cloud_discovery: add automatic reenrolment of operational certificates

The daemon will check the vailidity of the operational certificate once and hour. If the certificate is valid for less than three days, a reenrollment is attempted. Once the reenroll happened the connection to the cloud controller will be restarted. Fixes: WIFI-14900 Fixes: WIFI-14694 Signed-off-by: John Crispin <john@phrozen.org>
2025-10-28 17:12:22 +00:00 · 2025-07-31 09:48:10 +02:00
parent 3a8fc316f2
commit d1e4c48617
1 changed files with 24 additions and 0 deletions
--- a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
+++ b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
@@ -27,6 +27,8 @@ let timeouts = {
 	'validate': 120,
 	'orphan': 2 * 60 * 60,
 	interval: 10000,
+	expiry_interval: 60 * 60 * 1000,
+	expiry_threshold: 3 * 24 * 60 * 60,
 };

 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "cloud_discover");
@@ -329,6 +331,27 @@ let ubus_methods = {
 	},
 };

+function expiry_handler() {
+	let stat = fs.stat('/etc/ucentral/operational.ca');
+	if (!stat)
+		return;
+
+	let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
+	if (!ret) {
+		ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
+		return;
+	}
+
+	ulog(LOG_INFO, 'certificate will expire soon\n');
+	if (system('/usr/bin/est_client reenroll')) {
+		ulog(LOG_INFO, 'reenroll failed\n');
+		return;
+	}
+	ulog(LOG_INFO, 'reenroll succeeded\n');
+	ulog(LOG_INFO, '(re)starting client\n');
+	system('/etc/init.d/ucentral restart');
+}
+
 if (gateway_available()) {
 	let status = ubus.call('ucentral', 'status');
 	ulog(LOG_INFO, 'cloud is known\n');
@@ -345,6 +368,7 @@ if (gateway_available()) {
 timeouts_load();

 interval = uloop.interval(timeouts.interval, interval_handler);
+uloop.interval(timeouts.expiry_interval, expiry_handler);

 ubus.publish('cloud', ubus_methods);