Commit a7678769 authored by Gary Wong

Add a unique serial number when regenerating self-signed CA certificate.

parent c8ceb583
...@@ -132,13 +132,16 @@ if( $? == -1 ) { ...@@ -132,13 +132,16 @@ if( $? == -1 ) {
die( "refusing to overwrite $originalfile" ); die( "refusing to overwrite $originalfile" );
rename( "$TB/etc/emulab.pem", "$originalfile" ) or rename( "$TB/etc/emulab.pem", "$originalfile" ) or
die( "could not rename root certificate" ); die( "could not rename root certificate" );
my $serial = TBGetUniqueIndex( "user_sslcerts" );
# Save the new certificate to a temporary file: OpenSSL will reuse the # Save the new certificate to a temporary file: OpenSSL will reuse the
# plain text from the old certificate instead of the current version, # plain text from the old certificate instead of the current version,
# so we regenerate the whole thing once we've finished to avoid # so we regenerate the whole thing once we've finished to avoid
# horrible confusion. # horrible confusion.
system( "$OPENSSL x509 -days 2000 -text -extfile $extfile " . system( "$OPENSSL x509 -days 2000 -text -extfile $extfile " .
"-signkey $TB/etc/emulab.key < $originalfile " . "-set_serial $serial -signkey $TB/etc/emulab.key " .
"> $TB/etc/emulab.tmp" ); "< $originalfile > $TB/etc/emulab.tmp" );
# For some reason, OpenSSL can return non-zero even when the certificate # For some reason, OpenSSL can return non-zero even when the certificate
# generation succeeded. Check the output file instead. # generation succeeded. Check the output file instead.
if( !( -s "$TB/etc/emulab.tmp" ) ) { if( !( -s "$TB/etc/emulab.tmp" ) ) {
......
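
Review bot: the result of TBGetUniqueIndex( "user_sslcerts" ) is interpolated into the system() command string after -set_serial with no check on it. If that call ever returns an undefined or empty value, -set_serial would take -signkey as its argument and the rest of the command line shifts; the later -s test on emulab.tmp would only catch that indirectly. Suggest confirming that $serial is defined and matches /^\d+$/ before building the command, and calling die otherwise, in line with the other die() checks in this block. A one-line comment on why the CA serial is drawn from the user_sslcerts index would also help the next reader.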