Closed kheimerl closed 7 years ago
are you sure? It looks fine to me:
TASK [add easyrsa repo] ********************************************************
changed: [cert] => {"after": "5a429d22c78604c95813b457a8bea565a39793fa", "before": null, "changed": true, "warnings": []}
TASK [copy easyrsa] ************************************************************
changed: [cert] => {"changed": true, "cmd": ["cp", "/home/vagrant/easyrsa/easyrsa3/easyrsa", "/home/vagrant/certifier/"], "delta": "0:00:00.004870", "end": "2016-12-19 13:38:32.960355", "rc": 0, "start": "2016-12-19 13:38:32.955485", "stderr": "", "stdout": "", "stdout_lines": [], "warnings": []}
TASK [easyrsa permissions] *****************************************************
ok: [cert] => {"changed": false, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/home/vagrant/certifier/easyrsa", "size": 35253, "state": "file", "uid": 0}
The prod one, certifier.yml.
This is by design. The cert generation used for the development environment isn't a recommended setup for a production deployment, and how one wants to deploy in production is probably going to vary from environment to environment.
What we've done in the past for production environments is generate a root key on a known trusted machine with a good source of randomness (i.e., not on AWS). The root key is stored offline and used only to generate signing key(s), which are then manually copied over to the machine running certifier
via a secure channel. Then the signing key is used like the root key in the dev environment.
We should copy the easyrsa script and certifier.py over, and if we're not doing that that's a bug. But adding instructions or a script for production-ready key generation, etc, is something we'd have to add.
We are not copying the easyrsa script over and that is a bug.
On Tue, Dec 20, 2016 at 9:21 AM, Shaddi Hasan notifications@github.com wrote:
This is by design. The cert generation used for the development environment isn't a recommended setup for a production deployment, and how one wants to deploy in production is probably going to vary from environment to environment.
What we've done in the past for production environments is generate a root key on a known trusted machine with a good source of randomness (i.e., not on AWS). The root key is stored offline and used only to generate signing key(s), which are then manually copied over to the machine running certifier via a secure channel. Then the signing key is used like the root key in the dev environment.
We should copy the easyrsa script and certifier.py over, and if we're not doing that that's a bug. But adding instructions or a script for production-ready key generation, etc, is something we'd have to add.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/facebookincubator/CommunityCellularManager/issues/18#issuecomment-268302910, or mute the thread https://github.com/notifications/unsubscribe-auth/AA_rnzRjLjLyaqmw9jQ11TzjWV6lv5uNks5rKA6cgaJpZM4LPqG2 .
resolved by 8ec79b6
eom