From d1e4c486175c0e064cca9794f98c25dc57349169 Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Thu, 31 Jul 2025 09:48:10 +0200
Subject: [PATCH] cloud_discovery: add automatic reenrolment of operational certificates

The daemon will check the vailidity of the operational certificate once and hour. If the certificate is valid for less than three days, a reenrollment is attempted. Once the reenroll happened the connection to the cloud controller will be restarted.

Fixes: WIFI-14900
Fixes: WIFI-14694
Signed-off-by: John Crispin
---
 .../files/usr/bin/cloud_discovery | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
index a60c97478..c3d7f4b1c 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
+++ b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
@@ -27,6 +27,8 @@ let timeouts = {
 	'validate': 120,
 	'orphan': 2 * 60 * 60,
 	interval: 10000,
+	expiry_interval: 60 * 60 * 1000,
+	expiry_threshold: 3 * 24 * 60 * 60,
 };
 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "cloud_discover");
@@ -329,6 +331,27 @@ let ubus_methods = {
 	},
 };
+function expiry_handler() {
+	let stat = fs.stat('/etc/ucentral/operational.ca');
+	if (!stat)
+		return;
+
+	let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
+	if (!ret) {
+		ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
+		return;
+	}
+
+	ulog(LOG_INFO, 'certificate will expire soon\n');
+	if (system('/usr/bin/est_client reenroll')) {
+		ulog(LOG_INFO, 'reenroll failed\n');
+		return;
+	}
+	ulog(LOG_INFO, 'reenroll succeeded\n');
+	ulog(LOG_INFO, '(re)starting client\n');
+	system('/etc/init.d/ucentral restart');
+}
+
 if (gateway_available()) {
 	let status = ubus.call('ucentral', 'status');
 	ulog(LOG_INFO, 'cloud is known\n');
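Review bot: The guard at the top of `expiry_handler` stats `/etc/ucentral/operational.ca`, but the certificate actually examined is `/certificates/operational.pem`; if that file is missing or unreadable, `openssl x509 -checkend` exits non-zero exactly as it does for a soon-to-expire certificate, so the handler would run `est_client reenroll` and restart ucentral every hour without ever reporting the real cause. I would add a second guard before the openssl call, `if (!fs.stat('/certificates/operational.pem')) { ulog(LOG_WARNING, 'operational certificate not found\n'); return; }`, so a missing certificate is logged rather than treated as expiry. The reenroll failure is also logged at LOG_INFO, where LOG_WARNING or LOG_ERR would let operators alert on it. If `timeouts_load()` (called in the final hunk) can override `expiry_threshold` from configuration, note that the value is interpolated unquoted into a shell command string; coercing it with `int()` before the template literal would keep the command free of injection.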
@@ -345,6 +368,7 @@ if (gateway_available()) {
 timeouts_load();
 interval = uloop.interval(timeouts.interval, interval_handler);
+uloop.interval(timeouts.expiry_interval, expiry_handler);
 ubus.publish('cloud', ubus_methods);