est_client: allow overriding CERT_PREFIX via an env variable

Signed-off-by: John Crispin <john@phrozen.org>
2025-10-30 18:07:52 +00:00 · 2025-07-17 08:19:12 +02:00
parent f56fb3c0d3
commit 20de4fe438
1 changed files with 15 additions and 11 deletions
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -8,10 +8,14 @@ import * as fs from 'fs';
 let store_operational_pem = false;
 let store_operational_ca = false;
 let est_server = 'qaest.certificates.open-lan.org:8001';
 let cert_prefix = 'operational';
 if (getenv('EST_SERVER'))
 	est_server = getenv('EST_SERVER');
 if (getenv('CERT_PREFIX'))
 	cert_prefix = getenv('CERT_PREFIX');
 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");
 function generate_csr(cert) {
@@ -86,12 +90,12 @@ function call_est_server(path, cert, target) {
 function simpleenroll() {
-	if (fs.stat('/etc/ucentral/operational.pem')) {
+	if (fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
 		ulog(LOG_INFO, 'Operational certificate is present\n');
 		return 0;
 	}
-	if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
+	if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/' + cert_prefix + '.pem'))
 		return 1; 
 	ulog(LOG_INFO, 'Operational cert acquired\n');
@@ -100,34 +104,34 @@ function simpleenroll() {
 }
 function simplereenroll() {
-	if (!fs.stat('/etc/ucentral/operational.pem')) {
+	if (!fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
 		ulog(LOG_INFO, 'Operational certificate was not found\n');
 		return 0;
 	}
-	if (call_est_server('simplereenroll', '/etc/ucentral/operational.pem', '/tmp/operational.pem'))
+	if (call_est_server('simplereenroll', '/etc/ucentral/' + cert_prefix + '.pem', '/tmp/' + cert_prefix + '.pem'))
 		return 1;
 	ulog(LOG_INFO, 'Operational cert updated\n');
-	store_operational_cert('/tmp/operational.pem', 'operational.pem');
+	store_operational_cert('/tmp/' + cert_prefix + '.pem', cert_prefix + '.pem');
 	system('store_certs');
 	return 0;
 }
 function load_operational_ca() {
-	if (fs.stat('/etc/ucentral/operational.ca')) {
+	if (fs.stat('/etc/ucentral/' + cert_prefix + '.ca')) {
 		ulog(LOG_INFO, 'Operational CA is present\n');
 		return 0;
 	}
-	let ret = system('curl -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
+	let ret = system('curl -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7');
 	if (!ret)
-		ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
+		ret = p7_too_pem('/tmp/' + cert_prefix + '.ca.nohdr.p7', '/etc/ucentral/' + cert_prefix + '.ca');
 	if (ret) {
 		ulog(LOG_INFO, 'Failed to load CA\n');
 		return 1;
 	}
-	system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
+	system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/' + cert_prefix + '.ca');
 	ulog(LOG_INFO, 'Acquired CA\n');
 	store_operational_ca = true;
 	return 0;
@@ -164,9 +168,9 @@ case 'enroll':
 	if (!ret)
 		ret = load_operational_ca();
 	if (store_operational_pem)
-		store_operational_cert('/etc/ucentral/operational.pem', 'operational.pem');
+		store_operational_cert('/etc/ucentral/' + cert_prefix + '.pem', cert_prefix + '.pem');
 	if (store_operational_ca)
-		store_operational_cert('/etc/ucentral/operational.ca', 'operational.ca');
+		store_operational_cert('/etc/ucentral/' + cert_prefix + '.ca', cert_prefix + '.ca');
 	if (store_operational_pem || store_operational_ca)
 		system('store_certs');