So far, all of Ganeti's server certificates had the serial number '1'. While this works, it makes it hard to distinguish situations where the certificate is renewed from those where it wasn't. This patch uses a timestamp as serial number.
While this is still not strictly according to the SSL RFC, it is at least a number that is strictly growing and we can be sure that no two different server certificates will have the same serial number.
Signed-off-by: Helga Velroyen <[email protected]>
--- lib/backend.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/backend.py b/lib/backend.py index 8f495a2..69bd333 100644 --- a/lib/backend.py +++ b/lib/backend.py @@ -3988,9 +3988,11 @@ def CreateX509Certificate(validity, cryptodir=pathutils.CRYPTO_KEYS_DIR): @return: Certificate name and public part """ + serial_no = int(time.time()) (key_pem, cert_pem) = \ utils.GenerateSelfSignedX509Cert(netutils.Hostname.GetSysName(), - min(validity, _MAX_SSL_CERT_VALIDITY), 1) + min(validity, _MAX_SSL_CERT_VALIDITY), + serial_no) cert_dir = tempfile.mkdtemp(dir=cryptodir, prefix="x509-%s-" % utils.TimestampForFilename()) -- 2.4.3.573.g4eafbef
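Review bot: `serial_no = int(time.time())` in `CreateX509Certificate` does not give the uniqueness or the strict growth the commit message claims: two certificates created within the same second get the same serial, and a wall clock stepped backwards (NTP, manual correction) produces a serial smaller than the previous certificate's, so "renewed or not" cannot be read off the serial in exactly those cases. Consider keeping the timestamp in the high bits and adding entropy or a counter below it, e.g. `serial_no = (int(time.time()) << 32) | struct.unpack("!I", os.urandom(4))[0]`; RFC 5280 only requires the serial to be a positive integer of at most 20 DER octets that is unique per issuer, so there is room for that and the timestamp alone already satisfies the format. Two smaller points on the same hunk: the patch adds no `import time`, so confirm `lib/backend.py` already imports it, and the docstring (the `@return:` line is visible in the context) should state that the serial now encodes the creation time, since callers comparing serials will rely on it.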
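The properties the message above relies on (a strictly growing serial, no two certificates sharing one) hold only if no two certificates are created within the same second and the clock never steps backwards. The following Python 3 code is an added example, not Ganeti's code or part of this patch: `timestamp_serial` reproduces the patch's derivation so the same-second collision is visible, `SerialGenerator` shows one way to keep the creation time readable from the serial while making serials unique and monotonic (the `seconds << 32 | random` layout, the monotonic guard and the injectable `clock`/`rand` parameters are this example's own assumptions, not anything Ganeti does), and `is_valid_serial` checks RFC 5280's positive, at most 20-octet limit so the larger serial still fits. The random bits are taken with `struct.unpack` so the approach also ports to the Python 2 code base the patch targets.

```python
import os
import struct
import threading
import time

# RFC 5280, section 4.1.2.2: serialNumber is a positive INTEGER whose DER
# content is at most 20 octets, and it must be unique per issuer.
MAX_SERIAL_OCTETS = 20


def timestamp_serial(now=None):
    """Serial exactly as the patch derives it: whole seconds since the epoch.

    Two certificates generated in the same second get the same serial, and a
    clock stepped backwards yields a smaller serial than the previous one.
    """
    return int(time.time() if now is None else now)


class SerialGenerator:
    """Serial = (seconds since epoch << 32) | 32 random bits.

    The high bits keep the creation time readable from the serial; the low
    random bits separate certificates created in the same second; the guard
    in next_serial keeps serials strictly increasing within one process even
    when the clock steps back. This layout is the example's own choice.
    """

    def __init__(self, clock=time.time, rand=os.urandom):
        self._clock = clock      # injectable for deterministic tests
        self._rand = rand        # injectable for deterministic tests
        self._last = 0
        self._lock = threading.Lock()

    def next_serial(self):
        with self._lock:
            secs = int(self._clock())
            last_secs = self._last >> 32
            if secs < last_secs:
                secs = last_secs            # clock went backwards: never regress
            low = struct.unpack("!I", self._rand(4))[0]
            serial = (secs << 32) | low
            if serial <= self._last:
                serial = self._last + 1     # same second and colliding low bits
            self._last = serial
            return serial


def serial_issue_time(serial):
    """Recover the creation time (whole seconds) from a SerialGenerator serial."""
    return serial >> 32


def der_integer_content(serial):
    """Content octets of a DER INTEGER for a positive value.

    DER uses two's complement, so a leading 0x00 octet is required whenever
    the top bit of the first value octet would otherwise be set.
    """
    if serial <= 0:
        raise ValueError("X.509 serial numbers must be positive")
    return serial.to_bytes(serial.bit_length() // 8 + 1, "big")


def is_valid_serial(serial):
    """True if serial is a positive integer whose DER content fits in 20 octets."""
    return (isinstance(serial, int) and serial > 0
            and len(der_integer_content(serial)) <= MAX_SERIAL_OCTETS)


if __name__ == "__main__":
    gen = SerialGenerator()
    first, second = gen.next_serial(), gen.next_serial()
    print("patch-style serial:", timestamp_serial())
    print("two serials from one second:", first, second, "increasing:", first < second)
    print("creation time recovered:", time.ctime(serial_issue_time(first)))
    print("fits RFC 5280:", is_valid_serial(second))
```

The `clock` and `rand` parameters exist so the two failure modes (same-second creation, clock step) can be reproduced deterministically; in production both defaults are used and the generator is kept for the lifetime of the daemon so the monotonic guard covers every certificate it issues.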
