Hi, please include the bug in further mails on this topic, and many thanks for all your work on it!
On Thu, Jul 25, 2019 at 03:08:05PM +0200, Wolfgang Schweer wrote: > On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote: > > > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn of > > > Apache2 and you won't get the 404 and curl | grep ends in some untested > > > realm). > > > > Good point; this should definitly be improved. > > See my proposal in the revised fetch-ldap-cert script, also attached. > > > > Furthermore, you operate on the bundle certificate file still for > > > buster<->buster setups. > > > > > > Have you tested with distributing just the rootCA file to the clients? > > > > Yes, works like expected. But then, one more change needs to get into > > 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it > > won't be easy to handle this change upon upgrades. > > The complete diff for all required changes (also for upgrading), fetch > script included. Don't know if this is suitable for 10.1, though: > > diff --git a/cf3/cf.finalize b/cf3/cf.finalize > index 5f3ee1b9..a4185128 100644 > --- a/cf3/cf.finalize > +++ b/cf3/cf.finalize > @@ -66,6 +66,8 @@ files: > copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt"); > "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt" > copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt"); > + "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt" > + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt"); > > commands: 
> > @@ -124,12 +126,21 @@ commands: > > # Adjust certificate rights to make them accessible. > > + debian.server.installation:: > + > + "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt" > + contain => in_shell; > + > debian.ltspclient.installation:: > > "/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt" > contain => in_shell; > + "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt" > + contain => in_shell; > "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt" > contain => in_shell; > + "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt" > + contain => in_shell; > > # Note that 'ltsp-update-image --config-nbd' is needed to generate the > image and > # to configure NBD; adjust rights to make the image available for the NBD > server. > diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds > index 716ed817..671459af 100644 > --- a/cf3/cf.workarounds > +++ b/cf3/cf.workarounds > @@ -33,6 +33,12 @@ files: > link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"), > move_obstructions => "true"; > > + # Provide Debian Edu RootCA pub key as download. > + > + debian.server.installation:: > + "/etc/debian-edu/www/Debian-Edu_rootCA.crt" > + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt"); > + > commands: > > debian.xfce.(ltspclient|ltspserver).installation:: > diff --git a/debian/debian-edu-config.fetch-ldap-cert > b/debian/debian-edu-config.fetch-ldap-cert > index dfec40da..1ee84443 100755 > --- a/debian/debian-edu-config.fetch-ldap-cert > +++ b/debian/debian-edu-config.fetch-ldap-cert 
> @@ -23,14 +23,15 @@ set -e > > CERTFILE=/etc/ssl/certs/debian-edu-server.crt > BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt > +ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt > > do_start() { > # Locate LDAP server > LDAPSERVER=$(debian-edu-ldapserver) > - > + LDAPPORT=636 # ldaps > ERROR=false > - if [ -f /etc/nslcd.conf ] && > - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then > + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && > + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then > if [ -z "$LDAPSERVER" ] ; then > msg="Failed to locate LDAP server" > log_action_begin_msg "$msg" 
> @@ -39,18 +40,43 @@ do_start() { > return 1 > fi > [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL > certificate." > - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; > then > - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new > ldap.intern < /dev/null > + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null > | grep RootCA ; then > + if curl -sfk --head -o /dev/null https://www.intern ; then > + if curl -k https://www.intern/Debian-Edu_rootCA.crt > > $ROOTCACRT && \ > + grep -q CERTIFICATE $ROOTCACRT ; then > + gnutls-cli --x509cafile $ROOTCACRT > --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null > + logger -t fetch-ldap-cert "Fetched rootCA certificate > from www.intern." > + else > + rm -f $ROOTCACRT > + if curl -k https://www.intern/debian-edu-bundle.crt > > $BUNDLECRT && \ > + grep -q CERTIFICATE $BUNDLECRT ; then > + gnutls-cli --x509cafile $BUNDLECRT > --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null > + logger -t fetch-ldap-cert "Fetched bundle > certificate from www.intern." > + else > + rm -f $BUNDLECRT > + logger -t fetch-ldap-cert "Failed to fetch certificates > from www.intern." > + fi > + fi > + else > + log_action_end_msg 1 > + logger -t fetch-ldap-cert "Failed to connect to www.intern, > maybe the web server down." > + ERROR=true > + fi > else > /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > > $CERTFILE.new > chmod 644 $CERTFILE.new > + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server > certificate." > fi > if test -s $CERTFILE.new ; then > mv $CERTFILE.new $CERTFILE > [ "$VERBOSE" != no ] && log_action_end_msg 0 > - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL > certificate from $LDAPSERVER." > + if [ -f $BUNDLECRT ] ; then > + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL > certificate from $LDAPSERVER." > + else > + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from > $LDAPSERVER." 
> + fi > else > - rm $CERTFILE.new > + rm -f $CERTFILE.new > log_action_end_msg 1 > logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate > from $LDAPSERVER." > ERROR=true > @@ -64,10 +90,24 @@ do_start() { > log_action_begin_msg "Copying LDAP SSL certificate to > ltsp-chroot $ltsp_chroot " > if test -s $CERTFILE; then > cp $CERTFILE $ltsp_chroot$CERTFILE > + [ "$VERBOSE" != no ] && log_action_end_msg 0 > + else > + log_action_end_msg 1 > + ERROR=true > + fi > + log_action_begin_msg "Copying Debian Edu rootCA certificate to > ltsp-chroot $ltsp_chroot " > + if test -s $ROOTCACRT; then > + cp $ROOTCACRT $ltsp_chroot$ROOTCACRT > [ "$VERBOSE" != no ] && log_action_end_msg 0 > else > + log_action_begin_msg "Copying TLS certificate bundle to > ltsp-chroot $ltsp_chroot " > + if test -s $BUNDLECRT; then > + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT > + [ "$VERBOSE" != no ] && log_action_end_msg 0 > + else > log_action_end_msg 1 > ERROR=true > + fi > fi > fi > done > @@ -76,16 +116,9 @@ do_start() { > return 1 > fi > } > - > case "$1" in > start) > - # do absolutely nothing, if this host is already "attached" to > - # a Debian Edu network > - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then > - : > - else > - do_start > - fi > + do_start > ;; > stop) > ;; > diff --git a/share/debian-edu-config/tools/create-debian-edu-certs > b/share/debian-edu-config/tools/create-debian-edu-certs > index 346f0bf4..93f345cf 100755 > --- a/share/debian-edu-config/tools/create-debian-edu-certs > +++ b/share/debian-edu-config/tools/create-debian-edu-certs 
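Review bot: The root CA written to `$ROOTCACRT` by the `curl -k` at the top of this hunk becomes the trust anchor for the gnutls-cli verification on the next line, yet the only acceptance test is `grep -q CERTIFICATE`, so whoever answers for www.intern on the install network chooses the CA and nothing is logged that would let an admin notice. Fetch with `curl -ksf -o "$ROOTCACRT" https://www.intern/Debian-Edu_rootCA.crt`, replace the grep with `openssl x509 -noout -in "$ROOTCACRT"`, and log `openssl x509 -noout -fingerprint -sha256 -in "$ROOTCACRT"` so the fingerprint can be compared out of band; the bundle fallback wants the same treatment. The success message near the end of the hunk is keyed on `[ -f $BUNDLECRT ]`, so the rootCA path logs only "Fetched" while the bundle path claims "Fetched and verified"; test `[ -f $ROOTCACRT ] || [ -f $BUNDLECRT ]` instead. gnutls-cli's exit status is also never checked: the script runs under `set -e` (outside this hunk), so a verification failure presumably aborts before the `rm -f $CERTFILE.new` below runs, and if `--save-cert` writes the peer certificate before the verdict (worth confirming) a non-empty `$CERTFILE.new` is not evidence of verification either.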
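Review bot: The rootCA copy added in the middle of this hunk opens a `log_action_begin_msg` that is never closed when `$ROOTCACRT` is missing, because the else branch immediately opens a second begin message for the bundle; with the LSB helpers that leaves two half-written status lines, and unlike the server-certificate copy above neither begin message is gated on `$VERBOSE`. Pick the file to copy first and emit a single begin/end pair, as below; the fallback order (rootCA, then bundle, else error) is unchanged. The enclosing `for ltsp_chroot` loop and its `[ ! -f $ltsp_chroot$CERTFILE ]` guard start outside this hunk.
```shell
# … unchanged: LDAP server certificate copy …
if test -s $ROOTCACRT ; then
    cacrt=$ROOTCACRT ; cadesc="Debian Edu rootCA certificate"
else
    cacrt=$BUNDLECRT ; cadesc="TLS certificate bundle"
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Copying $cadesc to ltsp-chroot $ltsp_chroot "
if test -s $cacrt ; then
    cp $cacrt $ltsp_chroot$cacrt
    [ "$VERBOSE" != no ] && log_action_end_msg 0
else
    log_action_end_msg 1
    ERROR=true
fi
```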
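Review bot: Dropping the `if [ -e /etc/ssl/certs/debian-edu-server.crt ]` guard makes `do_start` run on every start, and its first statement, `LDAPSERVER=$(debian-edu-ldapserver)` (in the earlier hunk, outside this one), now executes even on hosts that already hold the certificate; under the script's `set -e` a non-zero exit from that lookup would abort the whole script before the LTSP chroot loop runs, which the old guard avoided. The exit codes of `debian-edu-ldapserver` are not visible here, so if it can fail either move the lookup inside the `if [ ! -f $CERTFILE ]` branch or write it as `LDAPSERVER=$(debian-edu-ldapserver || true)` and keep the existing empty-string check.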
> @@ -72,7 +72,9 @@ generate() { > # available via web-server. > cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www > cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www > + cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www > chmod 644 /etc/debian-edu/www/debian-edu-bundle.* > + chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt > logger -t create-debian-edu-certs "Certs with both .crt and .pem > extension made available in /etc/debian-edu/www." > } > > > > Wolfgang > #!/bin/sh > ### BEGIN INIT INFO > # Provides: fetch-ldap-cert > # Required-Start: $local_fs $remote_fs > # Required-Stop: $local_fs $remote_fs > # Should-Start: $network $syslog $named slapd > # Default-Start: 2 3 4 5 > # Default-Stop: > # Short-Description: Fetch LDAP SSL public key from the server > # Description: > # Start before krb5-kdc to give slapd time to become operational > # before krb5-kdc try to connect to the LDAP server as a workaround > # for #589915. > # X-Start-Before: isc-dhcp-server krb5-kdc nslcd > ### END INIT INFO > # > # Author: Petter Reinholdtsen <p...@hungry.com> > # Date: 2007-06-09 > > set -e > > . /lib/lsb/init-functions > > CERTFILE=/etc/ssl/certs/debian-edu-server.crt > BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt > ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt > > do_start() { > # Locate LDAP server > LDAPSERVER=$(debian-edu-ldapserver) > LDAPPORT=636 # ldaps > ERROR=false > if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && > grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then > if [ -z "$LDAPSERVER" ] ; then > msg="Failed to locate LDAP server" > log_action_begin_msg "$msg" > log_action_end_msg 1 > logger -t fetch-ldap-cert "$msg." > return 1 > fi > [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL > certificate." 
> if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null > | grep RootCA ; then > if curl -sfk --head -o /dev/null https://www.intern ; then > if curl -k https://www.intern/Debian-Edu_rootCA.crt > > $ROOTCACRT && \ > grep -q CERTIFICATE $ROOTCACRT ; then > gnutls-cli --x509cafile $ROOTCACRT > --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null > logger -t fetch-ldap-cert "Fetched rootCA certificate > from www.intern." > else > rm -f $ROOTCACRT > if curl -k https://www.intern/debian-edu-bundle.crt > > $BUNDLECRT && \ > grep -q CERTIFICATE $BUNDLECRT ; then > gnutls-cli --x509cafile $BUNDLECRT > --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null > logger -t fetch-ldap-cert "Fetched bundle > certificate from www.intern." > else > rm -f $BUNDLECRT > logger -t fetch-ldap-cert "Failed to fetch certificates > from www.intern." > fi > fi > else > log_action_end_msg 1 > logger -t fetch-ldap-cert "Failed to connect to www.intern, > maybe the web server down." > ERROR=true > fi > else > /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > > $CERTFILE.new > chmod 644 $CERTFILE.new > logger -t fetch-ldap-cert "Fetched pre Buster LDAP server > certificate." > fi > if test -s $CERTFILE.new ; then > mv $CERTFILE.new $CERTFILE > [ "$VERBOSE" != no ] && log_action_end_msg 0 > if [ -f $BUNDLECRT ] ; then > logger -t fetch-ldap-cert "Fetched and verified LDAP SSL > certificate from $LDAPSERVER." > else > logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from > $LDAPSERVER." > fi > else > rm -f $CERTFILE.new > log_action_end_msg 1 > logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate > from $LDAPSERVER." > ERROR=true > fi > fi > if [ -d /opt/ltsp ] ; then > for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do > if [ ! 
-f $ltsp_chroot$CERTFILE ] && [ -f > $ltsp_chroot/etc/nslcd.conf ] && > grep -q /etc/ssl/certs/debian-edu-server.crt > $ltsp_chroot/etc/nslcd.conf ; then > [ "$VERBOSE" != no ] && > log_action_begin_msg "Copying LDAP SSL certificate to > ltsp-chroot $ltsp_chroot " > if test -s $CERTFILE; then > cp $CERTFILE $ltsp_chroot$CERTFILE > [ "$VERBOSE" != no ] && log_action_end_msg 0 > else > log_action_end_msg 1 > ERROR=true > fi > log_action_begin_msg "Copying Debian Edu rootCA certificate to > ltsp-chroot $ltsp_chroot " > if test -s $ROOTCACRT; then > cp $ROOTCACRT $ltsp_chroot$ROOTCACRT > [ "$VERBOSE" != no ] && log_action_end_msg 0 > else > log_action_begin_msg "Copying TLS certificate bundle to > ltsp-chroot $ltsp_chroot " > if test -s $BUNDLECRT; then > cp $BUNDLECRT $ltsp_chroot$BUNDLECRT > [ "$VERBOSE" != no ] && log_action_end_msg 0 > else > log_action_end_msg 1 > ERROR=true > fi > fi > fi > done > fi > if $ERROR; then > return 1 > fi > } > case "$1" in > start) > do_start > ;; > stop) > ;; > restart|force-reload) > ;; > *) > echo "Usage: $0 {start|stop|restart|force-reload}" > exit 2 > esac > exit 0 -- tschau, Holger ------------------------------------------------------------------------------- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C