
Re: Bug#931413: [debian-edu-commits] [Git][debian-edu/debian-edu-config][master] debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server...



On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote:
> > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off
> > Apache2 and you won't get the 404 and curl | grep ends in some untested
> > realm).
> 
> Good point; this should definitely be improved.

See my proposal in the revised fetch-ldap-cert script, also attached.
 
> > Furthermore, you operate on the bundle certificate file still for
> > buster<->buster setups.
> > 
> > Have you tested with distributing just the rootCA file to the clients?
> 
> Yes, works like expected. But then, one more change needs to get into 
> 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it 
> won't be easy to handle this change upon upgrades.

The complete diff for all required changes (also for upgrading), fetch 
script included. Don't know if this is suitable for 10.1, though:

diff --git a/cf3/cf.finalize b/cf3/cf.finalize
index 5f3ee1b9..a4185128 100644
--- a/cf3/cf.finalize
+++ b/cf3/cf.finalize
@@ -66,6 +66,8 @@ files:
     copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt");
     "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt"
     copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt");
+    "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt"
+    copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
 
 commands:
 
@@ -124,12 +126,21 @@ commands:
 
   # Adjust certificate rights to make them accessible.
 
+  debian.server.installation::
+
+    "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt"
+      contain => in_shell;
+
   debian.ltspclient.installation::
 
     "/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt"
       contain => in_shell;
+    "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt"
+      contain => in_shell;
     "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt"
       contain => in_shell;
+    "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt"
+      contain => in_shell;
 
   # Note that 'ltsp-update-image --config-nbd' is needed to generate the image and
   # to configure NBD; adjust rights to make the image available for the NBD server.
diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds
index 716ed817..671459af 100644
--- a/cf3/cf.workarounds
+++ b/cf3/cf.workarounds
@@ -33,6 +33,12 @@ files:
       link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"),
       move_obstructions => "true";
 
+  # Provide Debian Edu RootCA pub key as download.
+
+  debian.server.installation::
+    "/etc/debian-edu/www/Debian-Edu_rootCA.crt"
+    copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt");
+
 commands:
 
   debian.xfce.(ltspclient|ltspserver).installation::
diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..1ee84443 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
 
 CERTFILE=/etc/ssl/certs/debian-edu-server.crt
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 
 do_start() {
     # Locate LDAP server
     LDAPSERVER=$(debian-edu-ldapserver)
-
+    LDAPPORT=636 # ldaps
     ERROR=false
-    if [ -f /etc/nslcd.conf ] &&
-       grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+    if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 	if [ -z "$LDAPSERVER" ] ; then
 	    msg="Failed to locate LDAP server"
 	    log_action_begin_msg "$msg"
@@ -39,18 +40,43 @@ do_start() {
 	    return 1
 	fi
 	[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-	if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
-	    gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+	if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+	    if curl -sfk --head -o /dev/null https://www.intern ; then
+		if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+		    grep -q CERTIFICATE $ROOTCACRT ; then
+			gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+			logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
+		    else
+			rm -f $ROOTCACRT
+			if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+			    grep -q CERTIFICATE $BUNDLECRT ; then
+				gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+				logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+		else
+		    rm -f $BUNDLECRT
+		    logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
+		fi
+	    fi
+	    else
+		log_action_end_msg 1
+		logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
+	        ERROR=true
+	    fi
 	else
 	    /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
 	    chmod 644 $CERTFILE.new
+	    logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
 	fi
 	if test -s $CERTFILE.new ; then
 	    mv $CERTFILE.new $CERTFILE
 	    [ "$VERBOSE" != no ] && log_action_end_msg 0
-	    logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    if [ -f $BUNDLECRT ] ; then
+	        logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+	    else
+	        logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+	    fi
 	else
-	    rm $CERTFILE.new
+	    rm -f $CERTFILE.new
 	    log_action_end_msg 1
 	    logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
 	    ERROR=true
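Review bot: Neither added `gnutls-cli --x509cafile ... --save-cert=$CERTFILE.new $LDAPSERVER` call checks its exit status, and the hunk header shows the file runs under `set -e`, so a failed handshake or verification aborts do_start without a log entry and can leave `$CERTFILE.new` on disk (gnutls-cli appears to write `--save-cert` before the verification result is known, so the file's presence is not proof of verification — confirm). Check it explicitly, `if ! gnutls-cli --x509cafile "$ROOTCACRT" --save-cert="$CERTFILE.new" "$LDAPSERVER" </dev/null; then rm -f "$CERTFILE.new"; fi`, and `rm -f "$CERTFILE.new"` before the fetch so the later `test -s` cannot promote a leftover from an interrupted run. The `[ -f $BUNDLECRT ]` test choosing the "Fetched and verified" log line misses the new root-CA path; `if [ -f $ROOTCACRT ] || [ -f $BUNDLECRT ]` reflects what was verified. The s_client probe should use `grep -q RootCA` so the matched line does not land on the console. do_start continues outside the hunk.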
@@ -64,10 +90,24 @@ do_start() {
 		log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
 		if test -s $CERTFILE; then
 		    cp $CERTFILE $ltsp_chroot$CERTFILE
+		[ "$VERBOSE" != no ] && log_action_end_msg 0
+		else
+		    log_action_end_msg 1
+		    ERROR=true
+		fi
+		log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+		if test -s $ROOTCACRT; then
+		    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
 		    [ "$VERBOSE" != no ] && log_action_end_msg 0
 		else
+		    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+		    if test -s $BUNDLECRT; then
+			cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+			[ "$VERBOSE" != no ] && log_action_end_msg 0
+		    else
 		    log_action_end_msg 1
 		    ERROR=true
+		    fi
 		fi
 	    fi
 	done
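Review bot: The innermost `else` after `if test -s $BUNDLECRT` sets `log_action_end_msg 1` and `ERROR=true` when neither CA file exists, so a host served by a pre-Buster TJENER — where the previous hunk's `ldap-server-getcert` branch leaves neither `$ROOTCACRT` nor `$BUNDLECRT` — now has the chroot step flagged as failed and do_start returning 1 although `$CERTFILE` itself was copied; if no CA is available, skipping the CA copy rather than recording an error seems closer to the intent (please confirm). The new `log_action_begin_msg "Copying Debian Edu rootCA certificate ..."` is not gated by `[ "$VERBOSE" != no ]` like the neighbouring begin/end calls, so it prints in quiet mode. The `[ "$VERBOSE" != no ] && log_action_end_msg 0` line moved into the first `if` is indented one level short of its block, which hides which `if` it belongs to. The enclosing for loop and do_start continue outside the hunk.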
@@ -76,16 +116,9 @@ do_start() {
 	return 1
     fi
 }
-
 case "$1" in
     start)
-	# do absolutely nothing, if this host is already "attached" to
-	# a Debian Edu network
-	if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
-	    :
-	else
-	    do_start
-	fi
+	do_start
 	;;
     stop)
 	;;
diff --git a/share/debian-edu-config/tools/create-debian-edu-certs b/share/debian-edu-config/tools/create-debian-edu-certs
index 346f0bf4..93f345cf 100755
--- a/share/debian-edu-config/tools/create-debian-edu-certs
+++ b/share/debian-edu-config/tools/create-debian-edu-certs
@@ -72,7 +72,9 @@ generate() {
     # available via web-server.
     cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www
     cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www
+    cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www
     chmod 644 /etc/debian-edu/www/debian-edu-bundle.*
+    chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt
     logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
 }
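Review bot: The unchanged logger line `Certs with both .crt and .pem extension made available in /etc/debian-edu/www.` no longer describes what the function publishes, since the root CA is copied as `.crt` only (which is exactly the name the fetch script downloads). Either add a `.pem` copy mirroring the bundle lines above or reword it, e.g. `logger -t create-debian-edu-certs "Bundle (.crt/.pem) and Debian-Edu_rootCA.crt made available in /etc/debian-edu/www."`. The new `cp` has no existence guard, so on a host where `/etc/ssl/certs/Debian-Edu_rootCA.crt` is absent the copy fails before the chmod lines; whether generate() guarantees that file by this point cannot be seen here, as its start is outside the hunk.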
 


Wolfgang
#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09

# Abort on the first unchecked failing command.
set -e

# LSB helpers: provides log_action_begin_msg / log_action_end_msg used for
# console output below.
. /lib/lsb/init-functions

# Where the fetched LDAP server certificate is installed; the script only
# acts when /etc/nslcd.conf references this path.
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
# Certificate bundle downloaded from www.intern, used as the CA file for
# verifying the LDAP certificate when no separate root CA is published.
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
# Debian Edu root CA downloaded from www.intern; the preferred CA file for
# verifying the LDAP server certificate.
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt

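# 'local' is not POSIX but is provided by dash and bash (Debian policy 10.4
# permits it in /bin/sh scripts).

#######################################
# Download a PEM certificate from the Debian Edu web server.
# Arguments: $1 - URL to fetch
#            $2 - destination path
# Returns:   0 only when the request succeeded and the file parses as an
#            X.509 certificate; otherwise the partial/invalid file is
#            removed and 1 is returned.
#######################################
fetch_www_cert() {
    local url dest
    url=$1
    dest=$2
    # -k: there is no CA to verify www.intern against yet -- this download
    #     is the trust bootstrap, so whoever can answer for www.intern on
    #     the network decides which CA the LDAP certificate is checked
    #     against.  -f: an HTTP error (e.g. 404) fails the command instead
    #     of leaving an HTML error page on disk; -s keeps the progress
    #     meter off the console.
    if curl -sfk -o "$dest" "$url" \
        && grep -q CERTIFICATE "$dest" \
        && openssl x509 -noout -in "$dest" >/dev/null 2>&1 ; then
        return 0
    fi
    rm -f "$dest"
    return 1
}

#######################################
# Fetch the LDAP server's certificate and verify it against a CA file.
# Arguments: $1 - CA file handed to gnutls-cli via --x509cafile
# Globals:   LDAPSERVER, CERTFILE (read)
# Returns:   0 with the verified certificate left in $CERTFILE.new.
#            On a non-zero exit from gnutls-cli any file it may already have
#            written is removed so that an unverified certificate can never
#            be promoted to $CERTFILE; without this check 'set -e' would
#            abort the whole script here without a log entry.
#######################################
save_verified_ldap_cert() {
    local cafile
    cafile=$1
    if ! gnutls-cli --x509cafile "$cafile" --save-cert="$CERTFILE.new" \
            "$LDAPSERVER" </dev/null ; then
        rm -f "$CERTFILE.new"
        logger -t fetch-ldap-cert "Verification of the LDAP SSL certificate from $LDAPSERVER against $cafile failed."
        return 1
    fi
    return 0
}

#######################################
# Copy one certificate file into an LTSP chroot, logging via the LSB helpers.
# Arguments: $1 - absolute source path (same path is used inside the chroot)
#            $2 - chroot directory
#            $3 - human-readable name for the log messages
# Globals:   VERBOSE (read)
# Returns:   0 when the file was copied; 1 when the source is missing/empty
#            or cp failed (the failure is logged, the caller records it).
#######################################
copy_cert_to_chroot() {
    local src root what
    src=$1
    root=$2
    what=$3
    [ "$VERBOSE" != no ] && log_action_begin_msg "Copying $what to ltsp-chroot $root "
    if test -s "$src" && cp "$src" "$root$src" ; then
        [ "$VERBOSE" != no ] && log_action_end_msg 0
        return 0
    fi
    log_action_end_msg 1
    return 1
}

#######################################
# Fetch, verify and install the LDAP server certificate, then replicate the
# certificate files into every LTSP chroot whose nslcd.conf uses them.
# Globals:   CERTFILE, BUNDLECRT, ROOTCACRT, VERBOSE (read)
#            LDAPSERVER, LDAPPORT, ERROR, msg (written)
# Returns:   1 if the server lookup failed or any step set ERROR, else 0
#######################################
do_start() {
    local cafile ltsp_chroot
    cafile=
    # Locate LDAP server; a failing lookup is reported below instead of
    # aborting silently under 'set -e'.
    LDAPSERVER=$(debian-edu-ldapserver) || LDAPSERVER=
    LDAPPORT=636 # ldaps
    ERROR=false
    if [ ! -f "$CERTFILE" ] && [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        # A leftover from an interrupted run must not be mistaken for a
        # freshly verified certificate by the 'test -s' further down.
        rm -f "$CERTFILE.new"
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # Heuristic: on a Buster (or later) server the LDAPS handshake output
        # mentions the Debian Edu RootCA; older servers presumably present a
        # certificate without it and are handled by ldap-server-getcert.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q RootCA ; then
            if curl -sfk --head -o /dev/null https://www.intern ; then
                # Prefer the root CA alone; fall back to the full bundle for
                # servers that do not publish the root CA yet.
                if fetch_www_cert https://www.intern/Debian-Edu_rootCA.crt "$ROOTCACRT" ; then
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                    save_verified_ldap_cert "$ROOTCACRT" && cafile=$ROOTCACRT
                elif fetch_www_cert https://www.intern/debian-edu-bundle.crt "$BUNDLECRT" ; then
                    logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                    save_verified_ldap_cert "$BUNDLECRT" && cafile=$BUNDLECRT
                else
                    logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                fi
            else
                # The missing certificate becomes the log_action_end_msg 1
                # and ERROR=true below; only the cause is recorded here.
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
            fi
        else
            # Pre-Buster server: nothing to verify against, the certificate
            # is taken as presented by the server.
            if /usr/share/debian-edu-config/tools/ldap-server-getcert "$LDAPSERVER" > "$CERTFILE.new" ; then
                chmod 644 "$CERTFILE.new"
                logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
            else
                rm -f "$CERTFILE.new"
            fi
        fi
        if test -s "$CERTFILE.new" ; then
            mv "$CERTFILE.new" "$CERTFILE"
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            # 'verified' only when gnutls-cli checked the certificate against
            # a CA file; the pre-Buster path cannot claim that.
            if [ -n "$cafile" ] ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f "$CERTFILE.new"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    if [ -d /opt/ltsp ] ; then
        # One directory per chroot; names are architecture names, so the
        # word-splitting of the find output is harmless here.
        for ltsp_chroot in $(find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d); do
            if [ ! -f "$ltsp_chroot$CERTFILE" ] && [ -f "$ltsp_chroot/etc/nslcd.conf" ] &&
                grep -q /etc/ssl/certs/debian-edu-server.crt "$ltsp_chroot/etc/nslcd.conf" ; then
                copy_cert_to_chroot "$CERTFILE" "$ltsp_chroot" "LDAP SSL certificate" || ERROR=true
                # The CA lets the chroot verify $CERTFILE.  A pre-Buster
                # server provides neither file, which is not a failure.
                if test -s "$ROOTCACRT" ; then
                    copy_cert_to_chroot "$ROOTCACRT" "$ltsp_chroot" "Debian Edu rootCA certificate" || ERROR=true
                elif test -s "$BUNDLECRT" ; then
                    copy_cert_to_chroot "$BUNDLECRT" "$ltsp_chroot" "TLS certificate bundle" || ERROR=true
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
}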
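# Init script entry point: only "start" does work; the other LSB actions are
# accepted as no-ops so that service management tools do not report errors.
case "$1" in
    start)
        do_start
        ;;
    stop|restart|force-reload)
        # Nothing to undo: the fetched certificate stays in place.
        ;;
    *)
        # Usage errors go to stderr; exit 2 is the LSB status for invalid
        # or excess arguments.
        printf 'Usage: %s {start|stop|restart|force-reload}\n' "$0" >&2
        exit 2
        ;;
esac
exit 0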
