Hi Petter,

On Sunday 27 December 2009 19:46:57 Petter Reinholdtsen wrote:
> While trying to figure out
> <URL:http://bugs.skolelinux.org/show_bug.cgi?id=1409>, it occurred to
> me that the approach taken in the snakeoil-on-ice script would only
> work when running on the main-server, and would only work if the users
> log in on the main-server (or a thin client / diskless workstation
> booting off the main-server). On other machines, the symlink
> /etc/skel/.mozilla/firefox/debian-edu.default/cert_override.txt would
> point to a non-existing file.
>
> Did I misunderstand something? If I am right, we need something like
> /etc/init.d/fetch-ldap-cert to make sure all clients have the web
> server certificate available when a user logs in for the first time on
> that client.
The script snakeoil-on-ice should work outside the main server. It only has to run once the certificate is created/replaced to produce the fingerprint and save it where Iceweasel will copy it to all new profiles created. It doesn't update or otherwise access users' directories.

It should check whether it's being run on the main server; if so it accesses the certificate directly in /etc/ssl/certs/ssl-cert-snakeoil.pem, else it fetches the certificate over the network using SSL and holds it in a temporary file; failing this too, it returns an error and prints a message. Here's the piece of code:

> # On main server read local certificate
> # otherwise fetch the certificate over ssl.
>
> if [[ $PROFILE =~ Main-Server ]]; then
>     CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem;
> elif (ping -c 1 www > /dev/null); then
>     # Hold the fetched certificate in a temporary file
>     CERT=$(tempfile -p fetch -s cert)
>     # Keep only the PEM block from the s_client output
>     echo | openssl s_client -connect www:443 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$CERT";
> else
>     echo 'can not find certificate'
>     exit 1;
> fi

During install the message should be saved in the log. When invoked from cfengine it is run late to allow the certificate to be created before. Also, it creates the stuff in /etc/skel on the main server only, while /etc/iceweasel/profile/cert_override.txt is created on all profiles.

I believe the problem reported in bug #1409 is rather the exception, not the rule; that installation had multiple issues. However, since there was a similar problem reported in bug #1359, again with multiple issues (#1358, #1361, #1362), I suspect this has to do with having no network during installation or some network misconfiguration in the other case.

I think we must either investigate further the case of installing without a network connection or document that the main server (or any server) should be installed while connected; I would expect they'll be operated on a network after all.

Odd.


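The client-side path of the script above (parse the `openssl s_client` output, keep the PEM block, derive a fingerprint for cert_override.txt) is the part that runs on machines other than the main server, and it is where a defender wants an explicit check rather than trusting whatever answers on www:443 during a network hiccup. The example below is an added illustration and is not code from snakeoil-on-ice or Debian Edu: it extracts the PEM block the same way the sed range does, computes the SHA-256 fingerprint, and compares it against a pinned value that is assumed to be distributed out of band (for instance by something like the fetch-ldap-cert idea in the quoted mail). The s_client transcript and the certificate body (base64 of "abc") are constructed so the result can be checked by hand; a real certificate would be used in practice.

```python
import hashlib
import hmac
import re
import ssl
from typing import Optional

# Same range the script's sed expression selects: first PEM certificate block.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for `echo | openssl s_client -connect www:443` output.
# The certificate body is base64("abc"), not a real DER certificate, so the
# fingerprint below is simply SHA-256("abc").
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = www
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=www
   i:/CN=www
---
Server certificate
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
subject=/CN=www
issuer=/CN=www
---
"""

# Hypothetical pinned value that a client would receive out of band
# (e.g. from LDAP) instead of trusting the first certificate it sees.
PINNED_FINGERPRINT = (
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
)


def extract_pem(s_client_output: str) -> Optional[str]:
    """Return the first PEM certificate block from s_client output, or None.

    Mirrors `sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'`.
    """
    match = PEM_BLOCK.search(s_client_output)
    return match.group(0) + "\n" if match else None


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the DER certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the armour and base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetched_cert_is_trusted(s_client_output: str, expected_fingerprint: str) -> bool:
    """True only if the fetched certificate matches the pinned fingerprint.

    A missing PEM block (no network, wrong host answering) is the script's
    'can not find certificate' case and is reported as untrusted, never as
    a silently accepted empty file.
    """
    pem = extract_pem(s_client_output)
    if pem is None:
        return False
    fetched = sha256_fingerprint(pem)
    return hmac.compare_digest(fetched, expected_fingerprint.upper())


if __name__ == "__main__":
    pem = extract_pem(SAMPLE_S_CLIENT_OUTPUT)
    print("fetched fingerprint:", sha256_fingerprint(pem))
    print("matches pinned value:", fetched_cert_is_trusted(SAMPLE_S_CLIENT_OUTPUT, PINNED_FINGERPRINT))
```

On a real client the `SAMPLE_S_CLIENT_OUTPUT` string would be replaced by the actual `openssl s_client` transcript, and only a certificate whose fingerprint matches the pinned value would be written into the profile's cert_override.txt; anything else is logged the same way the script's `echo 'can not find certificate'` branch is.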