From 48f66a0d7a71ed034ee57473295960ae11984b2f Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sun, 31 May 2020 21:52:42 -0700
Subject: [PATCH] pagekite: Fix expired certificates causing connection failures This is to make Pagekite use certficates shipped by Debian. Otherwise by default, it uses internally shipped certificates that may be outdated. See: https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/ Tests performed: - Without the patch, configure pagekite with a proper account. Notice that pagekite fails to connect to the server due to SSL failures. - Stop FreedomBox, apply the patch, run ./setup.py and run FreedomBox. File /etc/pagekite.d/90_freedombox_certs.rc is present. Pagekite is restarted by restarts. It start connecting to the server successfully. Signed-off-by: Sunil Mohan Adapa [jvalleroy: Fix typo in comment] Signed-off-by: James Valleroy Reviewed-by: James Valleroy
---
 plinth/modules/pagekite/__init__.py | 9 +++++++--
 .../data/etc/pagekite.d/90_freedombox_certs.rc | 11 +++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 plinth/modules/pagekite/data/etc/pagekite.d/90_freedombox_certs.rc
diff --git a/plinth/modules/pagekite/__init__.py b/plinth/modules/pagekite/__init__.py
index 0a33cd5b0..429b0469d 100644
--- a/plinth/modules/pagekite/__init__.py
+++ b/plinth/modules/pagekite/__init__.py
@@ -5,6 +5,7 @@ FreedomBox app to configure PageKite.
 from django.utils.translation import ugettext_lazy as _
+from plinth import actions
 from plinth import app as app_module
 from plinth import cfg, menu
 from plinth.daemon import Daemon
@@ -14,7 +15,7 @@ from plinth.utils import format_lazy
 from . import utils
 from .manifest import backup # noqa, pylint: disable=unused-import
-version = 1
+version = 2
 depends = ['names']
@@ -106,4 +107,8 @@ def init():
 def setup(helper, old_version=None):
 """Install and configure the module."""
 helper.install(managed_packages)
- helper.call('post', app.enable)
+ if not old_version:
+ helper.call('post', app.enable)
+
+ if old_version == 1:
+ actions.superuser_run('service', ['try-restart', managed_services[0]])
diff --git a/plinth/modules/pagekite/data/etc/pagekite.d/90_freedombox_certs.rc b/plinth/modules/pagekite/data/etc/pagekite.d/90_freedombox_certs.rc
new file mode 100644
index 000000000..00d7bb4ee
--- /dev/null
+++ b/plinth/modules/pagekite/data/etc/pagekite.d/90_freedombox_certs.rc
@@ -0,0 +1,11 @@
+#
+# This file is shipped by FreedomBox. DO NOT EDIT.
+#
+# This is to make Pagekite use certficates shipped by Debian. Otherwise by
+# default, it uses internally shipped certificates that may be outdated. See:
+# https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/
+#
+# If you wish to override this setting, create another file starting with a
+# number higher than 90.
+#
+ca_certs = /etc/ssl/certs/ca-certificates.crt
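Review bot: The restart under `if old_version == 1:` in setup() of plinth/modules/pagekite/__init__.py carries no comment saying why an upgrade from version 1 needs it, and nothing in the hunk ties it to the new 90_freedombox_certs.rc file. A line such as `# Restart so a running daemon re-reads /etc/pagekite.d and picks up the new ca_certs setting` above the `actions.superuser_run(...)` call would keep a later maintainer from removing it as leftover upgrade code. The call also selects the unit with `managed_services[0]`, which is defined outside the hunk; presumably that is the pagekite service, so confirm the list order is stable.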
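Review bot: `ca_certs = /etc/ssl/certs/ca-certificates.crt` in 90_freedombox_certs.rc assumes the Debian ca-certificates bundle is installed, and nothing visible in this patch adds that package to the module's dependencies. If the file were missing, certificate validation would presumably fail again in much the same way as with the outdated built-in certificates, so confirm that `managed_packages` (defined outside the diff) or the pagekite package itself pulls it in. The header comment could also record the trust trade-off, for example `# Note: this trusts every CA in the system bundle, not only the certificates PageKite ships.`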