[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#931413: [debian-edu-commits] [Git][debian-edu/debian-edu-config][master] debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server...

On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
> On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> > The school I can test this on is currently powered down due to maintenance
> > work on the electric wiring in the building that hosts the server chamber.
> > It's on the list...
> 
> do you have an ETA for this?
> 
> currently the next point release is planned for August 31 or September
> 7...

We should really get this into 10.1; as the real world test date appears 
to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu 
networks with buster and stretch workstations against both buster and 
pre buster main servers. Everything works like expected; see logs from 
various scenarios further below to get the picture.

(Compared to my previous version there are a few cosmetic changes, also 
logging has been improved a bit.)

This is the diff against the current version in Git: 

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..4a4f5585 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -27,10 +27,10 @@ BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 	if [ -z "$LDAPSERVER" ] ; then
 	    msg="Failed to locate LDAP server"
 	    log_action_begin_msg "$msg"
@@ -39,18 +39,30 @@ do_start() {
 	    return 1
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-	if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+	    if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+		grep -v -q 404 $BUNDLECRT ; then
+		gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+		logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+	    else
+		rm $BUNDLECRT
+		logger -t fetch-ldap-cert "Failed to fetch bundle certificate from www.intern."
+	    fi
 	else
 	    /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
 	    chmod 644 $CERTFILE.new
+	    logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
 	fi
 	if test -s $CERTFILE.new ; then
 	    mv $CERTFILE.new $CERTFILE
 	    [ "$VERBOSE" != no ] && log_action_end_msg 0
-	    logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    if [ -f $BUNDLECRT ] ; then
+	        logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    else
+	        logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+	    fi
 	else
-	    rm $CERTFILE.new
+	    rm -f $CERTFILE.new
 	    log_action_end_msg 1
 	    logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
 	    ERROR=true
@@ -64,6 +76,14 @@ do_start() {
 		log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
 		if test -s $CERTFILE; then
 		    cp $CERTFILE $ltsp_chroot$CERTFILE
+		[ "$VERBOSE" != no ] && log_action_end_msg 0
+		else
+		    log_action_end_msg 1
+		    ERROR=true
+		fi
+		log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+		if test -s $BUNDLECRT; then
+		    cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
 		    [ "$VERBOSE" != no ] && log_action_end_msg 0
 		else
 		    log_action_end_msg 1
@@ -76,16 +96,9 @@ do_start() {
 	return 1
     fi
 }
-
 case "$1" in
     start)
-	# do absolutely nothing, if this host is already "attached" to
-	# a Debian Edu network
-	if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-	    :
-	else
-	    do_start
-	fi
+	do_start
 	;;
     stop)
 	;;


In all test cases the existing certificates have been removed, then 
'service fetch-ldap-cert' has been run twice. The logs are from the 
first run. After the second one I checked if the certificates not been 
fetched again. They had stayed untouched. I can also confirm that 
authentication actually worked afterwards.

(1) stretch workstation against buster main server

Jul 24 14:24:25 ws9mate systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 14:24:25 ws9mate fetch-ldap-cert[2103]: Fetching LDAP SSL certificate....done.
Jul 24 14:24:25 ws9mate fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.
Jul 24 14:24:25 ws9mate systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.

(2) buster workstation against jessie main server 

Jul 24 12:57:15 am-080027dbce36 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched pre Buster LDAP server certificate.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert[1998]: Fetching LDAP SSL certificate....done.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.intern.
Jul 24 12:57:15 am-080027dbce36 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.

(3) buster workstation against buster main server

Jul 24 13:20:15 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:    i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:                                  Dload  Upload   Total   Spent    Left  Speed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #015  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100  3460  100  3460    0     0   259k      0 --:--:-- --:--:-- --:--:--  259k
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: |<1>| There was a non-CA certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian Edu,OU=Debian Edu RootCA,CN=www.intern,EMAIL=postmaster@postoffice.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Processed 2 CA certificate(s).
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Resolving 'tjener.intern:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Connecting to '10.0.2.2:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate type: X.509
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Got a certificate list of 1 certificates.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate[0] info:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]:  - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key ID:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key PIN:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Status: The certificate is trusted.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Options:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Handshake was completed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Simple Client Mode:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Peer has closed the GnuTLS connection
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate from www.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL certificate from tjener.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying TLS certificate bundle to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.

(4) similar to (3) but with the bundle certificate made unavailable 
    (just to check if a failure is reported)

Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:    i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:                                  Dload  Upload   Total   Spent    Left  Speed
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #015  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100   296  100   296    0     0  26909      0 --:--:-- --:--:-- --:--:-- 26909
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** Fatal error: Error in the certificate.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Processed 0 CA certificate(s).
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Resolving 'tjener.intern:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Connecting to '10.0.2.2:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate type: X.509
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Got a certificate list of 1 certificates.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate[0] info:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]:  - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key ID:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key PIN:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Status: The certificate is NOT trusted. The certificate issuer is unknown.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** PKI verification of server certificate failed...
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Control process exited, code=exited, status=1/FAILURE
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Failed with result 'exit-code'.
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Failed to start LSB: Fetch LDAP SSL public key from the server.

If no one shouts I'll commit the script with a delay of two days...

Wolfgang

Attachment: signature.asc
Description: PGP signature

Reply to: