Missing script now attached.

Wolfgang
        #!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <p...@hungry.com>
# Date:   2007-06-09

# -e: abort the script on the first unhandled command failure.
# -x: trace every command as it runs.
# NOTE(review): -x looks like a debugging aid; confirm it is wanted in the
# shipped init script, since the trace ends up in the boot output.
set -ex

# LSB helper functions; do_start uses log_action_end_msg from here.
. /lib/lsb/init-functions

# Obsolete certificate bundle; do_start deletes it on every start.
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
# Second location in /etc/ssl/certs that do_start writes the root CA to.
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
# Download target for the root CA; when this file already exists do_start
# skips the fetch entirely.
LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt

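do_start() {
        # Fetch the Debian Edu root CA certificate from www.intern and
        # install it system-wide, unless it is already present.
        #
        # Globals:  BUNDLECRT, ROOTCACRT, LOCALCACRT (read)
        #           ERROR, TMPCRT (written)
        # Returns:  1 when www.intern cannot be reached at all; 0 otherwise
        #           (a failed download is only logged, as before).

        ERROR=false

        # Remove no longer used certificate file
        rm -f "$BUNDLECRT"

        # RootCA cert retrieval
        if [ ! -f "$LOCALCACRT" ]; then
                # Since Debian Edu 10, the RootCA file is distributed over
                # http (always via the host serving www.intern, by default:
                # TJENER).
                #
                # NOTE(review): -k turns off TLS verification, so neither the
                # probe nor the download authenticates the server. Whatever
                # answers as www.intern during this first fetch becomes a
                # system-wide trust anchor. That is inherent to bootstrapping
                # trust this way; comparing the result against a fingerprint
                # delivered through another channel would close the gap.
                #
                # We do an availability check for the webserver first, to
                # provide proper error reporting (see below). So, the
                # following check merely discovers if the webserver is online
                # at all.
                if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
                        # Download into a scratch file next to the destination.
                        # The real paths are only touched once the download
                        # succeeded and looks like a certificate, so a failed
                        # or partial fetch never leaves a truncated file behind.
                        TMPCRT=$(mktemp "$LOCALCACRT.XXXXXX" 2>/dev/null) || TMPCRT=

                        # Now let's see if the webserver has the "Debian Edu
                        # RootCA" file. This has been the case for Debian Edu
                        # main servers (TJENER) since Debian Edu 10.1.
                        #
                        # curl's own exit status is checked here. The earlier
                        # "curl 1> file | tee" form sent nothing down the pipe
                        # (leaving $ROOTCACRT empty) and reported tee's status.
                        # The grep is only a plausibility check against HTML
                        # error pages, not a validation of the certificate.
                        if [ -n "$TMPCRT" ] && \
                                curl -fk https://www.intern/Debian-Edu_rootCA.crt > "$TMPCRT" && \
                                grep -q CERTIFICATE "$TMPCRT"; then
                                # mktemp creates the file 0600; CA certificates
                                # must be world-readable.
                                chmod 644 "$TMPCRT"
                                cp "$TMPCRT" "$ROOTCACRT"
                                mv "$TMPCRT" "$LOCALCACRT"
                                # Integrate the rootCA certificate into
                                # /etc/ssl/certs/ca-certificates
                                update-ca-certificates
                                logger -t fetch-ldap-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
                        else
                                # Drop the scratch file, as it probably only
                                # contains some 404 http error message in html.
                                [ -z "$TMPCRT" ] || rm -f "$TMPCRT"
                                logger -t fetch-ldap-cert "Failed to fetch rootCA certificate from www.intern."
                        fi
                else
                        # Report an error, if www.intern is down http-wise.
                        # This can happen and is probably a temporary problem
                        # that needs an admin to fix it.
                        log_action_end_msg 1
                        logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server is down."
                        ERROR=true
                fi
        fi

        if $ERROR; then
                return 1
        fi
}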

# Dispatch on the init action given as $1. Only "start" does any work;
# the script leaves nothing running, so the other known actions are
# accepted as no-ops. Anything else prints the usage line and exits 2.
case "$1" in
        start)
                do_start
                ;;
        stop|restart|force-reload)
                # Nothing to stop or reload.
                :
                ;;
        *)
                echo "Usage: $0 {start|stop|restart|force-reload}"
                exit 2
                ;;
esac
exit 0

Attachment: signature.asc
Description: PGP signature
