est_client: support FQDN-based certificate naming

Add cert_prefix_determine() function that reads discovery method from
/tmp/discovery.method and determines appropriate certificate naming:

- Centralized (OpenLAN redirector): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <controller-fqdn>.pem/<controller-fqdn>.ca

The FQDN is extracted from the controller address in /tmp/cloud.json
(DHCP Option 224).

This enables APs to enrol and store separate operational certificates
for multiple controllers, supporting portability between centralized
and air-gapped deployments without certificate conflicts.

Signed-off-by: John Crispin <john@phrozen.org>
John Crispin 2025-11-25 07:31:08 +01:00
parent 2009b5eb90
commit 0589fb7f5f


@ -12,6 +12,25 @@ let store_operational_ca = false;
let est_server = 'est.certificates.open-lan.org';
let cert_prefix = 'operational';
function cert_prefix_determine() {
let discovery_method = trim(fs.readfile('/tmp/discovery.method') || 'OpenLAN');
if (discovery_method == 'OpenLAN') {
return 'operational';
}
let cloud_config = fs.readfile('/tmp/cloud.json');
if (!cloud_config)
return 'operational';
let cloud = json(cloud_config);
if (!cloud || !cloud.dhcp_server)
return 'operational';
let fqdn = split(cloud.dhcp_server, ':')[0];
return fqdn;
}
function discover_est_server_via_caa() {
let cloud_config = fs.readfile('/tmp/cloud.json');
if (!cloud_config)
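Review bot: cert_prefix_determine returns the first ':'-delimited field of cloud.dhcp_server without any validation, and the callers in the later hunks splice that value straight into filesystem paths (`'/etc/ucentral/' + cert_prefix + '.pem'`) and into shell command strings (`system('cp /tmp/' + cert_prefix + '.pem /etc/ucentral/')` and the curl invocation); since the description says this value arrives via DHCP Option 224, a rogue or spoofed DHCP server chooses it, which allows path traversal and shell-metacharacter injection on the AP. Restrict the returned value to hostname characters before using it as a file stem, e.g. `if (!match(fqdn, /^[A-Za-z0-9.-]+$/)) return 'operational';` (or hash/hex-encode the address so any input maps to a safe filename), and prefer quoting or avoiding system() for the copy. The fallback also collapses to `'operational'` on every parse failure, so an air-gapped AP with a missing or malformed cloud.json silently enrols under the centralized certificate name; at least a ulog() of that case would make the mix-up diagnosable. The description says the FQDN is taken from the controller address, while the code reads `cloud.dhcp_server` — presumably the same field, but worth confirming. cert_prefix_determine is entirely within this hunk.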
@ -151,20 +170,24 @@ function call_est_server(path, cert, target) {
function simpleenroll() {
cert_prefix = cert_prefix_determine();
if (fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
ulog(LOG_INFO, 'Operational certificate is present\n');
return 0;
}
if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/' + cert_prefix + '.pem'))
return 1;
return 1;
ulog(LOG_INFO, 'Operational cert acquired\n');
store_operational_pem = true;
return 0;
}
function simplereenroll() {
cert_prefix = cert_prefix_determine();
if (!fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
ulog(LOG_INFO, 'Operational certificate was not found\n');
return 0;
@ -172,7 +195,7 @@ function simplereenroll() {
if (call_est_server('simplereenroll', '/etc/ucentral/' + cert_prefix + '.pem', '/tmp/' + cert_prefix + '.pem'))
return 1;
ulog(LOG_INFO, 'Operational cert updated\n');
store_operational_cert('/tmp/' + cert_prefix + '.pem', cert_prefix + '.pem');
system('cp /tmp/' + cert_prefix + '.pem /etc/ucentral/');
@ -182,12 +205,14 @@ function simplereenroll() {
}
function load_operational_ca() {
cert_prefix = cert_prefix_determine();
if (fs.stat('/etc/ucentral/' + cert_prefix + '.ca')) {
ulog(LOG_INFO, 'Operational CA is present\n');
return 0;
}
set_est_server();
set_est_server();
let ret = system('curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7');
if (!ret)