On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote: > On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote: > > The school I can test this on is currently powered down due to maintenance > > work on the electric wiring in the building that hosts the server chamber. > > It's on the list... > > do you have an ETA for this? > > currently the next point release is planned for August 31 or September > 7... We should really get this into 10.1; as the real world test date appears to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu networks with buster and stretch workstations against both buster and pre buster main servers. Everything works like expected; see logs from various scenarios further below to get the picture. (Compared to my previous version there are a few cosmetic changes, also logging has been improved a bit.) This is the diff against the current version in Git: diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..4a4f5585 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert @@ -27,10 +27,10 @@ BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) - + LDAPPORT=636 # ldaps ERROR=false - if [ -f /etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" 
@@ -39,18 +39,30 @@ do_start() { return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ + grep -v -q 404 $BUNDLECRT ; then + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + rm $BUNDLECRT + logger -t fetch-ldap-cert "Failed to fetch bundle certificate from www.intern." + fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + if [ -f $BUNDLECRT ] ; then + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + else + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." + fi else - rm $CERTFILE.new + rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true 
@@ -64,6 +76,14 @@ do_start() { log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " + if test -s $BUNDLECRT; then + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 
@@ -76,16 +96,9 @@ do_start() { return 1 fi } - case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;; In all test cases the existing certificates have been removed, then 'service fetch-ldap-cert' has been run twice. The logs are from the first run. After the second one I checked if the certificates not been fetched again. They had stayed untouched. I can also confirm that authentication actually worked afterwards. (1) stretch workstation against buster main server Jul 24 14:24:25 ws9mate systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server... Jul 24 14:24:25 ws9mate fetch-ldap-cert[2103]: Fetching LDAP SSL certificate....done. Jul 24 14:24:25 ws9mate fetch-ldap-cert: Fetched LDAP SSL certificate from ldap. Jul 24 14:24:25 ws9mate systemd[1]: Started LSB: Fetch LDAP SSL public key from the server. (2) buster workstation against jessie main server Jul 24 12:57:15 am-080027dbce36 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server... Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched pre Buster LDAP server certificate. Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert[1998]: Fetching LDAP SSL certificate....done. Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.intern. Jul 24 12:57:15 am-080027dbce36 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server. (3) buster workstation against buster main server Jul 24 13:20:15 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server... Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Fetching LDAP SSL certificate.... 
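Review bot: in the first hunk the new test `[ ! -f $CERTFILE ]` leaves `$CERTFILE` unquoted while `"$LDAPSERVER"` two lines below is quoted; write `[ ! -f "$CERTFILE" ]` so the condition is consistent and safe if the path ever contains whitespace. Since this test now carries the "already attached, do nothing" semantics that the removed `start)` block used to document, a one-line comment above it saying so would help the next reader.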
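Review bot: in the second hunk `grep -v -q 404 $BUNDLECRT` does not detect a missing bundle: it succeeds as soon as any line of the downloaded body lacks the string 404, which an HTML error page normally does, and test (4) shows exactly that (curl downloads 296 bytes, then gnutls-cli reports "Error in the certificate" and "Processed 0 CA certificate(s)"). Restore `curl -f`, which already fails on an HTTP 4xx/5xx, or check that the file parses before using it, e.g. `openssl x509 -in "$BUNDLECRT" -noout`, and make sure the bogus file is removed on failure so an HTML page never stays in /etc/ssl/certs; the test (4) log shows neither the "Fetched bundle certificate" nor the "Failed to fetch LDAP SSL certificate" logger lines before systemd reports status=1, so check whether the script aborts right after the gnutls-cli error (for example under set -e) and skips that cleanup. Two further points: `LDAPPORT=636` is only used for the openssl probe, while `gnutls-cli ... $LDAPSERVER` connects to port 443 ("Resolving 'tjener.intern:443'" in test 3), so the saved certificate is the one presented on HTTPS rather than on ldaps; pass `-p "$LDAPPORT"` if the LDAP listener is what should be pinned. And `grep RootCA` on the s_client output is not `-q`, so the matched subject/issuer lines end up in the service log, as visible in test (3); since the bundle itself is fetched with `curl -k`, the "Fetched and verified" message describes a chain check against a trust anchor obtained over an unverified connection (trust on first use), and the wording should not suggest more than that.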
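Review bot: in the third hunk the new bundle-copy block sets `ERROR=true` when `test -s $BUNDLECRT` fails, but `$BUNDLECRT` is only written in the RootCA branch of the second hunk; a workstation with an LTSP chroot talking to a pre-buster main server (the situation of test 2) will therefore report a failed start on every run even though the LDAP certificate itself was copied. Wrap the bundle copy in `if [ -f "$BUNDLECRT" ]; then ... fi` (or log it without touching `ERROR`) so a missing bundle is only an error when one was actually fetched, and quote `$BUNDLECRT` and `$ltsp_chroot` in the `cp` as elsewhere.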
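Review bot: the fourth hunk drops the `start)` guard so `do_start` now runs on every start and relies on the `[ ! -f $CERTFILE ]` test of the first hunk to leave an already attached host alone; the removed comment ("do absolutely nothing, if this host is already attached to a Debian Edu network") should be moved next to that test rather than deleted, since it is the only place explaining why a second run is a no-op, which the test runs below confirm.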
0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: % Total % Received % Xferd Average Speed Time Time Time Current
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Dload Upload Total Spent Left Speed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 3460 100 3460 0 0 259k 0 --:--:-- --:--:-- --:--:-- 259k
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: |<1>| There was a non-CA certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian Edu,OU=Debian Edu RootCA,CN=www.intern,EMAIL=postmaster@postoffice.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Processed 2 CA certificate(s).
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Resolving 'tjener.intern:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Connecting to '10.0.2.2:443'...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate type: X.509
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Got a certificate list of 1 certificates.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate[0] info:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key ID:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key PIN:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Status: The certificate is trusted.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Options:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Handshake was completed
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Simple Client Mode:
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Peer has closed the GnuTLS connection
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate from www.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL certificate from tjener.intern.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying TLS certificate bundle to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 24 13:20:16 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.

(4) similar to (3) but with the bundle certificate made unavailable (just to check if a failure is reported)

Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: % Total % Received % Xferd Average Speed Time Time Time Current
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Dload Upload Total Spent Left Speed
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 296 100 296 0 0 26909 0 --:--:-- --:--:-- --:--:-- 26909
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** Fatal error: Error in the certificate.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Processed 0 CA certificate(s).
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Resolving 'tjener.intern:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Connecting to '10.0.2.2:443'...
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate type: X.509
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Got a certificate list of 1 certificates.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate[0] info:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU="
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key ID:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key PIN:
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Status: The certificate is NOT trusted. The certificate issuer is unknown.
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** PKI verification of server certificate failed...
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Control process exited, code=exited, status=1/FAILURE
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Failed with result 'exit-code'.
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Failed to start LSB: Fetch LDAP SSL public key from the server.

If no one shouts I'll commit the script with a delay of two days...

Wolfgang