Your message dated Thu, 15 Aug 2019 14:38:33 +0000
with message-id <e1hygtd-000cqg...@fasolo.debian.org>
and subject line Bug#934380: fixed in debian-edu-config 2.10.67
has caused the Debian Bug report #934380,
regarding fetch-ldap-cert should have independent conditions for both host and 
LTSP chroot
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
934380: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934380
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.10.66
Severity: important

The fetch-ldap-cert script should make sure that the LDAP server 
certificate is only downloaded once for both host and chroot.

It used to have independent conditions for these two cases in pre-Buster 
releases.

Now a global condition is used. If an LTSP chroot is re-generated or an 
additional one is created, these chroots would never contain the LDAP 
server certificate, i.e. the LDAP certificate will be fetched each time 
an LTSP client is booted. So to really fix #931413 independent 
conditions are needed.

Also, to be useful for the fixes for #332828 (Include the LDAP server 
certificate in initial LTSP chroot image) and #933183 (Provide Debian 
Edu RootCA certificate for download), some more changes are needed.

This change would fix all mentioned issues:

diff --git a/debian/debian-edu-config.fetch-ldap-cert 
b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..cc83a2e1 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
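Review bot: the new guard `[ ! -f $CERTFILE ]` on the outer condition skips the whole fetch block, including the new ROOTCACRT download introduced below, on any host that already has debian-edu-server.crt from a pre-RootCA install; such a host never obtains the root CA and therefore has nothing to copy into its chroots later. Consider making the RootCA retrieval its own condition (or testing `[ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ]`) so the upgrade path works. Minor: `$CERTFILE` is unquoted here while `"$LDAPSERVER"` below is quoted; quote it for consistency.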
@@ -39,18 +40,43 @@ do_start() {
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL 
certificate."
-       if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; 
then
-           gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new 
ldap.intern < /dev/null
+       if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null 
| grep RootCA ; then
+           if curl -sfk --head -o /dev/null https://www.intern ; then
+               if curl -k https://www.intern/Debian-Edu_rootCA.crt > 
$ROOTCACRT && \
+                   grep -q CERTIFICATE $ROOTCACRT ; then
+                       gnutls-cli --x509cafile $ROOTCACRT 
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+                       logger -t fetch-ldap-cert "Fetched rootCA certificate 
from www.intern."
+                   else
+                       rm -f $ROOTCACRT
+                       if curl -k https://www.intern/debian-edu-bundle.crt > 
$BUNDLECRT && \
+                           grep -q CERTIFICATE $BUNDLECRT ; then
+                               gnutls-cli --x509cafile $BUNDLECRT 
--save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+                               logger -t fetch-ldap-cert "Fetched bundle 
certificate from www.intern."
+               else
+                   rm -f $BUNDLECRT
+                   logger -t fetch-ldap-cert "Failed to fetch certificates 
from www.intern."
+               fi
+           fi
+           else
+               log_action_end_msg 1
+               logger -t fetch-ldap-cert "Failed to connect to www.intern, 
maybe the web server down."
+               ERROR=true
+           fi
        else
            /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER 
> $CERTFILE.new
            chmod 644 $CERTFILE.new
+           logger -t fetch-ldap-cert "Fetched pre Buster LDAP server 
certificate."
        fi
        if test -s $CERTFILE.new ; then
            mv $CERTFILE.new $CERTFILE
            [ "$VERBOSE" != no ] && log_action_end_msg 0
-           logger -t fetch-ldap-cert "Fetched and verified LDAP SSL 
certificate from $LDAPSERVER."
+           if [ -f $BUNDLECRT ] ; then
+               logger -t fetch-ldap-cert "Fetched and verified LDAP SSL 
certificate from $LDAPSERVER."
+           else
+               logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from 
$LDAPSERVER."
+           fi
        else
-           rm $CERTFILE.new
+           rm -f $CERTFILE.new
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate 
from $LDAPSERVER."
            ERROR=true
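Review bot: the two downloads `curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT` and `curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT` lack `-f`, unlike the `--head` probe above them, so an HTTP error page is saved with exit status 0 and only the following `grep -q CERTIFICATE` rescues the case; add `-f` (and `-s`) to both. The issuer test `echo | openssl s_client ... | grep RootCA` matches any issuer containing "RootCA" and prints the match to stdout; use `grep -q "Debian Edu RootCA"`. With `set -e` in force (see the hunk header), a non-zero exit from `gnutls-cli --x509cafile ... --save-cert=$CERTFILE.new` when the server certificate does not verify aborts do_start before the `test -s $CERTFILE.new` failure branch can log the error; append `|| true` or run it inside the condition. The `else` / `rm -f $BUNDLECRT` branch and the two `fi` lines after it are indented two levels too shallow for the `if curl ... debian-edu-bundle.crt` they close, which hides that the "Failed to connect to www.intern" branch belongs to the `--head` probe. Finally, `-k` on the CA download means the trust anchor is accepted from whatever answers for www.intern at first boot; that is inherent to this bootstrap but deserves a comment, and the log message should read "maybe the web server is down".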
@@ -64,10 +90,24 @@ do_start() {
                log_action_begin_msg "Copying LDAP SSL certificate to 
ltsp-chroot $ltsp_chroot "
                if test -s $CERTFILE; then
                    cp $CERTFILE $ltsp_chroot$CERTFILE
+               [ "$VERBOSE" != no ] && log_action_end_msg 0
+               else
+                   log_action_end_msg 1
+                   ERROR=true
+               fi
+               log_action_begin_msg "Copying Debian Edu rootCA certificate to 
ltsp-chroot $ltsp_chroot "
+               if test -s $ROOTCACRT; then
+                   cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
+                   log_action_begin_msg "Copying TLS certificate bundle to 
ltsp-chroot $ltsp_chroot "
+                   if test -s $BUNDLECRT; then
+                       cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+                       [ "$VERBOSE" != no ] && log_action_end_msg 0
+                   else
                    log_action_end_msg 1
                    ERROR=true
+                   fi
                fi
            fi
        done
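Review bot: the added `[ "$VERBOSE" != no ] && log_action_end_msg 0` after `cp $CERTFILE $ltsp_chroot$CERTFILE` is indented at the level of the `if test -s $CERTFILE`, which reads as if it were outside the branch; indent it under the `cp`. More importantly, `log_action_begin_msg "Copying Debian Edu rootCA certificate ..."` is emitted unconditionally and, when ROOTCACRT is absent, the bundle branch emits a second `log_action_begin_msg` without any `log_action_end_msg` closing the first, leaving a dangling action line on the console; test `-s $ROOTCACRT` before announcing the action and only report the copy that actually happens. The `log_action_end_msg 1` / `ERROR=true` pair in the bundle else-branch is one level too shallow as well. Note also that all of this copying still sits inside the enclosing condition on `$ltsp_chroot$CERTFILE` (visible in the attached script), so a chroot that already has CERTFILE from an earlier release never receives the rootCA or the bundle.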
@@ -79,13 +119,7 @@ do_start() {
 
 case "$1" in
     start)
-       # do absolutely nothing, if this host is already "attached" to
-       # a Debian Edu network
-       if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-           :
-       else
-           do_start
-       fi
+       do_start
        ;;
     stop)
        ;;
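Review bot: dropping the `[ -e /etc/ssl/certs/debian-edu-server.crt ]` short-circuit here is right, since do_start now tests `$CERTFILE` for the host itself and must still walk the LTSP chroots even when the host is done, but the comment explaining the "already attached" case disappears with it. Keep a one-line comment (here or at the top of do_start) stating that the per-target checks live in do_start, so the next reader does not reintroduce the global guard that caused this bug.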


Please test. (script is attached)

Wolfgang
#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <p...@hungry.com>
# Date:   2007-06-09

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt

do_start() {
    # Locate LDAP server
    LDAPSERVER=$(debian-edu-ldapserver)
    LDAPPORT=636 # ldaps
    ERROR=false
    # Host: fetch only if the certificate is missing and nslcd is configured
    # to use it.  This condition is independent of the chroot checks below.
    if [ ! -f "$CERTFILE" ] && [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # If the LDAP server presents a certificate issued by a RootCA, fetch
        # that CA (or the bundle as fallback) from www.intern and use it to
        # verify the server certificate before saving it.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null |
            grep -q RootCA ; then
            if curl -sfk --head -o /dev/null https://www.intern ; then
                # -f: fail on HTTP errors instead of saving an error page
                if curl -sfk https://www.intern/Debian-Edu_rootCA.crt > "$ROOTCACRT" &&
                    grep -q CERTIFICATE "$ROOTCACRT" ; then
                    # "|| true": a verification failure must not abort the script
                    # under set -e; an empty or missing $CERTFILE.new is handled below.
                    gnutls-cli --x509cafile "$ROOTCACRT" --save-cert="$CERTFILE.new" \
                        "$LDAPSERVER" < /dev/null > /dev/null 2>&1 || true
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                else
                    rm -f "$ROOTCACRT"
                    if curl -sfk https://www.intern/debian-edu-bundle.crt > "$BUNDLECRT" &&
                        grep -q CERTIFICATE "$BUNDLECRT" ; then
                        gnutls-cli --x509cafile "$BUNDLECRT" --save-cert="$CERTFILE.new" \
                            "$LDAPSERVER" < /dev/null > /dev/null 2>&1 || true
                        logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                    else
                        rm -f "$BUNDLECRT"
                        logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                    fi
                fi
            else
                log_action_end_msg 1
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server is down."
                ERROR=true
            fi
        else
            # Pre-Buster server: no CA available, fetch the certificate directly.
            /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new"
            chmod 644 "$CERTFILE.new"
            logger -t fetch-ldap-cert "Fetched pre-Buster LDAP server certificate."
        fi
        if test -s "$CERTFILE.new" ; then
            mv "$CERTFILE.new" "$CERTFILE"
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            if [ -f "$BUNDLECRT" ] ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f "$CERTFILE.new"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    # LTSP chroots: each chroot gets its own check, so a re-generated or newly
    # created chroot is served even when the host already has its certificate.
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d) ; do
            if [ ! -f "$ltsp_chroot$CERTFILE" ] && [ -f "$ltsp_chroot/etc/nslcd.conf" ] &&
                grep -q /etc/ssl/certs/debian-edu-server.crt "$ltsp_chroot/etc/nslcd.conf" ; then
                [ "$VERBOSE" != no ] && log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
                if test -s "$CERTFILE" ; then
                    cp "$CERTFILE" "$ltsp_chroot$CERTFILE"
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_end_msg 1
                    ERROR=true
                fi
                log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
                if test -s "$ROOTCACRT" ; then
                    cp "$ROOTCACRT" "$ltsp_chroot$ROOTCACRT"
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
                    if test -s "$BUNDLECRT" ; then
                        cp "$BUNDLECRT" "$ltsp_chroot$BUNDLECRT"
                        [ "$VERBOSE" != no ] && log_action_end_msg 0
                    else
                        log_action_end_msg 1
                        ERROR=true
                    fi
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        ;;
    restart|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 2
esac
exit 0

Attachment: signature.asc
Description: PGP signature


--- End Message ---
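The point of the report above is that the "do I still need the certificate?" question has to be asked once per target (the host root and every LTSP chroot) rather than once globally. The following is an added example written for this page, not code from debian-edu-config or from the patch: it isolates that per-root check, adds the "is the downloaded file really a PEM certificate?" test the patch performs with grep, and runs against a constructed temporary directory tree instead of a live system. The is_chroot heuristic (a directory counts as a chroot if it has /etc and /bin/sh) is an assumption of this example, not something the package implements.

```shell
#!/bin/sh
# Added example, not the debian-edu-config init script.  CERTFILE is the path
# used in the bug report; ROOT is "" for the host or a chroot directory.
CERTFILE=/etc/ssl/certs/debian-edu-server.crt

# Return 0 if the tree rooted at $1 is configured to use CERTFILE via nslcd
# but does not have the file yet.  Evaluated independently per root, so a
# freshly re-generated chroot is recognised even when the host is already done.
needs_cert() {
    root="$1"
    [ ! -f "$root$CERTFILE" ] &&
    [ -f "$root/etc/nslcd.conf" ] &&
    grep -q "$CERTFILE" "$root/etc/nslcd.conf"
}

# Return 0 if $1 holds at least one PEM certificate block, i.e. a download
# did not leave an HTML error page where a certificate was expected.
looks_like_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null
}

# Assumed heuristic: a directory under /opt/ltsp is a chroot if it carries
# /etc and /bin/sh (so an images/ directory of SquashFS files is skipped).
is_chroot() {
    [ -d "$1/etc" ] && [ -e "$1/bin/sh" ]
}

# Build a constructed fixture (fake host root, two chroots, one non-chroot
# directory) and report, per root, whether the certificate is still needed.
demo() {
    tmp=$(mktemp -d) || return 1
    for r in host ltsp/amd64 ltsp/i386 ltsp/images; do
        mkdir -p "$tmp/$r/etc/ssl/certs"
    done
    # host and both real chroots use nslcd with the Debian Edu certificate
    for r in host ltsp/amd64 ltsp/i386; do
        mkdir -p "$tmp/$r/bin" && : > "$tmp/$r/bin/sh"
        echo "tls_cacertfile $CERTFILE" > "$tmp/$r/etc/nslcd.conf"
    done
    # host and the amd64 chroot already have the certificate; i386 does not
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' \
        > "$tmp/host$CERTFILE"
    cp "$tmp/host$CERTFILE" "$tmp/ltsp/amd64$CERTFILE"

    if needs_cert "$tmp/host"; then result="host=needs"; else result="host=has"; fi
    for d in "$tmp"/ltsp/*; do
        name=$(basename "$d")
        if ! is_chroot "$d"; then
            result="$result $name=skip"
        elif needs_cert "$d"; then
            result="$result $name=needs"
        else
            result="$result $name=has"
        fi
    done
    rm -rf "$tmp"
    echo "$result"
}

demo
```

Run stand-alone it prints one status per root; the i386 chroot is the case from the report (host already served, chroot still missing the file), and a global "host has it, so skip everything" condition would have hidden it.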
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.10.67

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Aug 2019 16:20:50 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.67
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <hol...@debian.org>
Closes: 934380
Changes:
 debian-edu-config (2.10.67) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
     - Use independent conditions to make sure that the LDAP server certificate
       is only downloaded once for both host and LTSP chroot.
     - Add code to validate the LDAP server certificate in case the Debian Edu
       RootCA certificate is available for download.
 .
   [ Mike Gabriel ]
   * Code review debian-edu-config.fetch-ldap-cert:
     - White-space-only change: Fix broken and inconsistent indentations.
     - Fully inline-document fetch-ldap-cert script.
     - Add "-f" option to all curl calls that don't have it set so far.
       This assures that curl bails out with a non-zero exit code, if anything
       goes wrong while retrieving certificate files.
     - Also report a successful certificate verification if we verified the
       LDAP server certificate using the Debian Edu RootCA.
     - Really check that the LDAP server uses a certificate issued by the
       "Debian Edu RootCA", not just by (some) "RootCA".
     - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
     - LTSP chroot certificate copying: only log those actions, if they are
       actually about to happen.
     - Silence curl stderr and gnutls-cli stdout+stderr.
     - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
       CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
       This will lead to repetitive downloads of the CERTFILE on system boot.
       To get rid of this, people must upgrade their TJENERs from Debian Edu
       10.0 to 10.1. Then it will stop. This hack is necessary to assure
       distribution of the RootCA to all clients that don't have it, yet.
     - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
       copying from chroot copying of the CERTFILE. The chroot may have the
       CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
       path from Debian Edu 10.0 to Debian Edu 10.1.
     - Do a simple validity check if a directory under /opt/ltsp really is
       a chroot (and e.g. not the SquashFS images' directory).
Checksums-Sha1:
 3bd8da91b4e9c3dbdf61e357dcd12b0516398229 1918 debian-edu-config_2.10.67.dsc
 a54a2cfe07829975ee8a258e0afd44dbc9987531 344664 debian-edu-config_2.10.67.tar.xz
 87e735f6f2a8996b3852873742505b4e7515de69 5276 debian-edu-config_2.10.67_source.buildinfo
Checksums-Sha256:
 3b45bbe47a91000f13d4420d98a047f46b41e4b2758aa58b8bfe9235ddd94d41 1918 debian-edu-config_2.10.67.dsc
 7fd13aeeae687972269ad4a60dba3bb4671cd12d5e519965432d1774af28c76e 344664 debian-edu-config_2.10.67.tar.xz
 8df1a4f64d14c95622890593615d0675168ebd0c5590221940a6c820fc47b18b 5276 debian-edu-config_2.10.67_source.buildinfo
Files:
 a842b5853927c469bee3ce05a7878108 1918 misc optional debian-edu-config_2.10.67.dsc
 eed77fc54f4b09e828205c5a336ba81c 344664 misc optional debian-edu-config_2.10.67.tar.xz
 376de7c334d73b18d454c847e2de0acd 5276 misc optional debian-edu-config_2.10.67_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAl1VaooACgkQCRq4Vgaa
qhwnfQ/9Hw8QTdPD2t/qa3Af00eXx93Lxmtd2Fin6cMfMPkJxAaxZuGPS/eCp7Da
kedNOU2zrERFZfCIARyj2qRuGhqKFA6PQUWGdEcSVX/+wj9OACNpQSwYnwrLVkGo
hIIhZ7soNLYoLU78x4ouZ+LD5x7aVh3sy/7DJqQN4utdiwi/VHPMQl7g8mQefbEW
w0DeeM0wp+rAabb+2Rr1P1Fo25pC5M7daet+GFniM/c2wRZ6A1KalTYyJKt7J4n3
bS9kmEmrjcYNtun8O3O6h15Asd762N7hYsMDiBMmy5zgyLW+27hToLAJg74VYnwu
nL0mLRUykZcdyguAtLd0A8VZew/HEOrb9oQRBB+Fp0yntFxyUvAWd7UEvUjUtQjf
NVjvMIEOd2A3yjri1SiuGUyTZkphmbYAeE3spB1/9AvtWGOV3lLTL3I5/F8VcGDW
IvWbMvOojOy6Ulm7d2j28z2wTg7ECM4LWxFFkwuvDHc1a3fVEA5fNOw3k8IfABPZ
QZhoLOJTcDgdz0dHPMpf2Qw1eoNhYL5Xidg+cwIgDS8OZyPKxgwsWgAls9mvgXwd
KYOHVjLJ7yr1cQrYEt+JN1NAdWlisox36+KYbkKFMGnMDrR2leYtJEqN/ICh+kDM
mBYwyHuOSfnTbXefykmncbcEppulNs/N6vhqMwZRirgq7CsRo0A=
=QqbT
-----END PGP SIGNATURE-----

--- End Message ---