autocollect.sh connects insecurely to API domain with insecure cert
This line (https://gitlab.labs.nic.cz/turris/nuci/blob/master/src/helpers/autocollect.sh#L36):

```sh
CHALLENGE_URL=https://api.turris.cz/challenge.cgi
...
CODE=$(curl -k -m $TIMEOUT "$CHALLENGE_URL" | atsha204cmd challenge-response | head -c 16)
```
is connecting insecurely to the API host: `-k` disables certificate verification, so the requests from the router could be intercepted or spoofed by anyone on the path, and whatever they return is fed straight into the rest of this code.
Secondly, the host api.turris.cz has a self-signed certificate, so that should be replaced regardless. Certbot/Let's Encrypt (https://letsencrypt.org/) offer free certificates that are easily deployed and renewed.
As for this script, the easiest option here is to remove the `-k` argument from the curl command, once the server has a valid cert.
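As an added illustration (not code from the nuci project), the snippet below shows the hardened form of the fetch, verification left on and HTTP errors failing closed instead of being piped into `atsha204cmd`, together with a small lint helper that flags any `curl` line in a script that still carries `-k`/`--insecure` (including bundled short flags such as `-sk`). The `--cacert` option and the `fetch_challenge`/`scan_script` names are assumptions of this example; the optional CA bundle path is only relevant if the router is shipped with its own trust anchor.

```shell
#!/bin/sh
# Added example, not part of autocollect.sh: verified-TLS fetch plus a lint
# for leftover curl -k invocations.

CHALLENGE_URL="https://api.turris.cz/challenge.cgi"
TIMEOUT="${TIMEOUT:-10}"

# fetch_challenge prints the challenge body and fails closed: no -k, so the
# server certificate is verified; --fail makes a 4xx/5xx return non-zero
# instead of handing an error page to the next command in the pipeline.
# Optional $1: path to a CA bundle to trust instead of the system store
# (assumed; useful only if the device ships its own trust anchor).
fetch_challenge() {
    cacert="$1"
    if [ -n "$cacert" ]; then
        curl --fail --silent --show-error --max-time "$TIMEOUT" \
             --cacert "$cacert" "$CHALLENGE_URL"
    else
        curl --fail --silent --show-error --max-time "$TIMEOUT" "$CHALLENGE_URL"
    fi
}

# collect_code mirrors the original pipeline but aborts if the fetch failed
# rather than running atsha204cmd on empty or attacker-controlled input.
# Not invoked at top level: it needs network access and the atsha204cmd tool.
collect_code() {
    challenge=$(fetch_challenge "$1") || {
        echo "challenge fetch failed; not deriving a code" >&2
        return 1
    }
    printf '%s' "$challenge" | atsha204cmd challenge-response | head -c 16
}

# curl_line_is_insecure: exit 0 if the line runs curl with -k, --insecure,
# or a bundled short-flag group containing k (e.g. -sk); exit 1 otherwise.
curl_line_is_insecure() {
    printf '%s\n' "$1" | grep -Eq '(^|[^A-Za-z0-9_])curl[[:space:]]' || return 1
    printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]])(-k|--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)'
}

# scan_script: print every offending line of the file in $1 with its line
# number; exit 1 if any were found, 0 if the script is clean.
scan_script() {
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if curl_line_is_insecure "$line"; then
            printf '%s:%d: insecure curl: %s\n' "$1" "$n" "$line"
            found=1
        fi
    done < "$1"
    return "$found"
}
```

Running `scan_script src/helpers/autocollect.sh` from the repository root reports the line quoted above; once `-k` is dropped and the server presents a certificate that chains to a trusted CA, `collect_code` produces the same 16-byte code as before but refuses to proceed when verification or the HTTP request fails.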