[automate-cli] Generate unique serial for self-signed certs #411
Conversation
Automate CLI generates a self-signed SSL certificate for the front-end load balancer if the user does not provide one. Previously, this certificate had a hard-coded Serial of 1. This PR changes it to a random serial to avoid errors in Firefox and potentially other browsers. Signed-off-by: Steven Danna <[email protected]>
| // | ||
| // Here, we set the limit to double this requirement. | ||
| limit := new(big.Int).Lsh(big.NewInt(1), 128) | ||
| ret, err := rand.Int(rand.Reader, limit) |
There was a problem hiding this comment.
Just wondering how this is seeded... would it generate the same sequence the next time the service is started? And is that necessarily a bad thing?
There was a problem hiding this comment.
@msorens Great question. The crypto/rand package uses an operating system entropy source.
On the systems we support, this means we'll likely be calling this system call:
http://man7.org/linux/man-pages/man2/getrandom.2.html
This means that we generally should be getting high-quality random data that will not be the same between runs. On systems that do not have that system call, it may fall back to another source that could produce predictable results if called during very early boot on some systems, but I don't think that is likely for our use case.
Automate CLI generates a self-signed SSL certificate for the front-end
load balancer if the user does not provide one.
Previously, this certificate had a hard-coded Serial of 1. This PR
changes it to a random serial to avoid errors in Firefox and
potentially other browsers.
Signed-off-by: Steven Danna [email protected]