[automate-cli] Generate unique serial for self-signed certs (#411)

Automate CLI generates a self-signed SSL certificate for the front-end load balancer if the user does not provide one. Previously, this certificate had a hard-coded Serial of 1. This PR changes it to a random serial to avoid errors in Firefox and potentially other browsers. Signed-off-by: Steven Danna <[email protected]>
chef · May 24, 2019 · 13c733e · 13c733e
1 parent 1a9719f
commit 13c733e
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/api/config/deployment/init_config.go b/api/config/deployment/init_config.go
@@ -356,9 +356,31 @@ func generatePrivateKey() (*rsa.PrivateKey, error) {
 	return rsa.GenerateKey(rand.Reader, keyLength)
 }
 
+func generateSerial() (*big.Int, error) {
+	// According to
+	// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf:
+	//
+	// Effective September 30, 2016, CAs SHALL generate
+	// non-sequential Certificate serial numbers greater than zero
+	// (0) containing at least 64 bits of output from a CSPRNG.
+	//
+	// Here, we set the limit to double this requirement.
+	limit := new(big.Int).Lsh(big.NewInt(1), 128)
+	ret, err := rand.Int(rand.Reader, limit)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to generate serial number")
+	}
+	return ret, nil
+}
+
 func generateCert(priv *rsa.PrivateKey, fqdn string) ([]byte, error) {
+	serial, err := generateSerial()
+	if err != nil {
+		return nil, err
+	}
+
 	certSpec := x509.Certificate{
-		SerialNumber: big.NewInt(1),
+		SerialNumber: serial,
 		Subject: pkix.Name{
 			Country:            []string{"US"},
 			Organization:       []string{"Chef Software"},