ucentral-client: update to latest HEAD

cb17a78 ucentral-client: Add command-line options for certificate paths Signed-off-by: John Crispin <john@phrozen.org>
cloud_discovery: add bind-dig dependency
2025-12-04 23:15:16 +00:00 · 2025-11-25 08:07:10 +01:00 · 2025-11-25 08:06:54 +01:00 · 2025-11-25 07:31:08 +01:00 · 2025-11-25 07:31:08 +01:00 · 2025-11-25 07:31:08 +01:00
7 changed files with 181 additions and 25 deletions
--- a/feeds/tip/certificates/files/etc/init.d/early_boot
+++ b/feeds/tip/certificates/files/etc/init.d/early_boot
@@ -5,7 +5,7 @@ START=09
 copy_certificates() {
 	[ -f /certificates/key.pem ] || return

-	cp /certificates/cert.pem /certificates/key.pem /certificates/operational.* /etc/ucentral/
+	cp /certificates/*.pem /certificates/*.ca /etc/ucentral/ 2>/dev/null || true
 	chown root.network /etc/ucentral/*.pem /etc/ucentral/*.ca
 	chmod 0440 root.network /etc/ucentral/*.pem /etc/ucentral/*.ca
 	[ -f /certificates/gateway.json ] && cp /certificates/gateway.json /etc/ucentral/gateway.flash
--- a/feeds/tip/cloud_discovery/Makefile
+++ b/feeds/tip/cloud_discovery/Makefile
@@ -12,7 +12,7 @@ define Package/cloud_discovery
  SECTION:=ucentral
  CATEGORY:=uCentral
  TITLE:=TIP cloud_discovery
-  DEPENDS:=+certificates
+  DEPENDS:=+certificates +bind-dig
 endef

 Build/Compile=
--- a/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
+++ b/feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery
@@ -3,6 +3,7 @@
 'use strict';

 import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
+import { query } from 'resolv';
 import * as libubus from 'ubus';
 import * as uloop from 'uloop';
 import * as libuci from 'uci';
@@ -17,8 +18,12 @@ const ORPHAN = 4;

 const DISCOVER_DHCP = "DHCP";
 const DISCOVER_FLASH = "FLASH";
+const DISCOVER_FQDN = "STANDARD_FQDN";
 const DISCOVER_LOOKUP = "OpenLAN";

+const STANDARD_FQDN = "openwifi.wlan.local";
+const STANDARD_FQDN_PORT = 15002;
+
 let ubus = libubus.connect();
 let uci = libuci.cursor();
 let state = DISCOVER;
@@ -118,7 +123,7 @@ function gateway_write(data) {
 	gateway ??= {};
 	let new = {};
 	let changed = false;
-	for (let key in [ 'server', 'port', 'valid', 'hostname_validate' ]) {
+	for (let key in [ 'server', 'port', 'valid', 'hostname_validate', 'cert', 'ca' ]) {
 		if (exists(data, key))
 			new[key] = data[key];
 		else if (exists(gateway, key))
@@ -140,6 +145,17 @@ function gateway_available() {
 	return true;
 }

+function dnsmasq_rebind_allow(fqdn) {
+	let config_dir = '/tmp/dnsmasq.d';
+	let config_file = `${config_dir}/cloud-discovery.conf`;
+
+	if (!fs.stat(config_dir))
+		fs.mkdir(config_dir);
+
+	fs.writefile(config_file, `rebind-domain-ok=/${fqdn}/\n`);
+	system('/etc/init.d/dnsmasq reload');
+}
+
 function set_state(set) {
 	if (state == set)
 		return;
@@ -187,8 +203,21 @@ function set_state(set) {
 function discover_dhcp() {
 	let dhcp = readjsonfile('/tmp/cloud.json');
 	if (dhcp?.dhcp_server && dhcp?.dhcp_port) {
-		if (gateway_write({ server: dhcp.dhcp_server, port:dhcp.dhcp_port, valid: false, hostname_validate: dhcp.no_validation ? 0 : 1 })) {
-			ulog(LOG_INFO, `Discovered cloud via DHCP ${dhcp.dhcp_server}:${dhcp.dhcp_port}\n`);
+		let fqdn = split(dhcp.dhcp_server, ':')[0];
+		dnsmasq_rebind_allow(fqdn);
+		if (gateway_write({
+			server: dhcp.dhcp_server,
+			port: dhcp.dhcp_port,
+			valid: false,
+			hostname_validate: dhcp.no_validation ? 0 : 1,
+			cert: `/etc/ucentral/${fqdn}.pem`,
+			ca: `/etc/ucentral/${fqdn}.ca`
+		})) {
+			ulog(LOG_INFO, `Discovered cloud via DHCP ${dhcp.dhcp_server}:${dhcp.dhcp_port} - trying EST\n`);
+			fs.writefile('/tmp/discovery.method', DISCOVER_DHCP);
+			if (system('/usr/bin/est_client enroll'))
+	                        return false;
+			ulog(LOG_INFO, `Discovered cloud via DHCP ${dhcp.dhcp_server}:${dhcp.dhcp_port} - starting client\n`);
 			client_start();
 			set_state(VALIDATING);
 		}
@@ -209,10 +238,18 @@ function redirector_lookup() {
 	let redir = readjsonfile(path);
 	if (redir?.controller_endpoint) {
 		let controller_endpoint = split(redir.controller_endpoint, ':');
-		if (gateway_write({ server: controller_endpoint[0], port: controller_endpoint[1] || 15002, valid: false, hostname_validate: 1 })) {
+		if (gateway_write({
+			server: controller_endpoint[0],
+			port: controller_endpoint[1] || 15002,
+			valid: false,
+			hostname_validate: 1,
+			cert: '/etc/ucentral/operational.pem',
+			ca: '/etc/ucentral/operational.ca'
+		})) {
 			ulog(LOG_INFO, `Discovered cloud via lookup service ${controller_endpoint[0]}:${controller_endpoint[1] || 15002}\n`);
-                        client_start();
-                	set_state(VALIDATING);
+			fs.writefile('/tmp/discovery.method', DISCOVER_LOOKUP);
+			client_start();
+			set_state(VALIDATING);
 		}
 	} else {
 		ulog(LOG_INFO, 'Failed to discover cloud endpoint\n');
@@ -224,11 +261,44 @@ function discover_flash() {
 		return 1;
 	ulog(LOG_INFO, 'Using pre-populated cloud information\n');
 	fs.writefile('/etc/ucentral/gateway.json', fs.readfile('/etc/ucentral/gateway.flash'));
+	fs.writefile('/tmp/discovery.method', DISCOVER_FLASH);
 	client_start();
 	set_state(VALIDATING);
 	return 0;
 }

+function discover_standard_fqdn() {
+	ulog(LOG_INFO, `Trying standard FQDN: ${STANDARD_FQDN}\n`);
+
+	let result = query([STANDARD_FQDN], { type: ['A'] });
+	if (!result || !result[STANDARD_FQDN] || !result[STANDARD_FQDN].A) {
+		ulog(LOG_INFO, `Failed to resolve ${STANDARD_FQDN}\n`);
+		return false;
+	}
+
+	let address = result[STANDARD_FQDN].A[0];
+	ulog(LOG_INFO, `Resolved ${STANDARD_FQDN} to ${address}\n`);
+
+	dnsmasq_rebind_allow(STANDARD_FQDN);
+
+	if (gateway_write({
+		server: STANDARD_FQDN,
+		port: STANDARD_FQDN_PORT,
+		valid: false,
+		hostname_validate: 1,
+		cert: `/etc/ucentral/${STANDARD_FQDN}.pem`,
+		ca: `/etc/ucentral/${STANDARD_FQDN}.ca`
+	})) {
+		ulog(LOG_INFO, `Discovered cloud via standard FQDN ${STANDARD_FQDN}\n`);
+		fs.writefile('/tmp/discovery.method', DISCOVER_FQDN);
+		client_start();
+		set_state(VALIDATING);
+		return true;
+	}
+
+	return false;
+}
+
 function time_is_valid() {
 	let valid = !!fs.stat('/tmp/ntp.set');
 	if (!valid)
@@ -269,21 +339,25 @@ function interval_handler() {

 	case DISCOVER:
 		ulog(LOG_INFO, 'Starting discover\n');
-	
-		if (!time_is_valid())
-			return;

-		if (system('/usr/bin/est_client enroll'))
+		if (!time_is_valid())
 			return;

 		discovery_method = DISCOVER_DHCP;
 		if (!is_discover_method_blacked() && discover_dhcp())
 			return;

+		if (system('/usr/bin/est_client enroll'))
+			return;
+
 		discovery_method = DISCOVER_FLASH;
 		if (!is_discover_method_blacked() && !discover_flash())
 			return;

+		discovery_method = DISCOVER_FQDN;
+		if (!is_discover_method_blacked() && discover_standard_fqdn())
+			return;
+
 		discovery_method = DISCOVER_LOOKUP;
 		redirector_lookup();

--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -11,7 +11,70 @@ let store_operational_ca = false;
 let est_server = 'est.certificates.open-lan.org';
 let cert_prefix = 'operational';

+function cert_prefix_determine() {
+	let cloud_config = fs.readfile('/tmp/cloud.json');
+	if (cloud_config) {
+		let cloud = json(cloud_config);
+		if (cloud?.dhcp_server) {
+			let fqdn = split(cloud.dhcp_server, ':')[0];
+			ulog(LOG_INFO, `Using controller-specific cert prefix from cloud.json: ${fqdn}\n`);
+			return fqdn;
+		}
+	}
+
+	let discovery_method = trim(fs.readfile('/tmp/discovery.method') || 'OpenLAN');
+	ulog(LOG_INFO, `Discovery method from file: ${discovery_method}\n`);
+
+	if (discovery_method == 'OpenLAN') {
+		ulog(LOG_INFO, 'Using operational cert prefix\n');
+		return 'operational';
+	}
+
+	ulog(LOG_INFO, 'Using operational cert prefix as fallback\n');
+	return 'operational';
+}
+
+function discover_est_server_via_caa() {
+	let cloud_config = fs.readfile('/tmp/cloud.json');
+	if (!cloud_config)
+		return null;
+
+	let cloud = json(cloud_config);
+	if (!cloud || !cloud.dhcp_server)
+		return null;
+
+	let controller_fqdn = cloud.dhcp_server;
+	let fqdn_parts = split(controller_fqdn, ':');
+	if (length(fqdn_parts) > 0)
+		controller_fqdn = fqdn_parts[0];
+
+	ulog(LOG_INFO, `Attempting CAA lookup for controller FQDN: ${controller_fqdn}\n`);
+
+	let pipe = fs.popen(`dig @localhost ${controller_fqdn} CAA +short | cut -d'"' -f2`);
+	let est_server = pipe.read('all');
+	pipe.close();
+
+	if (!est_server)
+		return null;
+
+	est_server = trim(est_server);
+	if (est_server) {
+		ulog(LOG_INFO, `Found EST server via CAA: ${est_server}\n`);
+		return est_server;
+	}
+
+	return null;
+}
+
 function set_est_server() {
+	let discovered_server = discover_est_server_via_caa();
+	if (discovered_server) {
+		est_server = discovered_server;
+		return;
+	}
+
+	ulog(LOG_INFO, 'No EST server found via CAA, using certificate issuer-based selection\n');
+
 	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
 	let issuer = pipe.read("all");
 	pipe.close();
@@ -94,11 +157,13 @@ function call_est_server(path, cert, target) {
 	if (generate_csr(cert))
 		return 1;

-	set_est_server();	
+	set_est_server();

-	let ret = system('curl -m 10 -X POST https://' + est_server + '/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
+	let curl_cmd = 'curl -m 10 -X POST https://' + est_server + '/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7';
+	ulog(LOG_INFO, `Executing: ${curl_cmd}\n`);
+	let ret = system(curl_cmd);
 	if (ret) {
-		ulog(LOG_INFO, 'Failed to request operational certificate\n');
+		ulog(LOG_INFO, `Failed to request operational certificate (exit code: ${ret})\n`);
 		return 1;
 	}
 	ulog(LOG_INFO, 'EST succeeded\n');
@@ -108,20 +173,26 @@ function call_est_server(path, cert, target) {


 function simpleenroll() {
+	cert_prefix = cert_prefix_determine();
+	ulog(LOG_INFO, `Checking for certificate: /etc/ucentral/${cert_prefix}.pem\n`);
+
 	if (fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
 		ulog(LOG_INFO, 'Operational certificate is present\n');
 		return 0;
 	}

+	ulog(LOG_INFO, 'Operational certificate not found, enrolling...\n');
 	if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/' + cert_prefix + '.pem'))
-		return 1; 
-	
+		return 1;
+
 	ulog(LOG_INFO, 'Operational cert acquired\n');
 	store_operational_pem = true;
 	return 0;
 }

 function simplereenroll() {
+	cert_prefix = cert_prefix_determine();
+
 	if (!fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
 		ulog(LOG_INFO, 'Operational certificate was not found\n');
 		return 0;
@@ -129,7 +200,7 @@ function simplereenroll() {

 	if (call_est_server('simplereenroll', '/etc/ucentral/' + cert_prefix + '.pem', '/tmp/' + cert_prefix + '.pem'))
 		return 1;
-	
+
 	ulog(LOG_INFO, 'Operational cert updated\n');
 	store_operational_cert('/tmp/' + cert_prefix + '.pem', cert_prefix + '.pem');
 	system('cp /tmp/' + cert_prefix + '.pem /etc/ucentral/');
@@ -139,18 +210,22 @@ function simplereenroll() {
 }

 function load_operational_ca() {
+	cert_prefix = cert_prefix_determine();
+
 	if (fs.stat('/etc/ucentral/' + cert_prefix + '.ca')) {
 		ulog(LOG_INFO, 'Operational CA is present\n');
 		return 0;
 	}

-	set_est_server();	
+	set_est_server();

-	let ret = system('curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7');
+	let curl_cmd = 'curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7';
+	ulog(LOG_INFO, `Executing: ${curl_cmd}\n`);
+	let ret = system(curl_cmd);
 	if (!ret)
 		ret = p7_too_pem('/tmp/' + cert_prefix + '.ca.nohdr.p7', '/etc/ucentral/' + cert_prefix + '.ca');
 	if (ret) {
-		ulog(LOG_INFO, 'Failed to load CA\n');
+		ulog(LOG_INFO, `Failed to load CA (exit code: ${ret})\n`);
 		return 1;
 	}
 	system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/' + cert_prefix + '.ca');
--- a/feeds/tip/tip-defaults/files/etc/ucentral/insta.pem
+++ b/feeds/tip/tip-defaults/files/etc/ucentral/insta.pem
@@ -7,3 +7,6 @@ MIIFIDCCAwigAwIBAgICDnkwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJv
 -----BEGIN CERTIFICATE-----
 MIIFFTCCAv2gAwIBAgICAxIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3BlbkxBTiBSb290IENBMCAXDTI1MDUxNDA4NDcxMFoYDzIwNTUwNTE0MDg0NzEwWjAaMRgwFgYDVQQDDA9PcGVuTEFOIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGibJ04A55kSURTBSKgcBmLnND2I5wws1taKqqU9aaRhB7NtvMHwh2voH9b1brUiulZaZwTN/9kzd4AnXeKQ+0u5tV7Ofk0fzF2MK47n17TS30Yenqc4NuQEKdpKK/pM3VvOEppR/bqtgyLtDmbDnmFOx+zTj/+smTgouwA+Iier0P4s5OohYxn/bjOqwQbHbU79VpGBIWv6/kt55AhH7zvsqqKHkrzTxnsRBv3SBIufrjJr9PIhZBLDrqr56P6KgAi0eoutNt2ToiJbE0WfjU7GI1RSiSN5bGj1zXhjNVzQWs1H9QzRf3c9pl3+haHQZ7FZ1UqiTRewmbNrQ6I9k81au3SttUlb87MyAuDSzatkiq7CjQ8VE1J6te6ZBt2zWpUhHsR/Lg7g3eOw5dL4oZJdK5GgGu/MUajLUXifIqM13Mvg0VTzDhN69VLXLSL0gPcicsQCwJuAza1IC/VqmBGx19fAkyJhOurCXWOgisi0g1+xzPKRphUNwMPUf8vBVOM/Vc6xDIvwVGE3+eWXyhixneFlSpAI03nWWjpwWXihTBoxbfRXO3Y/ilJqrgFN+U4PJcCPA+Wo7ThH0mgX6bOTPcgXMUzT3v3FF6Bx5/PNV3kYrw2yLzribUiS6AGvVGnW4hX2Z6OQvA/aHME8KF+6y6m4pC7FkUjVaRlzWu/wIDAQABo2MwYTAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQUlGhbqDj5OECwcmT+O5I+KdSGwiYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAB+/RUC2X6eVoPsFNMkaXO5Iib/ub0JoWhODQm8j2Mr5dpGXESSpXjfDcqDOLuJbWWoflXBLdr8BsVCBqOA9YgCX0H8Br7dUWmCScixxLW0he592/424EvdwifxcKHZLjv9CKV5Txhqnm2djc5RY/nTH5MYVrIh/If2TNO5ydDP6+vgy9GQ4en04VK7rz+PW17O8l7k9/lOmYptZmHgSDAPj/cT3PlG+McqaI5rMSHeEHlzH+PvgWjtSeEhF4FwFBXroDl4/yb4l2JB8bqAZ3vsOXSkigFcZh5MXPe+zuSSW+G8iLr4xoi0CFsP2DaHEyxgqP4B1FtE9nFPo6cvWbwqTVT7QSzqfH+jPJuQvpFXeRF5UFegNZTFT5/uFFPamihakFslEYxeJey1y+OJdLcP6ef87ruSt8amsq56OAETYpnW4JFowlEh0C+QwLGHGGY6WrOgHY/90hJmPgXBdBVg/IoOhzbvk5A+LqZDvxV2/rLNfClw8Kr3g5e8obcB6dWgMCy2z+us0H79ucnmhzQKsjpxM9T1ncHovAQfiD3jVqfHULY53avh0wIAjosoTGbe8dyx80quHe+16qWan7C9idXeAYYJXbZt5hs6hLw4I8M1LsjTg6vwsqiaHZpsmDyyQLdFjNJldG7aosfS9F+BIpuwijF+1dashL0CPsbIJ
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgICCQYwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3BlbkxBTiBSb290IENBMB4XDTI1MDUxNDA4NTY0MVoXDTQ1MDUxNDA5MjY0MVowJDEiMCAGA1UEAwwZT3BlbkxBTiBTZXJ2ZXIgSXNzdWluZyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALSdJpzwPfQM9oHBGt6w8UDLDJNznxI7cpfl0u0xVCHN1YY7onpwxFVkFRzUx/JrQ/tbEGZH19XtngaCZ91KbGbqVao9S32H0tyn2t3eTJ5h+klJ7+7YAbZr8UfOi3nG4bZzNSa5dDBPaNPvI51byKDN7siXXnALV3f0l6lZgDpLQco/E7ANU3lslUVjVNALfFUEonDyP7XV+lFAyidpjIn6dRn7oYs3SUwkzZUntYJAhAykmxXMWox+85gDkdb+2O3G8ci0uHVbb0A9LP+MeIhzxHgnnAMfWLfEZexdmEd2PwVHaz/D2Xp/gYrpPDTsbqWjQ9NmgdASwqN5j8BuJ8vHDVBVCztVDltm6JPw3Y6GQPN1LmiSLUzst7VYpydUJRDHYIAKJhT9DYxQ126VfiyMo6Xl4IQO8YZ/J6r8yR7gyvyUiBW+wvvC1bCY5+VuI4P/cY+6iA1qwC1SOWjYlccy+tbfGj9zr32Qf27e9RXSAkcATHen1rc/9AGEeAuSpKrzhmZIIvM4+EtYgbBvf91NkP51zbGpvsAbfWN/ecNmqH9SeyrrVgv68Z34hMijCcvJNyIvloo3nkb/gHYV4tAiwTTrX13Rio/8qNF4nwHLsjw0t7jEyRiXdOciePyhGbtdicuiUxrShzbGY7ID0yNwyTKcJYhorL/8r+YFpsXrAgMBAAGjggFLMIIBRzAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQUBwUkiaCh5hdY+ZH6O8NmEE/nH5EwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwRwYDVR0fBEAwPjA8oDqgOIY2aHR0cDovL2NybC5jZXJ0aWZpY2F0ZXMub3Blbi1sYW4ub3JnL29wZW5sYW5yb290Y2EuY3JsMIGXBggrBgEFBQcBAQSBijCBhzBEBggrBgEFBQcwAoY4aHR0cDovL2NlcnRzLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jZXIwPwYIKwYBBQUHMAGGM2h0dHA6Ly9vY3NwLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYTANBgkqhkiG9w0BAQsFAAOCAgEAqEk5ZJdpMVr2U0YhmqEU6gqxEeih9MWKcQfmsT/lhf5m5V7VuLMc3r+EBCsPssw60umdQcAU2IPlJXLAeWwdRyY7ZNNwQVgl9GBI/CM2b7x18+12/llCdXW9FOagdChTuuhwRnGTt71jcrJkleQyEYhqwwIEN82hxq4HSZO6XJDev4IsMRF00+qt8biJcf7OVGOSLoyiU6Dm/EzxoB+DZf3HdUc0vzfVjD4Im+yYzqXuwWV6c9oIBQH6obzaqlpg926CtEBFR8E1LQe93ahMvF7pExpIOkE5PTuqONvy7Xn3Ui8NRxHhmm8j/unql6bUTGENz9s68n8Im7weq6awC9Hfu8aGWjcnXI7tsDY5uJEguP5fSwCUrdTE85XgPgPHeKaIwBZsyRZTqVSvbky+c15Yv6ITXLWoA0AUxz9ste3WpqiWCNJVI90MCruSYKdpXGV0KU3QQXJDMKhHJBF5DLpuKiboFfh9O8pB7B4/tJ76JpAc6Z0rfaQUo2vxSpb3Sbd/IHNcL08zB8Ay+YUBULspxe+1StKthmCzCHI9DOhIgeASyNBpcL7uZPjCXiYGhUuzsFGv4sQ+d267Jyvql/Piw/vYg1k2aVBfdIoIU4TpIEVyQqPz4aAW+0SgL7OM+/zD9jxn3gVdusCpmHcoTzOfZRriH0FGIeDSQydpOJU=
+-----END CERTIFICATE-----
--- a/feeds/ucentral/ucentral-client/Makefile
+++ b/feeds/ucentral/ucentral-client/Makefile
@@ -4,10 +4,10 @@ PKG_NAME:=ucentral-client
 PKG_RELEASE:=1

 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-client.git
-PKG_MIRROR_HASH:=2935998d6074f0c290d9b96c2988c89aae6f405608f12a0063fa7215498bae9a
+PKG_MIRROR_HASH:=1cc7ab3d041221610d8da8b4e3a4c87749508e6fee81194b5cca28065dc86d75
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-08-11
-PKG_SOURCE_VERSION:=549e84e5fea7230c5471d6a3dbddcc7d3152f665
+PKG_SOURCE_DATE:=2025-11-25
+PKG_SOURCE_VERSION:=cb17a7819f558fb22e56bb20102ce98f24e5f3eb

 PKG_LICENSE:=BSD-3-Clause
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
--- a/feeds/ucentral/ucentral-client/files/etc/init.d/ucentral
+++ b/feeds/ucentral/ucentral-client/files/etc/init.d/ucentral
@@ -46,6 +46,9 @@ start_service() {
 	port=$(cat /etc/ucentral/gateway.json | jsonfilter -e '@["port"]')
 	[ -n "$server" -a -n "$port" ] || return 0

+	cert=$(cat /etc/ucentral/gateway.json | jsonfilter -e '@["cert"]')
+	ca=$(cat /etc/ucentral/gateway.json | jsonfilter -e '@["ca"]')
+
 	boot_cause=$(cat /tmp/pstore | jsonfilter -e '@["pstore"][-1]'.boot_cause)
 	[ -z $boot_cause ] && boot_cause=coldboot
 	procd_open_instance
@@ -55,8 +58,9 @@ start_service() {
 	procd_append_param command -P $port
 	[ "$debug" -eq 0 ] || procd_append_param command -d
 	[ "$insecure" -eq 0 ] || procd_append_param command -i
+	[ -n "$cert" -a -n "$ca" ] && procd_append_param command -c $cert -C $ca
 	[ -z "$(mount | grep 'tmpfs on / type tmpfs')" ] || procd_append_param command -r
-	procd_append_param command -c "$boot_cause"
+	procd_append_param command -b "$boot_cause"
 	procd_append_param command -f "$(cat /tmp/ucentral.version)"
 	procd_set_param respawn 3600 5 0
 	procd_close_instance
Author	SHA1	Message	Date
John Crispin	0c1b9c7bbf	ucentral-client: update to latest HEAD cb17a78 ucentral-client: Add command-line options for certificate paths Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 08:07:10 +01:00
John Crispin	93dfd47823	cloud_discovery: add bind-dig dependency Add bind-dig package dependency required for CAA record lookups in est_client, which uses the dig command to query DNS for EST server discovery. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 08:06:54 +01:00
John Crispin	928a005fa9	cloud_discovery: use .local TLD for standard FQDN discovery Change standard FQDN from 'openwifi.network' to 'openwifi.wlan.local' to prevent DNS hijacking attacks. The .local TLD is reserved for local network use (mDNS) and cannot be registered in public DNS, ensuring that discovery traffic cannot be redirected to attacker-controlled infrastructure. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	b62e459076	cloud_discovery: run EST enrollment within DHCP discovery flow Move EST client enrollment to occur immediately after successful DHCP discovery and before starting the ucentral client. This ensures controller-specific certificates are enrolled before attempting to connect. If EST enrollment fails during DHCP discovery, the client will not be started. Adjust interval_handler to call EST enrollment after DHCP discovery attempt rather than before, ensuring proper certificate handling for DHCP-discovered controllers. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	3535043c06	est_client: switch to dig for CAA lookups and improve logging Replace resolv module usage with dig command for CAA record lookups to simplify DNS query handling. Reorganise cert_prefix_determine() to prioritise controller-specific FQDN from cloud.json before checking discovery method. Add extensive debug logging throughout to aid troubleshooting of EST enrollment process, including curl commands and exit codes. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	4548b5f200	tip-defaults: add OpenLAN Server Issuing CA certificate The air-gapped EST server uses a certificate signed by the OpenLAN Server Issuing CA. This certificate is used to ensure mTLS authentication when the device connects to the EST server. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	8e9c9588e1	cloud_discovery: allow DNS rebind for controller FQDNs Add dnsmasq_rebind_allow() function to automatically whitelist controller FQDNs for private IP resolution in air-gapped deployments. When dnsmasq's boguspriv option is enabled (default), it blocks DNS responses containing private IP addresses (RFC 1918) as a security measure. This prevents DHCP Option 224 from resolving controller FQDNs to local private IPs in air-gapped networks. Solution: Inject rebind-domain-ok directives into /tmp/dnsmasq.d/ directory, which dnsmasq automatically includes via --conf-dir option. Behaviour: - DHCP discovery: Whitelist FQDN from dhcp_server field - Standard FQDN discovery: Whitelist openwifi.network - Centralized discovery: No changes (public IPs not affected) This maintains security by only allowing specific controller domains to resolve to private IPs whilst filtering all other RFC 1918 responses. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	f82097dd7e	est_client: support FQDN-based certificate naming Add cert_prefix_determine() function that reads discovery method from /tmp/discovery.method and determines appropriate certificate naming: - Centralized (OpenLAN redirector): operational.pem/operational.ca - Air-gapped (DHCP/FQDN/Flash): <controller-fqdn>.pem/<controller-fqdn>.ca The FQDN is extracted from the controller address in /tmp/cloud.json (DHCP Option 224). This enables APs to enrol and store separate operational certificates for multiple controllers, supporting portability between centralized and air-gapped deployments without certificate conflicts. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	9b3ec56101	cloud_discovery: add certificate paths to gateway.json Extend gateway.json to include cert and ca fields specifying which certificate files the client should use for the connection. Certificate naming strategy: - Centralized (redirector discovery): operational.pem/operational.ca - Air-gapped (DHCP/FQDN/Flash): <fqdn>.pem/<fqdn>.ca Write discovery method to /tmp/discovery.method so est_client can determine appropriate certificate naming when enrolling. This enables APs to maintain separate operational certificates for multiple controllers and automatically select the correct certificates based on which controller they're connecting to. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	b5a2818a3f	certificates: copy all certificates at boot Modify early_boot init script to copy all .pem and .ca files from /certificates/ to /etc/ucentral/ instead of only operational.pem and operational.ca. This enables support for multiple trust chains where certificates are stored with FQDN-based names (e.g., controller.example.com.pem) alongside the traditional operational.pem. The simple wildcard copy allows air-gapped deployments to maintain certificates for multiple controllers without complex logic. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	ffd5ffd897	cloud_discovery: add standard FQDN fallback discovery Add discovery method that attempts to resolve a standard FQDN when DHCP discovery fails. This enables zero-touch provisioning in environments where administrators configure DNS without modifying DHCP infrastructure. The standard FQDN is configurable via STANDARD_FQDN constant (defaults to "openwifi.network"). Administrators can configure their local DNS to resolve this FQDN to their controller, allowing APs to discover the controller automatically. Discovery priority order: 1. EST enrollment (blocking) 2. DHCP discovery (Option 224/138) 3. Flash-based configuration 4. Standard FQDN resolution (NEW) 5. Cloud redirector service (internet-connected only) The implementation uses the resolv module for DNS queries, performing A record lookups. If resolution fails, discovery continues to the next method. The standard FQDN method integrates with the existing discovery block list mechanism to prevent repeated failed attempts. Note: The boguspriv dnsmasq option may prevent FQDNs from resolving to private IPs. Administrators should either use CG NAT Safe IP addresses (100.64.0.0/10) or configure dnsmasq with rebind-domain-ok exceptions. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:31:08 +01:00
John Crispin	dbee5f6078	cloud_discovery: add CAA DNS-based EST server discovery Implement EST server discovery via CAA DNS records for air-gapped deployments. When DHCP Option 224 provides a controller FQDN, query CAA records to determine the appropriate EST server endpoint. The discovery flow: 1. Read controller FQDN from /tmp/cloud.json (set by DHCP handler) 2. Query CAA records for the controller domain 3. Use EST server from CAA 'issue' tag if present 4. Fall back to certificate issuer-based selection if CAA lookup fails This allows network administrators to configure local EST servers via DNS rather than relying on hardcoded public endpoints. Air-gapped deployments can now specify private EST servers through standard DNS infrastructure. Example DNS configuration: controller.local. IN CAA 0 issue "est.local:8001" When an AP receives controller.local via DHCP Option 224, it will query CAA records and use est.local:8001 for certificate enrollment instead of the public est.certificates.open-lan.org endpoint. Signed-off-by: John Crispin <john@phrozen.org>	2025-11-25 07:28:46 +01:00