
Bug#934380: marked as done (fetch-ldap-cert should have independent conditions for both host and LTSP chroot)



Your message dated Thu, 15 Aug 2019 14:38:33 +0000
with message-id <E1hyGtd-000Cqg-DT@fasolo.debian.org>
and subject line Bug#934380: fixed in debian-edu-config 2.10.67
has caused the Debian Bug report #934380,
regarding fetch-ldap-cert should have independent conditions for both host and LTSP chroot
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
934380: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934380
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.10.66
Severity: important

The fetch-ldap-cert script should make sure that the LDAP server 
certificate is only downloaded once for both host and chroot.

It used to have independent conditions for these two cases in pre-Buster 
releases.

Now a global condition is used. If an LTSP chroot is re-generated or an 
additional one is created, these chroots would never contain the LDAP 
server certificate, i.e. the LDAP certificate will be fetched each time 
an LTSP client is booted. So, to really fix #931413, independent 
conditions are needed.

Also, to be useful for the fixes for #332828 (Include the LDAP server 
certificate in initial LTSP chroot image) and #933183 (Provide Debian 
Edu RootCA certificate for download), some more changes are needed.

This change would fix all mentioned issues:

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..cc83a2e1 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 	if [ -z "$LDAPSERVER" ] ; then
 	    msg="Failed to locate LDAP server"
 	    log_action_begin_msg "$msg"
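Review bot: the new guard `[ ! -f $CERTFILE ]` at the top of the host branch skips the whole fetch block as soon as debian-edu-server.crt exists, so a host that already has the server certificate never reaches the ROOTCACRT retrieval this patch adds further down; if the Debian Edu RootCA is also meant to reach existing installations, the condition has to consider `$ROOTCACRT` too (for example `if [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ]; then` combined with the nslcd.conf test), otherwise document that only fresh installations get the root CA. Minor: quoting `"$CERTFILE"` keeps the test well-formed if the variable is ever empty or contains spaces.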
@@ -39,18 +40,43 @@ do_start() {
 	    return 1
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-	if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+	    if curl -sfk --head -o /dev/null https://www.intern ; then
+		if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+		    grep -q CERTIFICATE $ROOTCACRT ; then
+			gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+			logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
+		    else
+			rm -f $ROOTCACRT
+			if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+			    grep -q CERTIFICATE $BUNDLECRT ; then
+				gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+				logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+		else
+		    rm -f $BUNDLECRT
+		    logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
+		fi
+	    fi
+	    else
+		log_action_end_msg 1
+		logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
+	        ERROR=true
+	    fi
 	else
 	    /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
 	    chmod 644 $CERTFILE.new
+	    logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
 	fi
 	if test -s $CERTFILE.new ; then
 	    mv $CERTFILE.new $CERTFILE
 	    [ "$VERBOSE" != no ] && log_action_end_msg 0
-	    logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    if [ -f $BUNDLECRT ] ; then
+	        logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    else
+	        logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+	    fi
 	else
-	    rm $CERTFILE.new
+	    rm -f $CERTFILE.new
 	    log_action_end_msg 1
 	    logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
 	    ERROR=true
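Review bot: `grep RootCA` on the `openssl s_client` output matches any subject or issuer containing that string, not specifically the Debian Edu RootCA, and without `-q` it also prints the matching line to stdout; use `grep -q 'Debian Edu RootCA'` or, more robustly, pipe through `openssl x509 -noout -issuer` and compare the issuer exactly. The two downloads `curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT` and `curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT` lack `-f`, so an HTTP error page is written into /etc/ssl/certs and only the following `grep -q CERTIFICATE` stops it from being used; `curl -sf` fails early instead. Since `-k` disables verification of www.intern, whatever that host serves becomes the trust anchor for the gnutls-cli check that follows; that bootstrap step is accepted here but deserves a comment in the script. Finally, the `else` in front of `rm -f $BUNDLECRT` is indented one level too far left for the inner `if curl ... debian-edu-bundle.crt` it belongs to, which makes the nesting hard to verify; re-indent before merging.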
@@ -64,10 +90,24 @@ do_start() {
 		log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
 		if test -s $CERTFILE; then
 		    cp $CERTFILE $ltsp_chroot$CERTFILE
+		[ "$VERBOSE" != no ] && log_action_end_msg 0
+		else
+		    log_action_end_msg 1
+		    ERROR=true
+		fi
+		log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+		if test -s $ROOTCACRT; then
+		    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
 		    [ "$VERBOSE" != no ] && log_action_end_msg 0
 		else
+		    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+		    if test -s $BUNDLECRT; then
+			cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+			[ "$VERBOSE" != no ] && log_action_end_msg 0
+		    else
 		    log_action_end_msg 1
 		    ERROR=true
+		    fi
 		fi
 	    fi
 	done
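Review bot: the new rootCA and bundle copying sits inside the same per-chroot block as the CERTFILE copy, which (as the attached script shows) is guarded by `if [ ! -f $ltsp_chroot$CERTFILE ] && ...`, so a chroot that already has debian-edu-server.crt but not Debian-Edu_rootCA.crt is never updated; give the ROOTCACRT/BUNDLECRT copy its own `[ ! -f $ltsp_chroot$ROOTCACRT ]` test, as is done for CERTFILE. Also the added `[ "$VERBOSE" != no ] && log_action_end_msg 0` after `cp $CERTFILE $ltsp_chroot$CERTFILE` is indented one level too far left, and `log_action_begin_msg "Copying Debian Edu rootCA certificate ..."` is not gated on `$VERBOSE` like the other begin messages, so begin and end messages will not pair up in quiet mode.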
@@ -79,13 +119,7 @@ do_start() {
 
 case "$1" in
     start)
-	# do absolutely nothing, if this host is already "attached" to
-	# a Debian Edu network
-	if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-	    :
-	else
-	    do_start
-	fi
+	do_start
 	;;
     stop)
 	;;
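Review bot: dropping the global `[ -e /etc/ssl/certs/debian-edu-server.crt ]` guard is the right fix, but the comment explaining why the script used to be a no-op on an already attached host disappears with it; keep a one-line comment at the `do_start` call saying that the host check and the per-chroot checks now live inside do_start, so the next reader does not re-add the global test and reintroduce this bug.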


Please test. (script is attached)

Wolfgang
#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt

do_start() {
    # Locate LDAP server
    LDAPSERVER=$(debian-edu-ldapserver)
    LDAPPORT=636 # ldaps
    ERROR=false
    # Host condition: fetch only if the certificate is missing here and
    # nslcd on this host expects it.
    if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # A Buster (or newer) server presents a certificate issued by the
        # Debian Edu RootCA: download that CA (or the bundle) from www.intern
        # and let gnutls-cli verify the server certificate against it.
        # Note that www.intern itself is fetched with -k (unverified), so the
        # downloaded file is the trust anchor for everything that follows.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q 'Debian Edu RootCA' ; then
            if curl -sfk --head -o /dev/null https://www.intern ; then
                # -f makes curl fail on HTTP errors instead of saving the error page.
                if curl -sfk https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
                    grep -q CERTIFICATE $ROOTCACRT ; then
                    gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null > /dev/null 2>&1
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                else
                    rm -f $ROOTCACRT
                    if curl -sfk https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
                        grep -q CERTIFICATE $BUNDLECRT ; then
                        gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null > /dev/null 2>&1
                        logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                    else
                        rm -f $BUNDLECRT
                        logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                    fi
                fi
            else
                log_action_end_msg 1
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server is down."
                ERROR=true
            fi
        else
            # Pre-Buster server: retrieve its self-signed certificate directly.
            /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
            chmod 644 $CERTFILE.new
            logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
        fi
        if test -s $CERTFILE.new ; then
            mv $CERTFILE.new $CERTFILE
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            # The certificate was verified if a CA (root CA or bundle) was used.
            if [ -f $ROOTCACRT ] || [ -f $BUNDLECRT ] ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f $CERTFILE.new
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d); do
            # Chroot condition, independent of the host one: copy only where
            # the certificate is missing and the chroot's nslcd expects it.
            if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
                grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
                [ "$VERBOSE" != no ] &&
                log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
                if test -s $CERTFILE; then
                    cp $CERTFILE $ltsp_chroot$CERTFILE
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_end_msg 1
                    ERROR=true
                fi
                [ "$VERBOSE" != no ] &&
                log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
                if test -s $ROOTCACRT; then
                    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    [ "$VERBOSE" != no ] &&
                    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
                    if test -s $BUNDLECRT; then
                        cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
                        [ "$VERBOSE" != no ] && log_action_end_msg 0
                    else
                        log_action_end_msg 1
                        ERROR=true
                    fi
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
}

case "$1" in
    start)
        # Host and per-chroot conditions live in do_start; no global guard here.
        do_start
        ;;
    stop)
        ;;
    restart|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 2
esac
exit 0

Attachment: signature.asc
Description: PGP signature


--- End Message ---
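The per-target condition the report asks for, as an added example that is not part of debian-edu-config or of the attached script: a small POSIX shell harness that applies the "certificate missing and nslcd expects it" check to a host root and to every directory under an /opt/ltsp equivalent, refuses to install a download that is not a certificate, and shows that a second run installs nothing, i.e. the file is fetched once per target rather than once globally. Only the certificate path mirrors the real script; the function names, the fake chroot tree and the placeholder certificate files are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of debian-edu-config): per-target "fetch once"
# logic for the host root and each LTSP chroot, run against a constructed
# directory tree, so it needs no network, no real chroots and no root.
# Only CERTPATH mirrors the real script; the function names are assumptions.

CERTPATH=/etc/ssl/certs/debian-edu-server.crt

# needs_cert ROOT: succeed when ROOT ("/" for the host, or an LTSP chroot)
# runs nslcd against the Debian Edu certificate but does not have it yet.
# Evaluating this once globally, as the buggy version did, skips any chroot
# created or regenerated after the host already has the certificate.
needs_cert() {
    root=$1
    [ -f "$root$CERTPATH" ] && return 1          # already present
    [ -f "$root/etc/nslcd.conf" ] || return 1    # not an nslcd client (e.g. image dir)
    if grep -q "$CERTPATH" "$root/etc/nslcd.conf"; then
        return 0
    fi
    return 1
}

# pem_ok FILE: refuse to install an empty file or a download that is not a
# certificate (for example an HTTP error page saved by curl without -f).
pem_ok() {
    [ -s "$1" ] || return 1
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        return 0
    fi
    return 1
}

# install_cert SRC ROOT: copy SRC into ROOT only when needs_cert says it is
# needed and SRC passes pem_ok. Succeeds only when a copy was actually made.
install_cert() {
    src=$1
    root=$2
    needs_cert "$root" || return 1
    pem_ok "$src" || return 1
    mkdir -p "$root/etc/ssl/certs"
    cp "$src" "$root$CERTPATH"
    chmod 644 "$root$CERTPATH"
    echo "installed $root"
}

# sync_targets SRC HOSTROOT LTSPDIR: apply install_cert to the host root and
# to every directory directly under LTSPDIR (the /opt/ltsp equivalent).
# Prints how many targets were updated and always returns 0.
sync_targets() {
    count=0
    if install_cert "$1" "$2" >/dev/null; then
        count=$((count + 1))
    fi
    if [ -d "$3" ]; then
        for dir in "$3"/*/; do
            [ -d "$dir" ] || continue
            if install_cert "$1" "${dir%/}" >/dev/null; then
                count=$((count + 1))
            fi
        done
    fi
    echo "$count"
    return 0
}

# demo: build a constructed tree (host, one chroot missing the certificate,
# one that already has it, one directory that is not a chroot) and sync twice.
demo() {
    top=$(mktemp -d)
    mkdir -p "$top/host/etc" "$top/ltsp/amd64/etc" \
             "$top/ltsp/i386/etc/ssl/certs" "$top/ltsp/images"
    printf 'tls_cacertfile %s\n' "$CERTPATH" > "$top/host/etc/nslcd.conf"
    cp "$top/host/etc/nslcd.conf" "$top/ltsp/amd64/etc/nslcd.conf"
    cp "$top/host/etc/nslcd.conf" "$top/ltsp/i386/etc/nslcd.conf"
    # Constructed placeholder certificate, not real PEM data.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructed' \
        '-----END CERTIFICATE-----' > "$top/fetched.crt"
    cp "$top/fetched.crt" "$top/ltsp/i386$CERTPATH"
    first=$(sync_targets "$top/fetched.crt" "$top/host" "$top/ltsp")
    second=$(sync_targets "$top/fetched.crt" "$top/host" "$top/ltsp")
    rm -rf "$top"
    echo "first run installed $first target(s), second run $second"
}

demo
```

The host and each chroot are evaluated separately by `needs_cert`, so a chroot regenerated later is picked up on the next run even though the host already has its copy, and a directory without an nslcd.conf (such as a SquashFS image directory) is skipped. `pem_ok` is the sanity check the script performs with `grep -q CERTIFICATE` before a downloaded file is trusted.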
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.10.67

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934380@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Aug 2019 16:20:50 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.67
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 934380
Changes:
 debian-edu-config (2.10.67) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
     - Use independent conditions to make sure that the LDAP server certificate
       is only downloaded once for both host and LTSP chroot.
     - Add code to validate the LDAP server certificate in case the Debian Edu
       RootCA certificate is available for download.
 .
   [ Mike Gabriel ]
   * Code review debian-edu-config.fetch-ldap-cert:
     - White-space-only change: Fix broken and inconsistent indentations.
     - Fully inline-document fetch-ldap-cert script.
     - Add "-f" option to all curl calls that don't have it set so far.
       This assures that curl bails out with a non-zero exit code, if anything
       goes wrong while retrieving certificate files.
     - Also report a successful certificate verification if we verified the
       LDAP server certificate using the Debian Edu RootCA.
     - Really check that the LDAP server uses a certificate issued by the
       "Debian Edu RootCA", not just by (some) "RootCA".
     - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
     - LTSP chroot certificate copying: only log those actions, if they are
       actually about to happen.
     - Silence curl stderr and gnutls-cli stdout+stderr.
     - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
       CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
       This will lead to repetitive downloads of the CERTFILE on system boot.
       To get rid of this, people must upgrade their TJENERs from Debian Edu
       10.0 to 10.1. Then it will stop. This hack is necessary to assure
       distribution of the RootCA to all clients that don't have it, yet.
     - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
       copying from chroot copying of the CERTFILE. The chroot may have the
       CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
       path from Debian Edu 10.0 to Debian Edu 10.1.
     - Do a simple validity check if a directory under /opt/ltsp really is
       a chroot (and e.g. not the SquashFS images' directory).
Checksums-Sha1:
 3bd8da91b4e9c3dbdf61e357dcd12b0516398229 1918 debian-edu-config_2.10.67.dsc
 a54a2cfe07829975ee8a258e0afd44dbc9987531 344664 debian-edu-config_2.10.67.tar.xz
 87e735f6f2a8996b3852873742505b4e7515de69 5276 debian-edu-config_2.10.67_source.buildinfo
Checksums-Sha256:
 3b45bbe47a91000f13d4420d98a047f46b41e4b2758aa58b8bfe9235ddd94d41 1918 debian-edu-config_2.10.67.dsc
 7fd13aeeae687972269ad4a60dba3bb4671cd12d5e519965432d1774af28c76e 344664 debian-edu-config_2.10.67.tar.xz
 8df1a4f64d14c95622890593615d0675168ebd0c5590221940a6c820fc47b18b 5276 debian-edu-config_2.10.67_source.buildinfo
Files:
 a842b5853927c469bee3ce05a7878108 1918 misc optional debian-edu-config_2.10.67.dsc
 eed77fc54f4b09e828205c5a336ba81c 344664 misc optional debian-edu-config_2.10.67.tar.xz
 376de7c334d73b18d454c847e2de0acd 5276 misc optional debian-edu-config_2.10.67_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
