Package: debian-edu-config
Version: 2.10.65
Severity: important

While working on fixing #931413, Mike Gabriel pointed out that (instead of using a bundled certificate) the Debian Edu RootCA certificate should be used to verify the LDAP SSL certificate. This RootCA file is atm unavailable for download inside the internal Debian Edu network and should be added.
=====================
Quoting the relevant information from the discussion on the Edu mailing
list (accidentally those mails were not Cc'd to #931413) just for the sake
of completeness:
On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
> On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> > The school I can test this on is currently powered down due to maintenance
> > work on the electric wiring in the building that hosts the server chamber.
> > It's on the list...
>
> do you have an ETA for this?
>
> currently the next point release is planned for August 31 or September
> 7...
We should really get this into 10.1; as the real world test date appears
to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu
networks with buster and stretch workstations against both buster and
pre buster main servers. Everything works as expected; see the logs from
various scenarios further below to get the picture.
(Compared to my previous version there are a few cosmetic changes, also
logging has been improved a bit.)
This is the diff against the current version in Git:
diff --git a/debian/debian-edu-config.fetch-ldap-cert
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..4a4f5585 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -27,10 +27,10 @@ BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
-
+ LDAPPORT=636 # ldaps
ERROR=false
- if [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+ if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+ grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
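Review bot: the new `[ ! -f $CERTFILE ]` guard means that an existing /etc/ssl/certs/debian-edu-server.crt suppresses every later fetch, so a re-issued or rotated server certificate is never picked up until an admin deletes that file by hand. That matches the "already attached" behaviour the old `case` block had, but it is now silent; add a comment on this line saying so and how to force a refresh, since the explanatory comment in the `case` block is removed further down in this diff.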
@@ -39,18 +39,30 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ;
then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new
ldap.intern < /dev/null
+ if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null
| grep RootCA ; then
+ if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT &&
\
+ grep -v -q 404 $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new
$LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle certificate from
www.intern."
+ else
+ rm $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch bundle certificate
from www.intern."
+ fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER
> $CERTFILE.new
chmod 644 $CERTFILE.new
+ logger -t fetch-ldap-cert "Fetched pre Buster LDAP server
certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ if [ -f $BUNDLECRT ] ; then
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ else
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from
$LDAPSERVER."
+ fi
else
- rm $CERTFILE.new
+ rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate
from $LDAPSERVER."
ERROR=true
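Review bot: `gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER` is given no port, so gnutls-cli uses its default of 443; `LDAPPORT=636` is introduced in this diff but only the `openssl s_client` probe uses it, and the test (3) log below confirms it ("Resolving 'tjener.intern:443'"). What gets verified and saved is therefore whatever the HTTPS service on the LDAP host presents, not the ldaps listener's certificate; on tjener those may be the same file today, but the check should target the service nslcd actually talks to, so pass `-p "$LDAPPORT"`. Two smaller points in the same hunk: `grep -v -q 404 $BUNDLECRT` succeeds whenever any line of the download lacks "404", which a multi-line HTML error page always satisfies, so it does not catch the case it is meant for (test (4) below shows exactly that: a 296-byte body is accepted and gnutls-cli then fails with "Error in the certificate"); a positive test such as `grep -q 'BEGIN CERTIFICATE'` is what is wanted. And since the script runs under `set -e`, a failing gnutls-cli aborts do_start before the `rm -f $CERTFILE.new` / "Failed to fetch" branch is reached, which is why test (4) ends with systemd's exit-code message and no failure line from the script itself.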
@@ -64,6 +76,14 @@ do_start() {
log_action_begin_msg "Copying LDAP SSL certificate to
ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ ERROR=true
+ fi
+ log_action_begin_msg "Copying TLS certificate bundle to
ltsp-chroot $ltsp_chroot "
+ if test -s $BUNDLECRT; then
+ cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
log_action_end_msg 1
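Review bot: the new "Copying TLS certificate bundle" block treats a missing $BUNDLECRT as a failure (`log_action_end_msg 1`, mirroring the else above that also sets ERROR=true), but on the pre-buster path taken earlier in do_start (ldap-server-getcert, no bundle fetched) the bundle legitimately does not exist, so every LTSP server attached to an older main server will log a failure here and the service exits non-zero. Guard this block with `[ -f $BUNDLECRT ]` or skip it when the pre-buster branch was taken.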
@@ -76,16 +96,9 @@ do_start() {
return 1
fi
}
-
case "$1" in
start)
- # do absolutely nothing, if this host is already "attached" to
- # a Debian Edu network
- if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
- :
- else
- do_start
- fi
+ do_start
;;
stop)
;;
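Review bot: dropping the `if [ -e /etc/ssl/certs/debian-edu-server.crt ]` guard here is consistent with the `[ ! -f $CERTFILE ]` test now inside do_start, but the comment explaining the intent ("do absolutely nothing, if this host is already attached to a Debian Edu network") goes with it; move that comment up next to the new test instead of deleting it, as it is the only place the behaviour is documented.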
In all test cases the existing certificates have been removed, then
'service fetch-ldap-cert' has been run twice. The logs are from the
first run. After the second one I checked whether the certificates had
been fetched again; they had stayed untouched. I can also confirm that
authentication actually worked afterwards.
(1) stretch workstation against buster main server
Jul 24 14:24:25 ws9mate systemd[1]: Starting LSB: Fetch LDAP SSL public key
from the server...
Jul 24 14:24:25 ws9mate fetch-ldap-cert[2103]: Fetching LDAP SSL
certificate....done.
Jul 24 14:24:25 ws9mate fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.
Jul 24 14:24:25 ws9mate systemd[1]: Started LSB: Fetch LDAP SSL public key from
the server.
(2) buster workstation against jessie main server
Jul 24 12:57:15 am-080027dbce36 systemd[1]: Starting LSB: Fetch LDAP SSL public
key from the server...
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched pre Buster LDAP server
certificate.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert[1998]: Fetching LDAP SSL
certificate....done.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched LDAP SSL certificate
from ldap.intern.
Jul 24 12:57:15 am-080027dbce36 systemd[1]: Started LSB: Fetch LDAP SSL public
key from the server.
(3) buster workstation against buster main server
Jul 24 13:20:15 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public
key from the server...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Fetching LDAP SSL
certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian
Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress =
[email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: i:C = NO, ST =
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN =
www.intern, emailAddress = [email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: subject=C = NO, ST =
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN =
www.intern, emailAddress = [email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: issuer=C = NO, ST =
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN =
www.intern, emailAddress = [email protected]
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: % Total % Received
% Xferd Average Speed Time Time Time Current
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:
Dload Upload Total Spent Left Speed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #015 0 0 0 0
0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 3460 100
3460 0 0 259k 0 --:--:-- --:--:-- --:--:-- 259k
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: |<1>| There was a non-CA
certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian
Edu,OU=Debian Edu RootCA,CN=www.intern,[email protected].
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Processed 2 CA
certificate(s).
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Resolving
'tjener.intern:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Connecting to
'10.0.2.2:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate type: X.509
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Got a certificate list
of 1 certificates.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate[0] info:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - subject
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian
Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian
Edu,L=Debian Edu Network,ST=Intern,C=NO', serial
0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using
RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32
UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key ID:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:
#011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:
#011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key PIN:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:
#011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Status: The
certificate is trusted.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Description:
(TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Options:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Handshake was completed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Simple Client Mode:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Peer has closed the
GnuTLS connection
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate
from www.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL
certificate from tjener.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying LDAP SSL
certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying TLS certificate
bundle to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public
key from the server.
(4) similar to (3) but with the bundle certificate made unavailable
(just to check if a failure is reported)
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public
key from the server...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Fetching LDAP SSL
certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian
Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress =
[email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: i:C = NO, ST =
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN =
www.intern, emailAddress = [email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: subject=C = NO, ST =
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN =
www.intern, emailAddress = [email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: issuer=C = NO, ST =
Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN =
www.intern, emailAddress = [email protected]
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: % Total % Received
% Xferd Average Speed Time Time Time Current
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:
Dload Upload Total Spent Left Speed
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #015 0 0 0 0
0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 296 100
296 0 0 26909 0 --:--:-- --:--:-- --:--:-- 26909
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** Fatal error: Error
in the certificate.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Processed 0 CA
certificate(s).
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Resolving
'tjener.intern:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Connecting to
'10.0.2.2:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate type: X.509
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Got a certificate list
of 1 certificates.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate[0] info:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - subject
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian
Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer
`[email protected],CN=www.intern,OU=Debian Edu RootCA,O=Debian
Edu,L=Debian Edu Network,ST=Intern,C=NO', serial
0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using
RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32
UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key ID:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:
#011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:
#011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key PIN:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:
#011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Status: The
certificate is NOT trusted. The certificate issuer is unknown.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** PKI verification of
server certificate failed...
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Control
process exited, code=exited, status=1/FAILURE
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Failed
with result 'exit-code'.
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Failed to start LSB: Fetch LDAP SSL
public key from the server.
If no one shouts I'll commit the script with a delay of two days...
Wolfgang
--------------------
Hi Wolfgang,
On Mi 24 Jul 2019 16:05:13 CEST, Wolfgang Schweer wrote:
> On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
> > On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> > > The school I can test this on is currently powered down due to maintenance
> > > work on the electric wiring in the building that hosts the server chamber.
> > > It's on the list...
> >
> > do you have an ETA for this?
I am waiting for the system to come online again fully. The admin teacher at
that school has been pinged/pong.
> > currently the next point release is planned for August 31 or September
> > 7...
> We should really get this into 10.1; as the real world test date appears
Yes!
> to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu
> networks with buster and stretch workstations against both buster and
> pre buster main servers. Everything works as expected; see logs from
> various scenarios further below to get the picture.
Nice!
> (Compared to my previous version there are a few cosmetic changes, also
> logging has been improved a bit.)
Ok.
> This is the diff against the current version in Git:
diff --git a/debian/debian-edu-config.fetch-ldap-cert
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..4a4f5585 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
[...]
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ;
then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern
< /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT"
2>/dev/null | grep RootCA ; then
+ if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT &&
\
+ grep -v -q 404 $BUNDLECRT ; then
WARNING: you dropped the "-f" parameter from curl. Without "-f" curl always
exits with exit code 0; we should rather have curl fail properly on
connection problems, DNS problems, etc. Further above, in the removed curl call,
I had added the "-f" option especially for better exit result handling.
Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off
Apache2 and you won't get the 404 and curl | grep ends in some untested realm).
+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER
< /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle certificate from
www.intern."
+ else
+ rm $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch bundle certificate from
www.intern."
+ fi
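Review bot: one more point on the branch selection in this fragment: `echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA` decides between the verified path and the pre-buster fallback by grepping the whole s_client output for the string "RootCA". If the ldaps connection fails for any reason (port filtered, service down, handshake error), s_client prints nothing, grep fails, and the script silently takes the pre-buster branch, which fetches the server certificate with ldap-server-getcert and no verification at all. A transient outage should not degrade a client to the unverified path; check s_client's own exit status (or the presence of any certificate in its output) separately from the RootCA match, and treat "no connection" as an error rather than as "old server".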
[...]
> Furthermore, you operate on the bundle certificate file still for
> buster<->buster setups.
Have you tested with distributing just the rootCA file to the clients?
Greets,
Mike
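The weak acceptance test Mike objects to above, and test (4) in Wolfgang's log (a 296-byte response accepted by `grep -v -q 404`, followed by gnutls-cli's "Error in the certificate"), as an added POSIX shell example that is not part of the debian-edu-config script. The error page and PEM files are constructed fixtures, the function names `weak_check`, `strict_check`, `is_ca_cert`, `make_fixtures` and `demo` are assumptions of this example, and `is_ca_cert` is an assumed extra that calls openssl only if it is installed:

```shell
#!/bin/sh
# Added example, not code from debian-edu-config: why "curl -k ... && grep -v -q 404"
# accepts a web server's error page, and what a positive check looks like.
# All inputs are constructed fixtures written to a temporary directory; nothing
# is fetched from the network.

# The acceptance test from the first patch: succeeds if *any* line lacks "404".
weak_check() {
    grep -v -q 404 "$1"
}

# Positive check: non-empty, starts with a PEM CERTIFICATE header, BEGIN/END
# markers balanced, body lines are base64 text only, and no markup anywhere.
strict_check() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f") || true
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f") || true
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || return 1
    # any non-marker line that is not pure base64 means this is not a PEM file
    if grep -v '^-----' "$f" | grep -q -v '^[A-Za-z0-9+/=]\{1,\}$' ; then
        return 1
    fi
    ! grep -q '<' "$f"
}

# gnutls-cli warned "There was a non-CA certificate in the trusted list" in the
# test (3) log; this assumed helper confirms a trust anchor really is a CA.
# Exit 0 = CA, 1 = not a CA or unparsable, 2 = openssl not available.
is_ca_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Constructed fixtures (not data taken from the bug report).
make_fixtures() {
    dir=$1
    # Apache-style 404 body, the kind of small HTML response test (4) received.
    cat > "$dir/error.crt" <<'EOF'
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
EOF
    : > "$dir/empty.crt"
    # Download cut off before the END marker.
    cat > "$dir/truncated.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDPlaceholderBodyNotARealCertificate0123456789+/abcdefghijklmnop
EOF
    # Well-formed PEM framing with a placeholder body; NOT a real certificate.
    cat > "$dir/plausible.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDPlaceholderBodyNotARealCertificate0123456789+/abcdefghijklmnop
Qrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq==
-----END CERTIFICATE-----
EOF
}

# Run both checks over the fixtures and print the verdicts side by side.
demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    for name in error empty truncated plausible; do
        w=rejected; weak_check "$d/$name.crt" && w=accepted
        s=rejected; strict_check "$d/$name.crt" && s=accepted
        printf '%-10s weak_check: %-8s strict_check: %s\n' "$name" "$w" "$s"
    done
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh check-pem.sh demo` to see the table: the 404 page passes `weak_check` because its first line contains no "404", while `strict_check` rejects it, the empty file and the truncated download, and accepts only the PEM-framed file. The positive check is what a fetch script should gate on before handing a file to `gnutls-cli --x509cafile`; `is_ca_cert` adds the further question gnutls-cli raised in the log, whether the anchor is a CA certificate at all.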
-------------------
Hi Mike,
thanks for the fast feedback.
On Wed, Jul 24, 2019 at 03:11:11PM +0000, Mike Gabriel wrote:
> I am waiting for the system to come online again fully. The admin teacher at
> that school has been pinged/pong.
Good.
> > + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT &&
> > \
>
> > + grep -v -q 404 $BUNDLECRT ; then
>
> WARNING: you dropped the "-f" parameter from curl. Without "-f" curl always
> exits with exit code 0, we should rather have curl fail properly on
> connection problems, DNS problems, etc. Further above, in the removed curl
> call, I had added the "-f" option especially for better exit result
> handling.
>
> Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off
> Apache2 and you won't get the 404 and curl | grep ends in some untested
> realm).
Good point; this should definitely be improved.
> Furthermore, you operate on the bundle certificate file still for
> buster<->buster setups.
>
> Have you tested with distributing just the rootCA file to the clients?
Yes, works as expected. But then, one more change needs to get into
10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it
won't be easy to handle this change upon upgrades. Please correct me if
I'm wrong.
Wolfgang
------------------
On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote:
> > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off
> > Apache2 and you won't get the 404 and curl | grep ends in some untested
> > realm).
>
> Good point; this should definitely be improved.
See my proposal in the revised fetch-ldap-cert script, also attached.
> > Furthermore, you operate on the bundle certificate file still for
> > buster<->buster setups.
> >
> > Have you tested with distributing just the rootCA file to the clients?
>
> Yes, works as expected. But then, one more change needs to get into
> 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it
> won't be easy to handle this change upon upgrades.
The complete diff for all required changes (also for upgrading), fetch
script included. Don't know if this is suitable for 10.1, though:
diff --git a/cf3/cf.finalize b/cf3/cf.finalize
index 5f3ee1b9..a4185128 100644
--- a/cf3/cf.finalize
+++ b/cf3/cf.finalize
@@ -66,6 +66,8 @@ files:
copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
"/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt"
copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
+ "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt"
+ copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
commands:
@@ -124,12 +126,21 @@ commands:
# Adjust certificate rights to make them accessible.
+ debian.server.installation::
+
+ "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt"
+ contain => in_shell;
+
debian.ltspclient.installation::
"/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt"
contain => in_shell;
+ "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt"
+ contain => in_shell;
"/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt"
contain => in_shell;
+ "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt"
+ contain => in_shell;
# Note that 'ltsp-update-image --config-nbd' is needed to generate the image
and
# to configure NBD; adjust rights to make the image available for the NBD
server.
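Review bot: the `debian.server.installation::` chmod on /etc/debian-edu/www/Debian-Edu_rootCA.crt duplicates the `chmod 644` that the create-debian-edu-certs hunk of this same diff adds, and the cf.workarounds hunk copies the same file into /etc/debian-edu/www a second time; pick one owner for publishing the file (the tool that generates the certificates is the natural one) so the three do not drift apart. World-readable is right for this file, it carries only the public CA certificate; just make sure no promise in these files ever does the same for the corresponding private key.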
diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds
index 716ed817..671459af 100644
--- a/cf3/cf.workarounds
+++ b/cf3/cf.workarounds
@@ -33,6 +33,12 @@ files:
link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"),
move_obstructions => "true";
+ # Provide Debian Edu RootCA pub key as download.
+
+ debian.server.installation::
+ "/etc/debian-edu/www/Debian-Edu_rootCA.crt"
+ copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
+
commands:
debian.xfce.(ltspclient|ltspserver).installation::
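Review bot: the comment reads "pub key" but the file being published is the CA certificate; say "RootCA certificate" to match the rest of the diff. This files promise also runs on every cf-agent pass for `debian.server.installation` and overlaps with the `cp` added to create-debian-edu-certs further down; if the intent is the upgrade case (a server installed before the rootCA was published), a comment saying so would help the next reader understand why both exist.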
diff --git a/debian/debian-edu-config.fetch-ldap-cert
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..1ee84443 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
-
+ LDAPPORT=636 # ldaps
ERROR=false
- if [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+ if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+ grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
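Review bot: with `[ ! -f $CERTFILE ]` as the only gate, nothing is refreshed once the server certificate exists, including the newly introduced $ROOTCACRT, so a CA rotation on the main server requires a manual `rm` of /etc/ssl/certs/debian-edu-server.crt on every client before this script will fetch again; document that on this line. Minor: $CERTFILE, $BUNDLECRT and $ROOTCACRT are used unquoted throughout the script, harmless with these fixed paths, but quoting them costs nothing.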
@@ -39,18 +40,43 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ;
then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new
ldap.intern < /dev/null
+ if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null
| grep RootCA ; then
+ if curl -sfk --head -o /dev/null https://www.intern ; then
+ if curl -k https://www.intern/Debian-Edu_rootCA.crt >
$ROOTCACRT && \
+ grep -q CERTIFICATE $ROOTCACRT ; then
+ gnutls-cli --x509cafile $ROOTCACRT
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched rootCA certificate
from www.intern."
+ else
+ rm -f $ROOTCACRT
+ if curl -k https://www.intern/debian-edu-bundle.crt >
$BUNDLECRT && \
+ grep -q CERTIFICATE $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle
certificate from www.intern."
+ else
+ rm -f $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch certificates
from www.intern."
+ fi
+ fi
+ else
+ log_action_end_msg 1
+ logger -t fetch-ldap-cert "Failed to connect to www.intern,
maybe the web server down."
+ ERROR=true
+ fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER
> $CERTFILE.new
chmod 644 $CERTFILE.new
+ logger -t fetch-ldap-cert "Fetched pre Buster LDAP server
certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ if [ -f $BUNDLECRT ] ; then
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ else
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from
$LDAPSERVER."
+ fi
else
- rm $CERTFILE.new
+ rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate
from $LDAPSERVER."
ERROR=true
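Review bot: the success message at the end of the hunk still keys on `[ -f $BUNDLECRT ]`, but in the new preferred path only $ROOTCACRT is written, so a fetch that was verified against the rootCA logs the weaker "Fetched LDAP SSL certificate from ..." line instead of "Fetched and verified ..."; test `[ -f $ROOTCACRT ] || [ -f $BUNDLECRT ]` there. Neither `gnutls-cli` call passes `-p "$LDAPPORT"`, so both still connect to the default port 443 rather than the ldaps listener. In the "Failed to connect to www.intern" branch, `log_action_end_msg 1` is called and execution then falls through to `test -s $CERTFILE.new`, which fails and calls `log_action_end_msg 1` a second time for the same action; a `return 1` after `ERROR=true` in that branch avoids the double message. Finally, `curl -k` on the rootCA download means the trust anchor is accepted on first contact without authenticating www.intern (the `--head` probe only checks reachability), which is the trust-on-first-use property of this design; state that in a comment so nobody later mistakes the gnutls-cli step for end-to-end verification.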
@@ -64,10 +90,24 @@ do_start() {
log_action_begin_msg "Copying LDAP SSL certificate to
ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ ERROR=true
+ fi
+ log_action_begin_msg "Copying Debian Edu rootCA certificate to
ltsp-chroot $ltsp_chroot "
+ if test -s $ROOTCACRT; then
+ cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
+ log_action_begin_msg "Copying TLS certificate bundle to
ltsp-chroot $ltsp_chroot "
+ if test -s $BUNDLECRT; then
+ cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
log_action_end_msg 1
ERROR=true
+ fi
fi
fi
done
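Review bot: in the else branch of `test -s $ROOTCACRT`, a second `log_action_begin_msg "Copying TLS certificate bundle ..."` is opened while the "Copying Debian Edu rootCA certificate" action has had no end message, so the console output shows the two messages run together and the first action is never reported as finished; either end the first action before starting the second, or collapse both into one "Copying CA certificate" action that copies whichever of $ROOTCACRT and $BUNDLECRT exists and reports failure only when neither does.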
@@ -76,16 +116,9 @@ do_start() {
return 1
fi
}
-
case "$1" in
start)
- # do absolutely nothing, if this host is already "attached" to
- # a Debian Edu network
- if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
- :
- else
- do_start
- fi
+ do_start
;;
stop)
;;
diff --git a/share/debian-edu-config/tools/create-debian-edu-certs
b/share/debian-edu-config/tools/create-debian-edu-certs
index 346f0bf4..93f345cf 100755
--- a/share/debian-edu-config/tools/create-debian-edu-certs
+++ b/share/debian-edu-config/tools/create-debian-edu-certs
@@ -72,7 +72,9 @@ generate() {
# available via web-server.
cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+ cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www
chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
+ chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt
logger -t create-debian-edu-certs "Certs with both .crt and .pem extension
made available in /etc/debian-edu/www."
}
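Review bot: the logger line just below the change still says "Certs with both .crt and .pem extension made available in /etc/debian-edu/www", but the rootCA is only copied as .crt; adjust the message (fetch-ldap-cert requests only the .crt, so a .pem copy is not needed). The `cp` also assumes /etc/ssl/certs/Debian-Edu_rootCA.crt exists on the server; worth confirming on an installation upgraded from pre-buster before this lands in 10.1.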
Wolfgang