From c36a02371977a34e8a92dbef1738b91c0626e302 Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Thu, 25 Apr 2019 22:08:55 +0200
Subject: [PATCH 1/5] nuci: Cancel certificate pinning
---
 cznic/nuci/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cznic/nuci/Makefile b/cznic/nuci/Makefile
index b1ddb51e2..6b85d40c2 100644
--- a/cznic/nuci/Makefile
+++ b/cznic/nuci/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=nuci
-PKG_VERSION:=161
+PKG_VERSION:=162
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.labs.nic.cz/turris/nuci.git
--
GitLab
From 251449ee0ef5649aac993965d17c6587caed9002 Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Thu, 25 Apr 2019 21:53:48 +0200
Subject: [PATCH 2/5] server-uplink: Cancel certificate pinning
---
 cznic/server-uplink/files/contract_valid.sh | 9 +++++++--
 cznic/server-uplink/files/registered.sh | 2 --
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/cznic/server-uplink/files/contract_valid.sh b/cznic/server-uplink/files/contract_valid.sh
index 8701127a6..74da04af4 100644
--- a/cznic/server-uplink/files/contract_valid.sh
+++ b/cznic/server-uplink/files/contract_valid.sh
@@ -21,13 +21,18 @@ set -e
 TIMEOUT=120
-CA_FILE=/etc/ssl/www_turris_cz_ca.pem
 OUTPUT_FILE=/usr/share/server-uplink/contract_valid
 CONTRACT_URL='https://project.turris.cz/api/contract-valid.txt'
 CODE=$(cat /usr/share/server-uplink/registration_code)
-RESULT=$(curl -s -S -L -G --data-urlencode "registration_code=$CODE" -H "Accept: plain/text" --cacert "$CA_FILE" --cert-status -m "$TIMEOUT" "$CONTRACT_URL" | sed -ne 's/^result: *\(..*\)/\1/p')
+RESULT=$(
+ curl -s -S -L -G -H "Accept: plain/text" \
+ --data-urlencode "registration_code=$CODE" \
+ --cert-status -m "$TIMEOUT" \
+ "$CONTRACT_URL" \
+ | sed -ne 's/^result: *\(..*\)/\1/p'
+)
 if [ -z "$RESULT" ] ; then
 # failed to download
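Review bot: The rewritten curl on the new side keeps `-L` with no restriction on redirect protocols, so if project.turris.cz ever answered with a redirect to an `http://` location curl would follow it and send `registration_code=$CODE` in the clear; with the dedicated CA pin gone, a redirect target can now also be any host holding a publicly trusted certificate. Add `--proto-redir =https \` next to `--cert-status -m "$TIMEOUT" \` so only HTTPS redirects are followed. Dropping `--cacert` anchors verification in the router's system CA bundle instead of the shipped Let's Encrypt bundle, yet this commit's diffstat touches only the two scripts, so unless the package already depends on `ca-bundle`/`ca-certificates` that dependency should be added, and a comment where CA_FILE used to be, `# no --cacert: TLS trust comes from the system CA bundle, which this package must depend on`, would record the decision. Minor: `Accept: plain/text` is not a registered media type and `text/plain` is presumably meant, though the server may simply ignore the header. The `if [ -z "$RESULT" ]` branch that handles a failed download continues outside the hunk.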
diff --git a/cznic/server-uplink/files/registered.sh b/cznic/server-uplink/files/registered.sh
index 05b067cf7..17b5be191 100644
--- a/cznic/server-uplink/files/registered.sh
+++ b/cznic/server-uplink/files/registered.sh
@@ -34,12 +34,10 @@ LANG="$2"
 LANG=${LANG:-en}
 TIMEOUT=120
-CA_FILE=/etc/ssl/www_turris_cz_ca.pem
 CODE=$(cat /usr/share/server-uplink/registration_code)
 URL="https://project.turris.cz/api/registration-lookup.txt"
 curl -G -s -S -L -H "Accept: plain/text" -H "Accept-Language: $LANG" \
 --data-urlencode "registration_code=${CODE}" --data-urlencode "email=${EMAIL}" \
- --cacert "$CA_FILE" \
 --cert-status -m "$TIMEOUT" "$URL" -w "\ncode: %{http_code}"
--
GitLab
From f065bc47fdb767a7fe5a6a4cb88d1f5ad24b5c0e Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Thu, 25 Apr 2019 21:55:05 +0200
Subject: [PATCH 3/5] haas-proxy: Cancel certificate pinning
---
 cznic/haas-proxy/files/register.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/cznic/haas-proxy/files/register.sh b/cznic/haas-proxy/files/register.sh
index da014993e..5ed7c960b 100644
--- a/cznic/haas-proxy/files/register.sh
+++ b/cznic/haas-proxy/files/register.sh
@@ -21,14 +21,12 @@ set -e
 TIMEOUT=120
-CA_FILE=/etc/ssl/www_turris_cz_ca.pem # let's encrypt inside
 URL='https://haas.nic.cz/api/turris/register'
 if [ -z "$(uci -q get haas.settings.token 2>/dev/null)" ]; then
 CODE=$(cat /usr/share/server-uplink/registration_code)
 TOKEN=$(curl -sS -H "Content-Type: application/json" \
 -X POST -d "{\"registration_code\": \"${CODE}\"}" \
- --cacert "$CA_FILE" \
 -m "${TIMEOUT}" \
 "${URL}" | sed -n -e 's/^.*"token":[[:blank:]]*"\([^"]*\)".*/\1/p')
--
GitLab
From aac423a4a6371cde2a8f9b2613a44ca5c31bbe2f Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Thu, 25 Apr 2019 22:07:17 +0200
Subject: [PATCH 4/5] cznic-cacert-bundle: Remove custom LE intermedietes bundle
---
 cznic/cznic-cacert-bundle/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/cznic/cznic-cacert-bundle/Makefile b/cznic/cznic-cacert-bundle/Makefile
index c743e158f..c016c309b 100644
--- a/cznic/cznic-cacert-bundle/Makefile
+++ b/cznic/cznic-cacert-bundle/Makefile
@@ -28,10 +28,10 @@ define Package/$(PKG_NAME)/postinst
 [ -n "$$IPKG_INSTROOT" ] || {
 # TODO: If ever anything gets removed from this list, use -r, not delete it manually.
 /usr/sbin/cert-backup \
- /etc/ssl/www_turris_cz_ca.pem \
 /etc/ssl/turris.pem \
 /usr/bin/get-api-crl \
 /etc/ssl/ucollect-server.pem \
+ -r /etc/ssl/www_turris_cz_ca.pem \
 -r /etc/ssl/startcom.pem \
 -r /etc/ssl/api.turris.pem
 get-api-crl
@@ -53,7 +53,6 @@ define Package/$(PKG_NAME)/install
 $(INSTALL_DIR) $(1)/etc/ssl/
 # TODO: If anything is modified here, it needs to be updated in the postinst too
 $(INSTALL_DATA) $(PKG_BUILD_DIR)/cacerts/emergency-ca/ca.crt $(1)/etc/ssl/turris.pem
- $(INSTALL_DATA) $(PKG_BUILD_DIR)/cacerts/letsencrypt.pem $(1)/etc/ssl/www_turris_cz_ca.pem
 $(INSTALL_DATA) $(PKG_BUILD_DIR)/cacerts/ucollect-server.pem $(1)/etc/ssl/
 ln -s /tmp/crl.pem $(1)/etc/ssl/crl.pem
--
GitLab
From 3a0462a2dadf2e64cc4cf5e517402e4199739eaa Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Mon, 29 Apr 2019 15:03:35 +0200
Subject: [PATCH 5/5] turris-diagnostics: Bump package version
- Cancel certificate pinning
- Test repo instead of api
---
 cznic/turris-diagnostics/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cznic/turris-diagnostics/Makefile b/cznic/turris-diagnostics/Makefile
index 5b2210b47..4f18011e6 100644
--- a/cznic/turris-diagnostics/Makefile
+++ b/cznic/turris-diagnostics/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=turris-diagnostics
-PKG_VERSION:=9.2
+PKG_VERSION:=9.3
 PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gitlab.labs.nic.cz/turris/diagnostics.git
--
GitLab
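Review bot: The new `-r /etc/ssl/www_turris_cz_ca.pem` entry presumably (per the TODO above it) makes cert-backup delete the Let's Encrypt bundle from every router on upgrade, which is only safe once nothing on the image still passes that path to `--cacert`; the server-uplink and haas-proxy scripts are converted in sibling commits of this series, but any other consumer would fail closed with a curl CA-file error rather than fall back to the system store, so the removal should land no earlier than those package updates. Since this package stops shipping the trust anchor those scripts used, the consuming packages (or this one) now need a dependency on the system CA bundle, and no DEPENDS change is visible anywhere in the series, which is worth confirming before merge. A short comment on the new line, `# dropped: callers now verify against the system CA bundle`, would keep the reason next to the other `-r` entries, whose history is otherwise invisible. The enclosing `define Package/$(PKG_NAME)/postinst` starts outside the hunk.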