From f2b69ce97208172e374526a530e2be9fd7a97af5 Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Tue, 8 Jul 2025 09:41:12 +0200
Subject: [PATCH] est_client: fix reenroll call

the wrong certificate was being used

Signed-off-by: John Crispin
---
 feeds/tip/cloud_discovery/files/usr/bin/est_client | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
index 18a7cf4b3..a5fa8a786 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -65,11 +65,11 @@ function p7_too_pem(src, dst) {
 return 0;
 }
-function call_est_server(cert, target) {
+function call_est_server(path, cert, target) {
 if (generate_csr(cert))
 return 1;
-let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
+let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
 if (ret) {
 ulog(LOG_INFO, 'Failed to request operational certificate\n');
 return 1;
@@ -86,7 +86,7 @@ function simpleenroll() {
 return 0;
 }
-if (call_est_server('/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
+if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
 return 1;
 ulog(LOG_INFO, 'Operational cert acquired\n');
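Review bot: The new `path` and `cert` parameters of call_est_server() are concatenated unquoted into the command string handed to system(), so the function is now only safe as long as every caller passes a fixed literal, which the two call sites in this patch do but nothing in the function enforces or states. Either quote the interpolated values inside the command string (`'... --cert \'' + cert + '\' ...'`) or record the contract above the function, e.g. `// path and cert are spliced into a shell command: callers must pass fixed, trusted literals only.` Note also that `--key /etc/ucentral/key.pem` stays hard-coded while the certificate now varies; if the operational certificate is ever bound to a different key this silently mismatches, so a comment stating that both certificates share key.pem (or a key parameter) would help. The function body, including the use of `target`, continues past the end of the hunk.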
@@ -100,7 +100,7 @@ function simplereenroll() {
 return 0;
 }
-if (call_est_server('/etc/ucentral/operational.pem', '/tmp/operational.pem'))
+if (call_est_server('simplereenroll', '/etc/ucentral/operational.pem', '/tmp/operational.pem'))
 return 1;
 ulog(LOG_INFO, 'Operational cert updated\n');
@@ -114,7 +114,7 @@ function load_operational_ca() {
 ulog(LOG_INFO, 'Operational CA is present\n');
 return 0;
 }
-let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
+let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
 if (!ret)
 ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
 if (ret) {
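Review bot: In load_operational_ca() the cacerts request now authenticates with /etc/ucentral/operational.pem, which according to the simpleenroll() hunk only exists once enrollment has succeeded, so this function now depends on being called after simpleenroll(); the call order is not visible in this patch and should be confirmed. A one-line comment above the curl call would make the new precondition explicit, e.g. `// needs the enrolled operational cert: must run after simpleenroll() has written /etc/ucentral/operational.pem`. Relatedly, the ordering means the operational CA bundle is fetched only after a certificate issued under it has already been accepted and stored, which is fine if the insta.pem-pinned TLS channel is the intended trust source, but is worth a sentence in the commit message or a comment. The remainder of the function's error handling lies outside the hunk.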