzip2 crypt gdbm iconv ipv6 libtirpc ncurses nls openmp pam pcre readline seccomp ssl systemd test-rust udev unicode xattr zlib" ADA_TARGET="gcc_14" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_ARM="edsp v8 vfp vfp-d32 vfpv3 vfpv4" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" GUILE_SINGLE_TARGET="3-0" GUILE_TARGETS="3-0" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-2" POSTGRES_TARGETS="postgres17" PYTHON_SINGLE_TARGET="python3_13" PYTHON_TARGETS="python3_13" RUBY_TARGETS="ruby32" VIDEO_CARDS="fbdev dummy" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, MAKEOPTS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
```
Comment 1 Hans de Graaff gentoo-dev Security 2025-05-23 06:40:37 UTC 
Installing apache should install that certificate. It does this only when the associated .pem file does not exist. Perhaps you have a /etc/ssl/apache2/server.pem file left that prohibits the generation of the certificate?
Comment 2 Calvin Buckley 2025-05-23 07:12:49 UTC 
This was a new install, so there would be no previous Apache config. The only thing that I could think of that may throw it off is that I'm using the binary packages whenever possible. Perhaps those don't create the certificate vs. a normal emerge from source?
Comment 3 Calvin Buckley 2025-05-23 13:42:13 UTC 
Created attachment 929353 [details]
emerge -av www-server/apache

Attaching the emerge output since I forgot, in case it helps for i.e. post-install stuff that didn't get triggered.
Comment 4 Hans de Graaff gentoo-dev Security 2025-05-25 09:35:58 UTC 
(In reply to Calvin Buckley from comment #2)
> This was a new install, so there would be no previous Apache config. The
> only thing that I could think of that may throw it off is that I'm using the
> binary packages whenever possible. Perhaps those don't create the
> certificate vs. a normal emerge from source?

That is a possibility, I have cc'ed the binhost people so that they can have a look.
Comment 5 Eli Schwartz gentoo-dev 2025-05-25 10:06:37 UTC 
(In reply to Calvin Buckley from comment #2)
> This was a new install, so there would be no previous Apache config. The
> only thing that I could think of that may throw it off is that I'm using the
> binary packages whenever possible. Perhaps those don't create the
> certificate vs. a normal emerge from source?

Binary packages run pkg_postinst only after being installed. Its (pkg_postinst) output is not part of the built package.

apache-2.eclass defines

apache-2_pkg_postinst() {
        if use ssl && [[ ! -e "${EROOT}/etc/ssl/apache2/server.pem" ]]; then
                SSL_ORGANIZATION="${SSL_ORGANIZATION:-Apache HTTP Server}"
                install_cert /etc/ssl/apache2/server
[...]
}


and this code snippet is executed at `emerge --getbinpkg www-servers/apache` time, *not* on the build server.
Comment 6 Eli Schwartz gentoo-dev 2025-05-25 10:17:11 UTC 
From your log, 


>>> /etc/apache2/httpd.conf
 * Generating OpenSSL configuration for CA ...                                                                                                           [ ok ]
 * Generating 4096 bit RSA key for CA ...                                                                                                                [ !! ]
 * 
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.

This is from within that conditional block...

install_cert() {
[...]

        # Generate a CA environment #164601
        gen_cnf 1 || return 1
# will print: Generating OpenSSL configuration
        gen_key 1 || return 1
# will print: Generating ${SSL_BITS} bit RSA key
        gen_csr 1 || return 1
# will print: Generating Certificate Signing Request
        gen_crt 1 || return 1
# will print: Generating self-signed X.509 Certificate

[...]
}

But only the first two run. Oops. The status is "[ !! ]" indicating failure.
Comment 7 Mike Gilbert gentoo-dev 2025-05-25 16:52:06 UTC 
Created attachment 929561 [details, diff]
ssl-cert eclass patch

Could you apply this patch to ssl-cert.eclass and reinstall apache? Hopefully this will generate a more useful error message in the build log.
Comment 8 Calvin Buckley 2025-05-25 22:31:37 UTC 
There's no change after applying the patch. Do I need to not use the binary package for this to be applied?

```
[...]
>>> /etc/apache2/httpd.conf
 * Generating OpenSSL configuration for CA ...                                                                                                                 [ ok ]
 * Generating 4096 bit RSA key for CA ...                                                                                                                      [ !! ]
 * 
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
 * 

 * Attention: cgi and cgid modules are now handled via APACHE2_MODULES flags
 * in make.conf. Make sure to enable those in order to compile them.
 * In general, you should use 'cgid' with threaded MPMs and 'cgi' otherwise.

 * Attention: The tls module based on rustls-ffi has been moved to its own package.
 * emerge www-apache/mod_tls to continue using the tls module.
>>> www-servers/apache-2.4.63-r1 merged.
[...]
```
Comment 9 Eli Schwartz gentoo-dev 2025-05-25 23:59:30 UTC 
(In reply to Calvin Buckley from comment #8)
> There's no change after applying the patch. Do I need to not use the binary
> package for this to be applied?


Yes. The pkg_postinst shell code at the time the binary package got built, is what is stored in the binary package for later running.
Comment 10 Calvin Buckley 2025-05-26 01:38:44 UTC 
Building `www-servers/apache-2.4.63-r1` after having merged Mike's patch, it seems it actually succeeds somehow:

```
[...]
>>> /usr/lib64/apache2/modules/mod_authn_file.so
 * Generating OpenSSL configuration for CA ...                                                                                                                  [ ok ]
 * Generating 4096 bit RSA key for CA ...                                                                                                                       [ ok ]
 * Generating Certificate Signing Request for CA ...                                                                                                            [ ok ]
 * Generating self-signed X.509 Certificate for CA ...
Certificate request self-signature ok
subject=C=US, ST=California, L=Santa Barbara, O=Apache HTTP Server, OU=For Testing Purposes Only, CN=localhost CA, emailAddress=root@localhost                  [ ok ]

 * Generating OpenSSL configuration ...                                                                                                                         [ ok ]

 * Generating 4096 bit RSA key ...                                                                                                                              [ ok ]
 * Generating Certificate Signing Request ...                                                                                                                   [ ok ]
 * Generating authority-signed X.509 Certificate ...
Certificate request self-signature ok
subject=C=US, ST=California, L=Santa Barbara, O=Apache HTTP Server, OU=For Testing Purposes Only, CN=localhost, emailAddress=root@localhost                     [ ok ]
 * Generating PEM Certificate ...                                                                                                                               [ ok ]

 * 
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
 * 

 * Attention: cgi and cgid modules are now handled via APACHE2_MODULES flags
 * in make.conf. Make sure to enable those in order to compile them.
 * In general, you should use 'cgid' with threaded MPMs and 'cgi' otherwise.

 * Attention: The tls module based on rustls-ffi has been moved to its own package.
 * emerge www-apache/mod_tls to continue using the tls module.
>>> www-servers/apache-2.4.63-r1 merged.
```

The generated certificate is in `/etc/ssl/apache2`. But, If I try using the same version as binpkg from emerge, however, it fails as previously mentioned:

```
[...]
>>> /etc/apache2/httpd.conf
 * Generating OpenSSL configuration for CA ...                                                                                                                  [ ok ]
 * Generating 4096 bit RSA key for CA ...                                                                                                                       [ !! ]
 * 
 * The location of SSL certificates has changed. If you are
 * upgrading from www-servers/apache-2.2.13 or earlier (or remerged
 * *any* apache version), you might want to move your old
 * certificates from /etc/apache2/ssl/ to /etc/ssl/apache2/ and
 * update your config files.
 * 

 * Attention: cgi and cgid modules are now handled via APACHE2_MODULES flags
 * in make.conf. Make sure to enable those in order to compile them.
 * In general, you should use 'cgid' with threaded MPMs and 'cgi' otherwise.

 * Attention: The tls module based on rustls-ffi has been moved to its own package.
 * emerge www-apache/mod_tls to continue using the tls module.
>>> www-servers/apache-2.4.63-r1 merged.
```
Comment 11 Eli Schwartz gentoo-dev 2025-05-26 02:00:42 UTC 
Hmm, maybe just add a /usr/local/bin/openssl wrapper script that redirects stdout/stderr to /tmp/sslcert.log and wait for the binary package to call the wrapper.
Comment 12 Calvin Buckley 2025-05-26 02:20:59 UTC 
Reinstalling the binary package after removing /etc/ssl/apache2 again, same error condition as last time, and nothing interesting in stdio from openssl:

```
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.err
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264461ca.key 4096
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.out
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264461ca.key 4096
utmgentoo /var/db/repos/gentoo # cat /usr/local/bin/openssl
#!/usr/bin/env bash
set -euo pipefail
echo " ** openssl $@" >> /tmp/ssl.out
echo " ** openssl $@" >> /tmp/ssl.err
/usr/bin/openssl "$@" | tee -a /tmp/ssl.out 2>> /tmp/ssl.err
```
Comment 13 Eli Schwartz gentoo-dev 2025-05-26 02:41:15 UTC 
(In reply to Calvin Buckley from comment #12)

> utmgentoo /var/db/repos/gentoo # cat /usr/local/bin/openssl
> #!/usr/bin/env bash
> set -euo pipefail
> echo " ** openssl $@" >> /tmp/ssl.out
> echo " ** openssl $@" >> /tmp/ssl.err
> /usr/bin/openssl "$@" | tee -a /tmp/ssl.out 2>> /tmp/ssl.err
> ```


Don't bother with tee. For this use case it is unnecessary complexity and is hiding the fact that the error stream for the openssl tool isn't being redirected at all -- only the error stream for "tee".
Comment 14 Calvin Buckley 2025-05-26 02:47:21 UTC 
ah, forget I was capturing stderr from the wrong thing. I love unix!

```
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.out
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264967ca.key 4096
utmgentoo /var/db/repos/gentoo # cat /tmp/ssl.err
 ** openssl genrsa -rand /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/environment:/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log:/etc/resolv.conf -out /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/264967ca.key 4096
Can't load /var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log into RNG
209024ABFFFF0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../openssl-3.3.3/crypto/rand/randfile.c:107:Filename=/var/tmp/portage/www-servers/apache-2.4.63-r1/temp/eclass-debug.log
utmgentoo /var/db/repos/gentoo # cat /usr/local/bin/openssl
#!/usr/bin/env bash
set -euo pipefail
echo " ** openssl $@" >> /tmp/ssl.out
echo " ** openssl $@" >> /tmp/ssl.err
/usr/bin/openssl "$@" >> /tmp/ssl.out 2>> /tmp/ssl.err
```
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-26 02:52:45 UTC 
```
        # Location of some random files OpenSSL can use: don't use
        # /dev/u?random here -- doesn't work properly on all platforms
        SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
```
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-26 02:53:46 UTC 
(In reply to Sam James from comment #15)
> ```
>         # Location of some random files OpenSSL can use: don't use
>         # /dev/u?random here -- doesn't work properly on all platforms
>         SSL_RANDOM="${T}/environment:${T}/eclass-debug.log:/etc/resolv.conf"
> ```

https://docs.openssl.org/1.1.1/man1/rand/#notes

"""
NOTES¶

Prior to OpenSSL 1.1.1, it was common for applications to store information about the state of the random-number generator in a file that was loaded at startup and rewritten upon exit. On modern operating systems, this is generally no longer necessary as OpenSSL will seed itself from a trusted entropy source provided by the operating system. The -rand and -writerand flags are still supported for special platforms or circumstances that might require them.

It is generally an error to use the same seed file more than once and every use of -rand should be paired with -writerand.
""""
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-26 02:56:44 UTC 
*** Bug 791184 has been marked as a duplicate of this bug. ***
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-05-26 02:58:00 UTC 
An old dupe: bug 791184.
Comment 19 Mike Gilbert gentoo-dev 2025-05-26 03:02:30 UTC 
openssl is trying to use ${T}/eclass-debug.log to seed its random number generator. It seems this file does not exist when the binpkg is being merged.

ssl-cert.eclass mentions that /dev/[u]random should not be used since it "doesn't work properly on all platforms". This comment dates back to 2003 and is likely nonsense. Modern openssl will use the getrandom() syscall on Linux anyway.

I would propose we drop SSL_RANDOM and the -rand option from ssl-cert.eclass.
Comment 20 Larry the Git Cow gentoo-dev 2025-05-27 18:17:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf8a9809c6529960579264d2102ced61c9779960

commit bf8a9809c6529960579264d2102ced61c9779960
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2025-05-26 03:07:43 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2025-05-27 18:14:49 +0000

    ssl-cert.eclass: do not pass -rand to openssl
    
    Let openssl find a suitable entropy source instead of using some random
    log files for "random" bytes.
    
    Bug: https://bugs.gentoo.org/956442
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 eclass/ssl-cert.eclass | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=511c5d9c5f92f4b2994f11435e3936b7286318be

commit 511c5d9c5f92f4b2994f11435e3936b7286318be
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2025-05-25 16:49:21 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2025-05-27 18:14:48 +0000

    ssl-cert.eclass: use edob for openssl calls
    
    Bug: https://bugs.gentoo.org/956442
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 eclass/ssl-cert.eclass | 40 ++++++++++++++++++----------------------
 1 file changed, 18 insertions(+), 22 deletions(-)
Comment 21 Hans de Graaff gentoo-dev Security 2025-06-08 10:27:44 UTC 
My understanding is that the changes in ssl-cert.eclass should fix this. Please re-open if this is still a problem.