Read certificates from localdata and preserve them during upgrades (#187)

killenheladagen · web-flow · commit edbe3a3e1570 · 2024-04-11T13:20:51.000+02:00
diff --git a/README.md b/README.md
@@ -117,26 +117,26 @@ achieve this, for example by using `scp` to copy the files from a remote machine
 This can be done by running the following command on the remote machine:
 
 ```sh
-scp ca.pem server-cert.pem server-key.pem root@<device ip>:/usr/local/packages/dockerdwrapper/
+scp ca.pem server-cert.pem server-key.pem root@<device ip>:/usr/local/packages/dockerdwrapper/localdata/
 ```
 
 #### The Certificate Authority (CA) certificate
 
 This certificate needs to be present in the dockerdwrapper package folder on the
 Axis device and be named `ca.pem`. The full path of the file should be
-`/usr/local/packages/dockerdwrapper/ca.pem`.
+`/usr/local/packages/dockerdwrapper/localdata/ca.pem`.
 
 #### The server certificate
 
 This certificate needs to be present in the dockerdwrapper package folder on the
 Axis device and be named `server-cert.pem`. The full path of the file should be
-`/usr/local/packages/dockerdwrapper/server-cert.pem`.
+`/usr/local/packages/dockerdwrapper/localdata/server-cert.pem`.
 
 #### The private server key
 
 This key needs to be present in the dockerdwrapper package folder on the Axis device
 and be named `server-key.pem`. The full path of the file should be
-`/usr/local/packages/dockerdwrapper/server-key.pem`.
+`/usr/local/packages/dockerdwrapper/localdata/server-key.pem`.
 
 #### Client key and certificate
 
diff --git a/app/dockerdwrapper.c b/app/dockerdwrapper.c
@@ -95,7 +95,7 @@ static const char* ax_parameters[] = {PARAM_APPLICATION_LOG_LEVEL,
                                       PARAM_TCP_SOCKET,
                                       PARAM_USE_TLS};
 
-static const char* tls_cert_path = APP_DIRECTORY;
+#define TLS_CERT_PATH APP_LOCALDATA
 
 static const char* tls_certs[] = {"ca.pem", "server-cert.pem", "server-key.pem"};
 
@@ -410,9 +410,9 @@ static gboolean get_and_verify_tls_selection(AXParameter* param_handle, bool* us
     const bool use_tls = is_parameter_yes(param_handle, PARAM_USE_TLS);
     {
         if (use_tls) {
-            char* ca_path = g_strdup_printf("%s/%s", tls_cert_path, tls_certs[0]);
-            char* cert_path = g_strdup_printf("%s/%s", tls_cert_path, tls_certs[1]);
-            char* key_path = g_strdup_printf("%s/%s", tls_cert_path, tls_certs[2]);
+            char* ca_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_certs[0]);
+            char* cert_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_certs[1]);
+            char* key_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_certs[2]);
 
             bool ca_exists = access(ca_path, F_OK) == 0;
             bool cert_exists = access(cert_path, F_OK) == 0;
@@ -530,19 +530,15 @@ static bool start_dockerd(const struct settings* settings, struct app_state* app
         args_offset +=
             g_snprintf(args + args_offset, args_len - args_offset, " -H tcp://0.0.0.0:%d", port);
         if (use_tls) {
-            const char* ca_path = APP_DIRECTORY "/ca.pem";
-            const char* cert_path = APP_DIRECTORY "/server-cert.pem";
-            const char* key_path = APP_DIRECTORY "/server-key.pem";
             args_offset += g_snprintf(args + args_offset,
                                       args_len - args_offset,
-                                      " %s %s %s %s %s %s %s",
-                                      "--tlsverify",
-                                      "--tlscacert",
-                                      ca_path,
-                                      "--tlscert",
-                                      cert_path,
-                                      "--tlskey",
-                                      key_path);
+                                      " --tlsverify"
+                                      " --tlscacert %s/ca.pem"
+                                      " --tlscert %s/server-cert.pem"
+                                      " --tlskey %s/server-key.pem",
+                                      TLS_CERT_PATH,
+                                      TLS_CERT_PATH,
+                                      TLS_CERT_PATH);
             g_strlcat(msg, " in TLS mode", msg_len);
         } else {
             args_offset += g_snprintf(args + args_offset, args_len - args_offset, " --tls=false");
