hi, please include the bug in further mails on this topic and many thanks for all your work on it! Thanks!
On Thu, Jul 25, 2019 at 03:08:05PM +0200, Wolfgang Schweer wrote:
> On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote:
> > > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn of
> > > Apache2 and you won't get the 404 and curl | grep ends in some untested
> > > realm).
> >
> > Good point; this should definitly be improved.
>
> See my proposal in the revised fetch-ldap-cert script, also attached.
>
> > > Furthermore, you operate on the bundle certificate file still for
> > > buster<->buster setups.
> > >
> > > Have you tested with distributing just the rootCA file to the clients?
> >
> > Yes, works like expected. But then, one more change needs to get into
> > 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it
> > won't be easy to handle this change upon upgrades.
>
> The complete diff for all required changes (also for upgrading), fetch
> script included. Don't know if this is suitable for 10.1, though:
>
> diff --git a/cf3/cf.finalize b/cf3/cf.finalize
> index 5f3ee1b9..a4185128 100644
> --- a/cf3/cf.finalize
> +++ b/cf3/cf.finalize
> @@ -66,6 +66,8 @@ files:
> copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
> "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt"
> copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
> + "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt"
> + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
>
> commands:
>
> @@ -124,12 +126,21 @@ commands:
>
> # Adjust certificate rights to make them accessible.
>
> + debian.server.installation::
> +
> + "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt"
> + contain => in_shell;
> +
> debian.ltspclient.installation::
>
> "/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt"
> contain => in_shell;
> + "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt"
> + contain => in_shell;
> "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt"
> contain => in_shell;
> + "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt"
> + contain => in_shell;
>
> # Note that 'ltsp-update-image --config-nbd' is needed to generate the
> image and
> # to configure NBD; adjust rights to make the image available for the NBD
> server.
> diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds
> index 716ed817..671459af 100644
> --- a/cf3/cf.workarounds
> +++ b/cf3/cf.workarounds
> @@ -33,6 +33,12 @@ files:
> link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"),
> move_obstructions => "true";
>
> + # Provide Debian Edu RootCA pub key as download.
> +
> + debian.server.installation::
> + "/etc/debian-edu/www/Debian-Edu_rootCA.crt"
> + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
> +
> commands:
>
> debian.xfce.(ltspclient|ltspserver).installation::
> diff --git a/debian/debian-edu-config.fetch-ldap-cert
> b/debian/debian-edu-config.fetch-ldap-cert
> index dfec40da..1ee84443 100755
> --- a/debian/debian-edu-config.fetch-ldap-cert
> +++ b/debian/debian-edu-config.fetch-ldap-cert
> @@ -23,14 +23,15 @@ set -e
>
> CERTFILE=/etc/ssl/certs/debian-edu-server.crt
> BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
> +ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
>
> do_start() {
> # Locate LDAP server
> LDAPSERVER=$(debian-edu-ldapserver)
> -
> + LDAPPORT=636 # ldaps
> ERROR=false
> - if [ -f /etc/nslcd.conf ] &&
> - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
> + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
> + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
> if [ -z "$LDAPSERVER" ] ; then
> msg="Failed to locate LDAP server"
> log_action_begin_msg "$msg"
> @@ -39,18 +40,43 @@ do_start() {
> return 1
> fi
> [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
> certificate."
> - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ;
> then
> - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new
> ldap.intern < /dev/null
> + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null
> | grep RootCA ; then
> + if curl -sfk --head -o /dev/null https://www.intern ; then
> + if curl -k https://www.intern/Debian-Edu_rootCA.crt >
> $ROOTCACRT && \
> + grep -q CERTIFICATE $ROOTCACRT ; then
> + gnutls-cli --x509cafile $ROOTCACRT
> --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
> + logger -t fetch-ldap-cert "Fetched rootCA certificate
> from www.intern."
> + else
> + rm -f $ROOTCACRT
> + if curl -k https://www.intern/debian-edu-bundle.crt >
> $BUNDLECRT && \
> + grep -q CERTIFICATE $BUNDLECRT ; then
> + gnutls-cli --x509cafile $BUNDLECRT
> --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
> + logger -t fetch-ldap-cert "Fetched bundle
> certificate from www.intern."
> + else
> + rm -f $BUNDLECRT
> + logger -t fetch-ldap-cert "Failed to fetch certificates
> from www.intern."
> + fi
> + fi
> + else
> + log_action_end_msg 1
> + logger -t fetch-ldap-cert "Failed to connect to www.intern,
> maybe the web server down."
> + ERROR=true
> + fi
> else
> /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER
> > $CERTFILE.new
> chmod 644 $CERTFILE.new
> + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server
> certificate."
> fi
> if test -s $CERTFILE.new ; then
> mv $CERTFILE.new $CERTFILE
> [ "$VERBOSE" != no ] && log_action_end_msg 0
> - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
> certificate from $LDAPSERVER."
> + if [ -f $BUNDLECRT ] ; then
> + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
> certificate from $LDAPSERVER."
> + else
> + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from
> $LDAPSERVER."
> + fi
> else
> - rm $CERTFILE.new
> + rm -f $CERTFILE.new
> log_action_end_msg 1
> logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate
> from $LDAPSERVER."
> ERROR=true
> @@ -64,10 +90,24 @@ do_start() {
> log_action_begin_msg "Copying LDAP SSL certificate to
> ltsp-chroot $ltsp_chroot "
> if test -s $CERTFILE; then
> cp $CERTFILE $ltsp_chroot$CERTFILE
> + [ "$VERBOSE" != no ] && log_action_end_msg 0
> + else
> + log_action_end_msg 1
> + ERROR=true
> + fi
> + log_action_begin_msg "Copying Debian Edu rootCA certificate to
> ltsp-chroot $ltsp_chroot "
> + if test -s $ROOTCACRT; then
> + cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
> [ "$VERBOSE" != no ] && log_action_end_msg 0
> else
> + log_action_begin_msg "Copying TLS certificate bundle to
> ltsp-chroot $ltsp_chroot "
> + if test -s $BUNDLECRT; then
> + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
> + [ "$VERBOSE" != no ] && log_action_end_msg 0
> + else
> log_action_end_msg 1
> ERROR=true
> + fi
> fi
> fi
> done
> @@ -76,16 +116,9 @@ do_start() {
> return 1
> fi
> }
> -
> case "$1" in
> start)
> - # do absolutely nothing, if this host is already "attached" to
> - # a Debian Edu network
> - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
> - :
> - else
> - do_start
> - fi
> + do_start
> ;;
> stop)
> ;;
> diff --git a/share/debian-edu-config/tools/create-debian-edu-certs
> b/share/debian-edu-config/tools/create-debian-edu-certs
> index 346f0bf4..93f345cf 100755
> --- a/share/debian-edu-config/tools/create-debian-edu-certs
> +++ b/share/debian-edu-config/tools/create-debian-edu-certs
> @@ -72,7 +72,9 @@ generate() {
> # available via web-server.
> cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
> cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
> + cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www
> chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
> + chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt
> logger -t create-debian-edu-certs "Certs with both .crt and .pem
> extension made available in /etc/debian-edu/www."
> }
>
>
>
> Wolfgang
> #!/bin/sh
> ### BEGIN INIT INFO
> # Provides: fetch-ldap-cert
> # Required-Start: $local_fs $remote_fs
> # Required-Stop: $local_fs $remote_fs
> # Should-Start: $network $syslog $named slapd
> # Default-Start: 2 3 4 5
> # Default-Stop:
> # Short-Description: Fetch LDAP SSL public key from the server
> # Description:
> # Start before krb5-kdc to give slapd time to become operational
> # before krb5-kdc try to connect to the LDAP server as a workaround
> # for #589915.
> # X-Start-Before: isc-dhcp-server krb5-kdc nslcd
> ### END INIT INFO
> #
> # Author: Petter Reinholdtsen <[email protected]>
> # Date: 2007-06-09
>
> set -e
>
> . /lib/lsb/init-functions
>
> CERTFILE=/etc/ssl/certs/debian-edu-server.crt
> BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
> ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
>
> do_start() {
> # Locate LDAP server
> LDAPSERVER=$(debian-edu-ldapserver)
> LDAPPORT=636 # ldaps
> ERROR=false
> if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
> grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
> if [ -z "$LDAPSERVER" ] ; then
> msg="Failed to locate LDAP server"
> log_action_begin_msg "$msg"
> log_action_end_msg 1
> logger -t fetch-ldap-cert "$msg."
> return 1
> fi
> [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL
> certificate."
> if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null
> | grep RootCA ; then
> if curl -sfk --head -o /dev/null https://www.intern ; then
> if curl -k https://www.intern/Debian-Edu_rootCA.crt >
> $ROOTCACRT && \
> grep -q CERTIFICATE $ROOTCACRT ; then
> gnutls-cli --x509cafile $ROOTCACRT
> --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
> logger -t fetch-ldap-cert "Fetched rootCA certificate
> from www.intern."
> else
> rm -f $ROOTCACRT
> if curl -k https://www.intern/debian-edu-bundle.crt >
> $BUNDLECRT && \
> grep -q CERTIFICATE $BUNDLECRT ; then
> gnutls-cli --x509cafile $BUNDLECRT
> --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
> logger -t fetch-ldap-cert "Fetched bundle
> certificate from www.intern."
> else
> rm -f $BUNDLECRT
> logger -t fetch-ldap-cert "Failed to fetch certificates
> from www.intern."
> fi
> fi
> else
> log_action_end_msg 1
> logger -t fetch-ldap-cert "Failed to connect to www.intern,
> maybe the web server down."
> ERROR=true
> fi
> else
> /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER
> > $CERTFILE.new
> chmod 644 $CERTFILE.new
> logger -t fetch-ldap-cert "Fetched pre Buster LDAP server
> certificate."
> fi
> if test -s $CERTFILE.new ; then
> mv $CERTFILE.new $CERTFILE
> [ "$VERBOSE" != no ] && log_action_end_msg 0
> if [ -f $BUNDLECRT ] ; then
> logger -t fetch-ldap-cert "Fetched and verified LDAP SSL
> certificate from $LDAPSERVER."
> else
> logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from
> $LDAPSERVER."
> fi
> else
> rm -f $CERTFILE.new
> log_action_end_msg 1
> logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate
> from $LDAPSERVER."
> ERROR=true
> fi
> fi
> if [ -d /opt/ltsp ] ; then
> for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
> if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f
> $ltsp_chroot/etc/nslcd.conf ] &&
> grep -q /etc/ssl/certs/debian-edu-server.crt
> $ltsp_chroot/etc/nslcd.conf ; then
> [ "$VERBOSE" != no ] &&
> log_action_begin_msg "Copying LDAP SSL certificate to
> ltsp-chroot $ltsp_chroot "
> if test -s $CERTFILE; then
> cp $CERTFILE $ltsp_chroot$CERTFILE
> [ "$VERBOSE" != no ] && log_action_end_msg 0
> else
> log_action_end_msg 1
> ERROR=true
> fi
> log_action_begin_msg "Copying Debian Edu rootCA certificate to
> ltsp-chroot $ltsp_chroot "
> if test -s $ROOTCACRT; then
> cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
> [ "$VERBOSE" != no ] && log_action_end_msg 0
> else
> log_action_begin_msg "Copying TLS certificate bundle to
> ltsp-chroot $ltsp_chroot "
> if test -s $BUNDLECRT; then
> cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
> [ "$VERBOSE" != no ] && log_action_end_msg 0
> else
> log_action_end_msg 1
> ERROR=true
> fi
> fi
> fi
> done
> fi
> if $ERROR; then
> return 1
> fi
> }
> case "$1" in
> start)
> do_start
> ;;
> stop)
> ;;
> restart|force-reload)
> ;;
> *)
> echo "Usage: $0 {start|stop|restart|force-reload}"
> exit 2
> esac
> exit 0
--
tschau,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
signature.asc
Description: PGP signature

