On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote: > > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn of > > Apache2 and you won't get the 404 and curl | grep ends in some untested > > realm). > > Good point; this should definitly be improved. See my proposal in the revised fetch-ldap-cert script, also attached. > > Furthermore, you operate on the bundle certificate file still for > > buster<->buster setups. > > > > Have you tested with distributing just the rootCA file to the clients? > > Yes, works like expected. But then, one more change needs to get into > 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it > won't be easy to handle this change upon upgrades. The complete diff for all required changes (also for upgrading), fetch script included. Don't know if this is suitable for 10.1, though:
diff --git a/cf3/cf.finalize b/cf3/cf.finalize
index 5f3ee1b9..a4185128 100644
--- a/cf3/cf.finalize
+++ b/cf3/cf.finalize
@@ -66,6 +66,8 @@ files:
       copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
     "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt"
       copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
+    "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt"
+      copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
 commands:
@@ -124,12 +126,21 @@ commands:
 # Adjust certificate rights to make them accessible.
+  debian.server.installation::
+
+    "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt"
+      contain => in_shell;
+
   debian.ltspclient.installation::
     "/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt"
       contain => in_shell;
+    "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt"
+      contain => in_shell;
     "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt"
       contain => in_shell;
+    "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt"
+      contain => in_shell;
 # Note that 'ltsp-update-image --config-nbd' is needed to generate the image and
 # to configure NBD; adjust rights to make the image available for the NBD server.
diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds
index 716ed817..671459af 100644
--- a/cf3/cf.workarounds
+++ b/cf3/cf.workarounds
@@ -33,6 +33,12 @@ files:
       link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"),
       move_obstructions => "true";
+  # Provide Debian Edu RootCA pub key as download.
+
+  debian.server.installation::
+    "/etc/debian-edu/www/Debian-Edu_rootCA.crt"
+      copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
+
 commands:
   debian.xfce.(ltspclient|ltspserver).installation::
diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..1ee84443 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
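Review bot: Publication of the root CA on the server is now spread over three places — the `copy_from` to `/etc/debian-edu/www/Debian-Edu_rootCA.crt` in this cf.workarounds hunk, the `chmod 0644` under `debian.server.installation::` in the cf.finalize hunk above, and the `cp`/`chmod 644` added to create-debian-edu-certs further down — so the three can drift apart; one owner (either the cfengine rule or the cert script) would be easier to keep correct. The comment also calls the file a "pub key" although it is a CA certificate; `# Provide the Debian Edu root CA certificate for download.` describes what the rule does. Serving it world-readable is fine, the certificate carries only public data.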
@@ -23,14 +23,15 @@ set -e
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
         if [ -z "$LDAPSERVER" ] ; then
             msg="Failed to locate LDAP server"
             log_action_begin_msg "$msg"
@@ -39,18 +40,43 @@ do_start() {
             return 1
         fi
         [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-        if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-            gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+            if curl -sfk --head -o /dev/null https://www.intern ; then
+                if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+                    grep -q CERTIFICATE $ROOTCACRT ; then
+                    gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
+                else
+                    rm -f $ROOTCACRT
+                    if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+                        grep -q CERTIFICATE $BUNDLECRT ; then
+                        gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+                        logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+                    else
+                        rm -f $BUNDLECRT
+                        logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
+                    fi
+                fi
+            else
+                log_action_end_msg 1
+                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
+                ERROR=true
+            fi
         else
             /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
             chmod 644 $CERTFILE.new
+            logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
         fi
         if test -s $CERTFILE.new ; then
             mv $CERTFILE.new $CERTFILE
             [ "$VERBOSE" != no ] && log_action_end_msg 0
-            logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+            if [ -f $BUNDLECRT ] ; then
+                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+            else
+                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+            fi
         else
-            rm $CERTFILE.new
+            rm -f $CERTFILE.new
             log_action_end_msg 1
             logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
             ERROR=true
@@ -64,10 +90,24 @@ do_start() {
                 log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
                 if test -s $CERTFILE; then
                     cp $CERTFILE $ltsp_chroot$CERTFILE
+                    [ "$VERBOSE" != no ] && log_action_end_msg 0
+                else
+                    log_action_end_msg 1
+                    ERROR=true
+                fi
+                log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+                if test -s $ROOTCACRT; then
+                    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
                     [ "$VERBOSE" != no ] && log_action_end_msg 0
                 else
+                    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+                    if test -s $BUNDLECRT; then
+                        cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+                        [ "$VERBOSE" != no ] && log_action_end_msg 0
+                    else
                     log_action_end_msg 1
                     ERROR=true
+                    fi
                 fi
             fi
         done
@@ -76,16 +116,9 @@ do_start() {
         return 1
     fi
 }
-
 case "$1" in
     start)
-        # do absolutely nothing, if this host is already "attached" to
-        # a Debian Edu network
-        if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-            :
-        else
-            do_start
-        fi
+        do_start
         ;;
     stop)
         ;;
diff --git a/share/debian-edu-config/tools/create-debian-edu-certs b/share/debian-edu-config/tools/create-debian-edu-certs
index 346f0bf4..93f345cf 100755
--- a/share/debian-edu-config/tools/create-debian-edu-certs
+++ b/share/debian-edu-config/tools/create-debian-edu-certs
@@ -72,7 +72,9 @@ generate() {
     # available via web-server.
     cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
     cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+    cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www
     chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
+    chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt
     logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
 }
Wolfgang
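Review bot: The CA file that every later gnutls-cli verification trusts is itself fetched with `curl -k`, i.e. with TLS verification off, and `grep -q CERTIFICATE` only confirms PEM framing, so this step is trust-on-first-use against www.intern; that is unavoidable when no trust anchor is pre-shared, but it needs a comment at the fetch (e.g. `# Bootstrap: the CA is accepted unauthenticated; later fetches are verified against it.`) because the "Fetched and verified" log line further down suggests more. The `grep RootCA` that selects the new path has no `-q`, so the matching line goes to stdout on every start; `grep -q RootCA` keeps the exit status and drops the noise. If gnutls-cli exits non-zero (for instance when the chain does not verify against the fetched CA), `set -e` ends the script before the `rm -f $CERTFILE.new` branch is reached, so whatever `--save-cert` may already have written stays on disk; `gnutls-cli ... < /dev/null || rm -f $CERTFILE.new` lets the common `test -s` check report the failure instead. The "verified" wording also keys off `[ -f $BUNDLECRT ]`, which is false on the rootCA path although gnutls-cli did verify there, and true when a bundle from an earlier run is still present; a flag set next to the gnutls-cli call would be accurate.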
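Review bot: In the chroot loop the new `log_action_begin_msg "Copying Debian Edu rootCA certificate ..."` is never closed when `$ROOTCACRT` is missing — the else branch opens a second begin message for the bundle, so the rootCA line is left dangling in the LSB output — and unlike its siblings this begin is not gated on `$VERBOSE`. Choosing the source file first and then running a single begin/copy/end sequence keeps the messages balanced and the ERROR handling in one place. The `done` closing the for loop is inside the hunk, but the enclosing `do_start()` ends outside it.
```shell
                # … unchanged: "Copying LDAP SSL certificate" block …
                # Prefer the root CA; fall back to the bundle when only that was fetched.
                if test -s $ROOTCACRT; then
                    cacert=$ROOTCACRT
                    msg="Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
                else
                    cacert=$BUNDLECRT
                    msg="Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
                fi
                [ "$VERBOSE" != no ] && log_action_begin_msg "$msg"
                if test -s $cacert; then
                    cp $cacert $ltsp_chroot$cacert
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_end_msg 1
                    ERROR=true
                fi
```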
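#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#  Start before krb5-kdc to give slapd time to become operational
#  before krb5-kdc try to connect to the LDAP server as a workaround
#  for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09
#
# Fetches the LDAP server certificate once, on a host that is not yet
# "attached" to a Debian Edu network (no $CERTFILE present), and mirrors
# it together with the CA it was checked against into every LTSP chroot
# whose nslcd.conf refers to it.  Any command failure not handled below
# aborts the script (set -e); the helpers therefore report problems via
# $ERROR and always return 0 themselves.

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt

# fetch_verified_cert CAFILE
#
# Save the certificate presented by $LDAPSERVER to $CERTFILE.new after
# gnutls-cli verified its chain against CAFILE, and record that in
# $verified.  On failure the output file is removed so an unverified
# certificate can never be promoted to $CERTFILE; the failure is then
# reported by the "test -s" check in do_start.  Always returns 0.
fetch_verified_cert() {
    cafile=$1
    if gnutls-cli --x509cafile "$cafile" --save-cert="$CERTFILE.new" "$LDAPSERVER" < /dev/null ; then
        verified=true
    else
        rm -f "$CERTFILE.new"
    fi
    return 0
}

# copy_to_chroot FILE CHROOT MESSAGE
#
# Copy FILE to the same path below CHROOT, wrapped in the LSB begin/end
# messages for MESSAGE (the begin line is shown only when $VERBOSE is
# not "no", as for the other actions).  A missing or empty FILE ends the
# action with a failure mark and sets ERROR.  Always returns 0.
copy_to_chroot() {
    src=$1
    chroot_dir=$2
    action=$3
    [ "$VERBOSE" != no ] && log_action_begin_msg "$action"
    if test -s "$src" ; then
        cp "$src" "$chroot_dir$src"
        [ "$VERBOSE" != no ] && log_action_end_msg 0
    else
        log_action_end_msg 1
        ERROR=true
    fi
    return 0
}

# Fetch the LDAP server certificate (verified against the CA the server
# publishes, where there is one) and distribute it to the LTSP chroots.
# Returns 1 if the server could not be located or any fetch/copy failed.
do_start() {
    # Locate LDAP server
    LDAPSERVER=$(debian-edu-ldapserver)
    LDAPPORT=636 # ldaps
    ERROR=false
    # Set by fetch_verified_cert; selects the wording of the final log line.
    verified=false
    if [ ! -f "$CERTFILE" ] && [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # A server whose ldaps chain mentions the Debian Edu root CA
        # publishes that CA on www.intern.  Only the exit status matters,
        # -q keeps the matching line off stdout.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q RootCA ; then
            if curl -sfk --head -o /dev/null https://www.intern ; then
                # Bootstrap step: no trust anchor is pre-shared, so the CA
                # itself is fetched with TLS verification off (-k) and the
                # grep only confirms PEM framing.  Everything after this
                # point is verified against the file accepted here.
                if curl -k https://www.intern/Debian-Edu_rootCA.crt > "$ROOTCACRT" && \
                    grep -q CERTIFICATE "$ROOTCACRT" ; then
                    fetch_verified_cert "$ROOTCACRT"
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                else
                    # Servers that only publish the bundle: use that as CA file.
                    rm -f "$ROOTCACRT"
                    if curl -k https://www.intern/debian-edu-bundle.crt > "$BUNDLECRT" && \
                        grep -q CERTIFICATE "$BUNDLECRT" ; then
                        fetch_verified_cert "$BUNDLECRT"
                        logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                    else
                        rm -f "$BUNDLECRT"
                        logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                    fi
                fi
            else
                # No end-of-action message here: the common "test -s" check
                # below closes the "Fetching ..." line exactly once.
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
                ERROR=true
            fi
        else
            # Pre-Buster server: no CA is published, so the certificate the
            # server hands out is taken as is (unverified).
            if /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new" ; then
                logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
            else
                rm -f "$CERTFILE.new"
            fi
        fi
        if test -s "$CERTFILE.new" ; then
            # Public data; readable for nslcd and for the chroot copies
            # regardless of the umask gnutls-cli ran under.
            chmod 644 "$CERTFILE.new"
            mv "$CERTFILE.new" "$CERTFILE"
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            if $verified ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f "$CERTFILE.new"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d); do
            if [ ! -f "$ltsp_chroot$CERTFILE" ] && [ -f "$ltsp_chroot/etc/nslcd.conf" ] &&
                grep -q /etc/ssl/certs/debian-edu-server.crt "$ltsp_chroot/etc/nslcd.conf" ; then
                copy_to_chroot "$CERTFILE" "$ltsp_chroot" \
                    "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
                # Prefer the root CA; fall back to the bundle when only
                # that was fetched.
                if test -s "$ROOTCACRT" ; then
                    copy_to_chroot "$ROOTCACRT" "$ltsp_chroot" \
                        "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
                else
                    copy_to_chroot "$BUNDLECRT" "$ltsp_chroot" \
                        "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        ;;
    restart|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 2
esac

exit 0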