
Re: Can snakeoil-on-ice work outside the main-server?



Hi Petter,

On Sunday 27 December 2009 19:46:57 Petter Reinholdtsen wrote:
> While trying to figure out
> <URL:http://bugs.skolelinux.org/show_bug.cgi?id=1409>, it occurred to
> me that the approach taken in the snakeoil-on-ice script would only
> work when running on the main-server, and would only work if the users
> log in on the main-server (or a thin client / diskless workstation
> booting off the main-server).  On other machines, the symlink
> /etc/skel/.mozilla/firefox/debian-edu.default/cert_override.txt would
> point to a non-existing file.
>
> Did I misunderstand something?  If I am right, we need something like
> /etc/init.d/fetch-ldap-cert to make sure all clients have the web
> server certificate available when a user logs in for the first time on
> that client.

The script snakeoil-on-ice should work outside the main server.
It only has to run once the certificate is created/replaced, to produce the 
fingerprint and save it where Iceweasel will copy it to all new profiles 
created.
It doesn't update or otherwise access users' directories.

It should check if it's being run on the main server; if so, it accesses the 
certificate directly in /etc/ssl/certs/ssl-cert-snakeoil.pem,
else it fetches the certificate over the network using SSL and holds it in a 
temporary file; failing this too, it returns an error and prints a message.

Here's the piece of code:

> # On main server read local certificate
> # otherwise fetch the certificate over ssl.
>
> if [[ $PROFILE =~ Main-Server ]]; then
>         CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem;
> elif (ping -c 1 www > /dev/null); then
>         CERT=$(tempfile -p fetch -s cert)
>         echo | openssl s_client -connect www:443 2>/dev/null | sed -n \
>             '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > $CERT
> else
>         echo 'can not find certificate'
>         exit 1;
> fi

During install the message should be saved in the log.
When invoked from cfengine it is run late, to allow the certificate to be 
created before.

Also it creates the stuff in /etc/skel on main server only, 
while /etc/iceweasel/profile/cert_override.txt is created on all profiles.

I believe the problem reported in bug #1409 is rather the exception than the 
rule; that installation had multiple issues.
However, since there was a similar problem reported in bug #1359, again with 
multiple issues (#1358, #1361, #1362), I suspect this has to do with having 
no network during installation or some network misconfiguration in the other 
case.

I think we must either investigate further the case of installing without a 
network connection, or document that the main server (or any server) should be 
installed while connected; I would expect they'll be operated on a network 
after all.

Odd.
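A stricter version of the fetch step discussed in this thread, added here as an example and not taken from the snakeoil-on-ice script: where the quoted code writes whatever sed produced to $CERT, this one refuses to accept a reply without a complete PEM block, so a refused connection or a truncated handshake cannot leave behind an empty certificate file. The host name www and the snakeoil path are the ones quoted above; the function names and the sample s_client output are this example's own.

```shell
#!/bin/sh
# Added example, not the snakeoil-on-ice script itself. Host name "www" and the
# snakeoil path come from the quoted script; the function names are assumptions.

LOCAL_CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem

# Print the first complete PEM certificate block found on stdin (s_client output).
# Return 1 and print nothing when no complete block is present, so that a refused
# connection or a truncated reply never ends up as an empty "certificate" file.
pem_from_s_client() {
    pem=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
          sed '/^-----END CERTIFICATE-----$/q')
    case "$pem" in
        *'-----END CERTIFICATE-----') printf '%s\n' "$pem" ;;
        *) return 1 ;;
    esac
}

# Same branch logic as the quoted snippet: read the local file on the main server,
# otherwise fetch from www:443. Writes the PEM to $2; on failure removes the
# partial file, prints the script's message and returns non-zero.
get_server_cert() {
    profile=$1 dest=$2
    case "$profile" in
        *Main-Server*) [ -r "$LOCAL_CERT" ] && cp "$LOCAL_CERT" "$dest" && return 0 ;;
    esac
    # "echo |" hands s_client EOF on stdin so it does not sit waiting for a request.
    if echo | openssl s_client -connect www:443 2>/dev/null | pem_from_s_client > "$dest"; then
        return 0
    fi
    rm -f "$dest"
    echo 'can not find certificate' >&2
    return 1
}

# Constructed s_client-like output for an offline check; the base64 body is fake.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = www
-----BEGIN CERTIFICATE-----
MIIBfakeConstructedLine1
MIIBfakeConstructedLine2
-----END CERTIFICATE-----
---
subject=CN = www'

# Run the extractor over the constructed sample (no network needed).
extract_sample() { printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | pem_from_s_client; }
```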

