On Thu, Jul 25, 2019 at 08:26:22PM +0000, Holger Levsen wrote: > hi, please include the bug in further mails on this topic
Thanks for the pointer, the missing mails have been quoted in the report for bug #933183 tracking the Debian Edu RootCA file issue which has been filed because this issue is independent from the fetch-ldap-cert one. I've adjusted debian-edu-config.fetch-ldap-cert once more to catch all possible use cases. (1) If the rootCA file is available for download, this is logged: Jul 27 12:13:17 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server... Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: % Total % Received % Xferd Average Speed Time Time Time Current Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Dload Upload Total Spent Left Speed Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 1411 100 1411 0 0 125k 0 --:--:-- --:--:-- --:--:-- 125k Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Processed 1 CA certificate(s). Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Resolving 'tjener.intern:443'... Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Connecting to '10.0.2.2:443'... Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Certificate type: X.509 Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Got a certificate list of 1 certificates. Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Certificate[0] info: Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b474, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-25 12:47:43 UTC', expires `2029-07-22 12:47:43 UTC', pin-sha256="5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g=" Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011Public Key ID: Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011#011sha1:7afc6650de5e8f22dde08519347fdfbc2c29717d Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011#011sha256:e5cb1b74672f2ca35121c3fed152955cc936aabc98279f15c8a666546f1c9798 Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011Public Key PIN: Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011#011pin-sha256:5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g= Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Status: The certificate is trusted. Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Options: Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Handshake was completed Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Simple Client Mode: Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Peer has closed the GnuTLS connection Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert: Fetched rootCA certificate from www.intern. Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: done. Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert: Fetched LDAP SSL certificate from tjener.intern. Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done. Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Copying Debian Edu rootCA certificate to ltsp-chroot /opt/ltsp/i386 ...done. Jul 27 12:13:17 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server. (2) If only the bundle cert is available (updated client, main server not yet), the log is: Jul 27 12:28:32 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server... Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: % Total % Received % Xferd Average Speed Time Time Time Current Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Dload Upload Total Spent Left Speed Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 296 100 296 0 0 14800 0 --:--:-- --:--:-- --:--:-- 14800 Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: % Total % Received % Xferd Average Speed Time Time Time Current Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Dload Upload Total Spent Left Speed Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 3460 100 3460 0 0 211k 0 --:--:-- --:--:-- --:--:-- 211k Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: |<1>| There was a non-CA certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian Edu,OU=Debian Edu RootCA,CN=www.intern,EMAIL=postmaster@postoffice.intern. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Processed 2 CA certificate(s). Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Resolving 'tjener.intern:443'... Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Connecting to '10.0.2.2:443'... Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Certificate type: X.509 Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Got a certificate list of 1 certificates. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Certificate[0] info: Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b474, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-25 12:47:43 UTC', expires `2029-07-22 12:47:43 UTC', pin-sha256="5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g=" Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011Public Key ID: Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011sha1:7afc6650de5e8f22dde08519347fdfbc2c29717d Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011sha256:e5cb1b74672f2ca35121c3fed152955cc936aabc98279f15c8a666546f1c9798 Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011Public Key PIN: Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011pin-sha256:5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g= Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Status: The certificate is trusted. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Options: Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Handshake was completed Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Simple Client Mode: Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Peer has closed the GnuTLS connection Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate from www.intern. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: done. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL certificate from tjener.intern. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done. Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Copying Debian Edu rootCA certificate to ltsp-chroot /opt/ltsp/i386 ...Copying TLS certificate bundle to ltsp-chroot /opt/ltsp/i386 ...done. Jul 27 12:28:32 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server. Jul 27 12:28:39 am-0800276f4d92 nslcd[1058]: [3c9869] <passwd="*"> request denied by validnames option (3) Pre Buster main server, Buster client is also catched like before. The diff of the script (which is also attached) is now like such: diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..1ee84443 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert @@ -23,14 +23,15 @@ set -e CERTFILE=/etc/ssl/certs/debian-edu-server.crt BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt +ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) - + LDAPPORT=636 # ldaps ERROR=false - if [ -f /etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" @@ -39,18 +40,43 @@ do_start() { return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then + if curl -sfk --head -o /dev/null https://www.intern ; then + if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \ + grep -q CERTIFICATE $ROOTCACRT ; then + gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern." + else + rm -f $ROOTCACRT + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ + grep -q CERTIFICATE $BUNDLECRT ; then + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + rm -f $BUNDLECRT + logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern." + fi + fi + else + log_action_end_msg 1 + logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down." + ERROR=true + fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + if [ -f $BUNDLECRT ] ; then + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + else + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." + fi else - rm $CERTFILE.new + rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true @@ -64,10 +90,24 @@ do_start() { log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot " + if test -s $ROOTCACRT; then + cp $ROOTCACRT $ltsp_chroot$ROOTCACRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else + log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " + if test -s $BUNDLECRT; then + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else log_action_end_msg 1 ERROR=true + fi fi fi done @@ -76,16 +116,9 @@ do_start() { return 1 fi } - case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;;
#!/bin/sh ### BEGIN INIT INFO # Provides: fetch-ldap-cert # Required-Start: $local_fs $remote_fs # Required-Stop: $local_fs $remote_fs # Should-Start: $network $syslog $named slapd # Default-Start: 2 3 4 5 # Default-Stop: # Short-Description: Fetch LDAP SSL public key from the server # Description: # Start before krb5-kdc to give slapd time to become operational # before krb5-kdc try to connect to the LDAP server as a workaround # for #589915. # X-Start-Before: isc-dhcp-server krb5-kdc nslcd ### END INIT INFO # # Author: Petter Reinholdtsen <p...@hungry.com> # Date: 2007-06-09 set -e . /lib/lsb/init-functions CERTFILE=/etc/ssl/certs/debian-edu-server.crt BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) LDAPPORT=636 # ldaps ERROR=false if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" log_action_end_msg 1 logger -t fetch-ldap-cert "$msg." return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then if curl -sfk --head -o /dev/null https://www.intern ; then if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \ grep -q CERTIFICATE $ROOTCACRT ; then gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern." else rm -f $ROOTCACRT if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ grep -q CERTIFICATE $BUNDLECRT ; then gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." else rm -f $BUNDLECRT logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern." fi fi else log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down." ERROR=true fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 if [ -f $BUNDLECRT ] ; then logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." else logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." fi else rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true fi fi if [ -d /opt/ltsp ] ; then for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] && grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then [ "$VERBOSE" != no ] && log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 ERROR=true fi log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot " if test -s $ROOTCACRT; then cp $ROOTCACRT $ltsp_chroot$ROOTCACRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " if test -s $BUNDLECRT; then cp $BUNDLECRT $ltsp_chroot$BUNDLECRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 ERROR=true fi fi fi done fi if $ERROR; then return 1 fi } case "$1" in start) do_start ;; stop) ;; restart|force-reload) ;; *) echo "Usage: $0 {start|stop|restart|force-reload}" exit 2 esac exit 0
signature.asc
Description: PGP signature