refactor: don't use deprecated rand impl

soerenschneider · Jul 10, 2023 · f0c519b · f0c519b
1 parent 003e621
commit f0c519b
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/pkg/certstorage/storage.go b/pkg/certstorage/storage.go
@@ -6,11 +6,12 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/rand"
+	"time"
+
 	"github.com/go-acme/lego/v4/registration"
 	"github.com/rs/zerolog/log"
 	"github.com/soerenschneider/acmevault/internal/metrics"
-	"math/rand"
-	"time"
 )
 
 const (
@@ -20,6 +21,8 @@ const (
 	Skew            = time.Duration(24*60) * time.Hour
 )
 
+var rnd *rand.Rand = rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404
+
 type CertStorage interface {
 	// Authenticate authenticates against the storage subsystem and returns an error about the success of the operation.
 	Authenticate() error
@@ -74,9 +77,8 @@ func (cert *AcmeCertificate) NeedsRenewal() (bool, error) {
 	log.Info().Msgf("Not renewing cert for domain %s, still valid for %v", cert.Domain, timeLeft)
 
 	if timeLeft > MinCertLifetime && timeLeft <= Skew {
-		rand.Seed(time.Now().UnixNano())
-		if rand.Intn(100) >= 97 {
-			log.Info().Msgf("Earlier renewal of cert for domain %s to distribute cert expiries (%v)", cert.Domain, timeLeft)
+		if rnd.Intn(100) >= 97 {
+			log.Info().Msgf("Earlier renewal of cert for domain %s to distribute cert expires (%v)", cert.Domain, timeLeft)
 			return true, nil
 		}
 	}