From 143d4e3b589ac9d0aab6eced2e8ca03c67be35ca Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Thu, 14 Aug 2025 11:44:04 +0200
Subject: [PATCH] cloud_discovery: make the reenrollment process more robust
Signed-off-by: John Crispin
---
 .../files/usr/bin/cloud_discovery | 61 ++++++++++++-------
 1 file changed, 39 insertions(+), 22 deletions(-)
diff --git a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
index 85b411c71..27dda32da 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
+++ b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
@@ -119,9 +119,10 @@ function gateway_write(data) {
 if (new[key] != gateway[key])
 changed = true;
 }
- if (changed)
+ if (changed) {
 fs.writefile('/etc/ucentral/gateway.json', new);
 system('sync');
+ }
 return changed;
 }
@@ -287,6 +288,36 @@ function interval_handler() {
 }
 }
+function trigger_reenroll() {
+ ulog(LOG_INFO, 'triggering reenroll\n');
+
+ if (system('/usr/bin/est_client reenroll')) {
+ ulog(LOG_INFO, 'reenroll failed\n');
+ return;
+ }
+
+ ulog(LOG_INFO, 'reenroll succeeded\n');
+ ulog(LOG_INFO, 'stopping client\n');
+
+ system('/etc/init.d/ucentral stop');
+ set_state(DISCOVER);
+}
+
+function expiry_handler() {
+ let stat = fs.stat('/etc/ucentral/operational.ca');
+ if (!stat)
+ return;
+
+ let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
+ if (!ret) {
+ ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
+ return;
+ }
+
+ ulog(LOG_INFO, 'certificate will expire soon\n');
+ trigger_reenroll();
+}
+
 let ubus_methods = {
 discover: {
 call: function(req) {
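Review bot: The result of `fs.writefile('/etc/ucentral/gateway.json', new)` is not checked inside the newly braced block, so gateway_write() still returns `changed` as true when the file could not be persisted (for example on a full or read-only overlay). A minimal guard would be `if (!fs.writefile('/etc/ucentral/gateway.json', new)) ulog(LOG_INFO, 'failed to write gateway.json\n');`. The file is also rewritten in place, so an interruption before `sync` completes can leave a truncated gateway.json; writing to a temporary file and renaming it over the target would avoid that. gateway_write() starts before this hunk.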
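Review bot: In expiry_handler() the guard stats `/etc/ucentral/operational.ca`, but the file handed to openssl is `/certificates/operational.pem`, and any non-zero exit from `openssl x509 -checkend` is read as "will expire soon". If the PEM is missing or unreadable, openssl also exits non-zero, so every expiry tick would call trigger_reenroll() and, on success, stop the client. Whether the two files are always provisioned together is not visible here, so I would guard on the file actually checked, `if (!fs.stat('/certificates/operational.pem')) return;`, and log that case separately. `timeouts.expiry_threshold` is defined outside the hunk and is interpolated into a shell command line; if it can come from configuration, coerce it first, e.g. `int(timeouts.expiry_threshold)`.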
@@ -361,29 +392,15 @@ let ubus_methods = {
 },
 args: {},
 },
+ reenroll: {
+ call: function(req) {
+ trigger_reenroll();
+ return 0;
+ },
+ args: {},
+ },
 };
-function expiry_handler() {
- let stat = fs.stat('/etc/ucentral/operational.ca');
- if (!stat)
- return;
-
- let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
- if (!ret) {
- ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
- return;
- }
-
- ulog(LOG_INFO, 'certificate will expire soon\n');
- if (system('/usr/bin/est_client reenroll')) {
- ulog(LOG_INFO, 'reenroll failed\n');
- return;
- }
- ulog(LOG_INFO, 'reenroll succeeded\n');
- ulog(LOG_INFO, '(re)starting client\n');
- system('/etc/init.d/ucentral restart');
-}
-
 set_cds_server();
 if (gateway_available()) {
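Review bot: The new `reenroll` ubus method returns 0 unconditionally because trigger_reenroll() has no return value, so a caller cannot tell a failed `est_client reenroll` from a successful one. Having trigger_reenroll() `return false;` on the failure path and `return true;` at the end would let this handler report the outcome. The handler also runs est_client synchronously and, on success, stops the ucentral client and puts the daemon back into DISCOVER. It is therefore worth confirming that the ubus ACL for this object, which is not part of this patch, limits who may invoke `reenroll`.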