On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote: > > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off > > Apache2 and you won't get the 404 and curl | grep ends in some untested > > realm). > > Good point; this should definitely be improved.
See my proposal in the revised fetch-ldap-cert script, also attached.
> > Furthermore, you operate on the bundle certificate file still for
> > buster<->buster setups.
> >
> > Have you tested with distributing just the rootCA file to the clients?
>
> Yes, works like expected. But then, one more change needs to get into
> 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it
> won't be easy to handle this change upon upgrades.
The complete diff for all required changes (also for upgrading), fetch
script included. Don't know if this is suitable for 10.1, though:
diff --git a/cf3/cf.finalize b/cf3/cf.finalize
index 5f3ee1b9..a4185128 100644
--- a/cf3/cf.finalize
+++ b/cf3/cf.finalize
@@ -66,6 +66,8 @@ files:
copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
"/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt"
copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
+ "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt"
+ copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
commands:
@@ -124,12 +126,21 @@ commands:
# Adjust certificate rights to make them accessible.
+ debian.server.installation::
+
+ "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt"
+ contain => in_shell;
+
debian.ltspclient.installation::
"/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt"
contain => in_shell;
+ "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt"
+ contain => in_shell;
"/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt"
contain => in_shell;
+ "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt"
+ contain => in_shell;
# Note that 'ltsp-update-image --config-nbd' is needed to generate the image
and
# to configure NBD; adjust rights to make the image available for the NBD
server.
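Review bot: The separate chmod for `Debian-Edu_rootCA.crt` is needed because the existing `debian-edu*.crt` glob on the line above it is case-sensitive and does not match the new file name, but nothing in the hunk says so. A comment such as `# Debian-Edu_rootCA.crt is not matched by the debian-edu*.crt glob (case).` above the first new pair would stop a later cleanup from folding the lines back into the glob. The same applies to the second new pair for the /opt/ltsp chroots.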
diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds
index 716ed817..671459af 100644
--- a/cf3/cf.workarounds
+++ b/cf3/cf.workarounds
@@ -33,6 +33,12 @@ files:
link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"),
move_obstructions => "true";
+ # Provide Debian Edu RootCA pub key as download.
+
+ debian.server.installation::
+ "/etc/debian-edu/www/Debian-Edu_rootCA.crt"
+ copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
+
commands:
debian.xfce.(ltspclient|ltspserver).installation::
diff --git a/debian/debian-edu-config.fetch-ldap-cert
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..1ee84443 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
-
+ LDAPPORT=636 # ldaps
ERROR=false
- if [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+ if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+ grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
@@ -39,18 +40,43 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ;
then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new
ldap.intern < /dev/null
+ if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null
| grep RootCA ; then
+ if curl -sfk --head -o /dev/null https://www.intern ; then
+ if curl -k https://www.intern/Debian-Edu_rootCA.crt >
$ROOTCACRT && \
+ grep -q CERTIFICATE $ROOTCACRT ; then
+ gnutls-cli --x509cafile $ROOTCACRT
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched rootCA certificate
from www.intern."
+ else
+ rm -f $ROOTCACRT
+ if curl -k https://www.intern/debian-edu-bundle.crt >
$BUNDLECRT && \
+ grep -q CERTIFICATE $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle
certificate from www.intern."
+ else
+ rm -f $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch certificates
from www.intern."
+ fi
+ fi
+ else
+ log_action_end_msg 1
+ logger -t fetch-ldap-cert "Failed to connect to www.intern,
maybe the web server down."
+ ERROR=true
+ fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER
> $CERTFILE.new
chmod 644 $CERTFILE.new
+ logger -t fetch-ldap-cert "Fetched pre Buster LDAP server
certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ if [ -f $BUNDLECRT ] ; then
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
certificate from $LDAPSERVER."
+ else
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from
$LDAPSERVER."
+ fi
else
- rm $CERTFILE.new
+ rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate
from $LDAPSERVER."
ERROR=true
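Review bot: The two new `gnutls-cli --x509cafile ... --save-cert=$CERTFILE.new $LDAPSERVER` lines never have their exit status checked, so under `set -e` a failed handshake or chain verification aborts do_start right there, before any logger call, and a stale `$CERTFILE.new` may be left behind; wrapping each in `if ! gnutls-cli ...; then rm -f $CERTFILE.new; logger -t fetch-ldap-cert "Verification against $ROOTCACRT failed."; fi` keeps the failure visible in syslog and leaves nothing for the later `test -s` to promote. Those lines also pass no port, so gnutls-cli talks to its default port (443, as far as I recall) while the new `LDAPPORT=636` is used only by the openssl probe; `-p "$LDAPPORT"` makes probe and fetch address the same LDAP service, which matters if it ever presents a different certificate than the web server. The final `if [ -f $BUNDLECRT ]` reports "verified" only for the bundle path although the RootCA path verified just the same; `if [ -f $ROOTCACRT ] || [ -f $BUNDLECRT ] ; then` corrects the syslog message. The probe's `grep RootCA` lacks `-q` and prints the matching chain line on the console at boot. do_start continues past this hunk.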
@@ -64,10 +90,24 @@ do_start() {
log_action_begin_msg "Copying LDAP SSL certificate to
ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ ERROR=true
+ fi
+ log_action_begin_msg "Copying Debian Edu rootCA certificate to
ltsp-chroot $ltsp_chroot "
+ if test -s $ROOTCACRT; then
+ cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
+ log_action_begin_msg "Copying TLS certificate bundle to
ltsp-chroot $ltsp_chroot "
+ if test -s $BUNDLECRT; then
+ cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
log_action_end_msg 1
ERROR=true
+ fi
fi
fi
done
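Review bot: `log_action_begin_msg "Copying Debian Edu rootCA certificate ..."` is emitted unconditionally, while the sibling message for the server certificate just above it is guarded by `[ "$VERBOSE" != no ] &&`; the guard should be applied here too, `[ "$VERBOSE" != no ] && log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "`. When `$ROOTCACRT` is absent a second begin message for the bundle is started before the rootCA action is closed, so the console shows two open actions and one end marker; deciding which file to copy first and issuing a single begin/end pair per chroot keeps the output consistent. The enclosing for loop starts before this hunk.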
@@ -76,16 +116,9 @@ do_start() {
return 1
fi
}
-
case "$1" in
start)
- # do absolutely nothing, if this host is already "attached" to
- # a Debian Edu network
- if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
- :
- else
- do_start
- fi
+ do_start
;;
stop)
;;
diff --git a/share/debian-edu-config/tools/create-debian-edu-certs
b/share/debian-edu-config/tools/create-debian-edu-certs
index 346f0bf4..93f345cf 100755
--- a/share/debian-edu-config/tools/create-debian-edu-certs
+++ b/share/debian-edu-config/tools/create-debian-edu-certs
@@ -72,7 +72,9 @@ generate() {
# available via web-server.
cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+ cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www
chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
+ chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt
logger -t create-debian-edu-certs "Certs with both .crt and .pem extension
made available in /etc/debian-edu/www."
}
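Review bot: The syslog line `"Certs with both .crt and .pem extension made available in /etc/debian-edu/www."` no longer describes what generate() does, since the RootCA is published as `.crt` only. Either also copy a `.pem` variant as the bundle lines do, or reword the message, e.g. `logger -t create-debian-edu-certs "Bundle certs (.crt and .pem) and Debian-Edu_rootCA.crt made available in /etc/debian-edu/www."`. generate() starts before this hunk.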
Wolfgang
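#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <[email protected]>
# Date:   2007-06-09

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
WWWSERVER=https://www.intern

# Download the certificate file named by $2 from $WWWSERVER into the path
# given as $1.  The download is made with certificate checking disabled
# (curl -k) because this is the first contact that bootstraps the trust
# anchor; there is nothing to check it against yet.  A response that does
# not look like a PEM certificate (e.g. an error page) is discarded so no
# junk is left under /etc/ssl/certs.  Returns 0 when a usable file is in
# place, 1 otherwise.
fetch_www_cert() {
    dest="$1"
    url="$WWWSERVER/$2"
    if curl -sSk "$url" > "$dest" && grep -q CERTIFICATE "$dest" ; then
        return 0
    fi
    rm -f "$dest"
    return 1
}

# Connect to the LDAP service on $LDAPSERVER:$LDAPPORT, verify the
# certificate it presents against the CA file given as $1 and save it as
# $CERTFILE.new.  On failure the .new file is removed and the reason is
# logged, so the caller's "test -s" cannot promote an unverified
# certificate.  Returns 0 on success, 1 otherwise.
save_ldap_cert() {
    cafile="$1"
    if gnutls-cli --x509cafile "$cafile" -p "$LDAPPORT" \
            --save-cert="$CERTFILE.new" "$LDAPSERVER" < /dev/null ; then
        return 0
    fi
    rm -f "$CERTFILE.new"
    logger -t fetch-ldap-cert "Verification of the LDAP SSL certificate from $LDAPSERVER against $cafile failed."
    return 1
}

# Copy the file given as $1 to the same path inside the LTSP chroot $2,
# reporting the action on the console as $3.  A missing or empty source
# file is an error and sets the global ERROR flag.
copy_into_chroot() {
    src="$1"
    root="$2"
    what="$3"
    [ "$VERBOSE" != no ] && log_action_begin_msg "Copying $what to ltsp-chroot $root "
    if [ -s "$src" ] ; then
        cp "$src" "$root$src"
        [ "$VERBOSE" != no ] && log_action_end_msg 0
    else
        log_action_end_msg 1
        ERROR=true
    fi
    return 0
}

# Fetch the LDAP server certificate for nslcd (once, when it is missing)
# and propagate certificate and CA into any LTSP chroots.  Returns 1 when
# any step failed, which under "set -e" ends the script with status 1.
do_start() {
    # Locate LDAP server
    LDAPSERVER=$(debian-edu-ldapserver)
    LDAPPORT=636 # ldaps
    ERROR=false
    # Fetch only once: when nslcd expects the certificate and it is not
    # installed yet.
    if [ ! -f "$CERTFILE" ] && [ -f /etc/nslcd.conf ] && \
       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # A chain issued by the Debian Edu RootCA means a buster (or newer)
        # server: fetch the CA from the web server and verify the LDAP
        # certificate against it.  Older servers publish no CA, so their
        # certificate is taken as presented.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q RootCA ; then
            if curl -sfk --head -o /dev/null "$WWWSERVER" ; then
                cafile=""
                if fetch_www_cert "$ROOTCACRT" Debian-Edu_rootCA.crt ; then
                    cafile="$ROOTCACRT"
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                elif fetch_www_cert "$BUNDLECRT" debian-edu-bundle.crt ; then
                    # Fallback for servers that only publish the bundle.
                    cafile="$BUNDLECRT"
                    logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                else
                    logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                fi
                # save_ldap_cert logs its own failure; the missing .new
                # file is then reported below.
                if [ -n "$cafile" ] ; then
                    save_ldap_cert "$cafile" || true
                fi
            else
                log_action_end_msg 1
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
                ERROR=true
            fi
        else
            /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new"
            chmod 644 "$CERTFILE.new"
            logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
        fi
        if [ -s "$CERTFILE.new" ] ; then
            mv "$CERTFILE.new" "$CERTFILE"
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            # A CA file on disk means the certificate went through
            # gnutls-cli's chain verification (rootCA or bundle path).
            if [ -f "$ROOTCACRT" ] || [ -f "$BUNDLECRT" ] ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f "$CERTFILE.new"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    # LTSP chroots run their own nslcd and need the same certificate
    # (and CA) as the host.
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d) ; do
            if [ ! -f "$ltsp_chroot$CERTFILE" ] && [ -f "$ltsp_chroot/etc/nslcd.conf" ] && \
               grep -q /etc/ssl/certs/debian-edu-server.crt "$ltsp_chroot/etc/nslcd.conf" ; then
                copy_into_chroot "$CERTFILE" "$ltsp_chroot" "LDAP SSL certificate"
                # Prefer the RootCA (buster and newer); fall back to the bundle.
                if [ -s "$ROOTCACRT" ] ; then
                    copy_into_chroot "$ROOTCACRT" "$ltsp_chroot" "Debian Edu rootCA certificate"
                else
                    copy_into_chroot "$BUNDLECRT" "$ltsp_chroot" "TLS certificate bundle"
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
    return 0
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        ;;
    restart|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 2
esac

exit 0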

