On Thu, Jul 25, 2019 at 08:26:22PM +0000, Holger Levsen wrote:
> hi, please include the bug in further mails on this topic
Thanks for the pointer. The missing mails have been quoted in the report
for bug #933183, which tracks the Debian Edu RootCA file issue and was
filed separately because that issue is independent of the fetch-ldap-cert one.
I've adjusted debian-edu-config.fetch-ldap-cert once more to catch all
possible use cases.
(1) If the rootCA file is available for download, this is logged:
Jul 27 12:13:17 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: % Total % Received % Xferd Average Speed Time Time Time Current
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Dload Upload Total Spent Left Speed
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 1411 100 1411 0 0 125k 0 --:--:-- --:--:-- --:--:-- 125k
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Processed 1 CA certificate(s).
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Resolving 'tjener.intern:443'...
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Connecting to '10.0.2.2:443'...
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Certificate type: X.509
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Got a certificate list of 1 certificates.
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Certificate[0] info:
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b474, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-25 12:47:43 UTC', expires `2029-07-22 12:47:43 UTC', pin-sha256="5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g="
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011Public Key ID:
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011#011sha1:7afc6650de5e8f22dde08519347fdfbc2c29717d
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011#011sha256:e5cb1b74672f2ca35121c3fed152955cc936aabc98279f15c8a666546f1c9798
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011Public Key PIN:
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: #011#011pin-sha256:5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g=
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Status: The certificate is trusted.
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Options:
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Handshake was completed
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Simple Client Mode:
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: - Peer has closed the GnuTLS connection
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert: Fetched rootCA certificate from www.intern.
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: done.
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert: Fetched LDAP SSL certificate from tjener.intern.
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 27 12:13:17 am-0800276f4d92 fetch-ldap-cert[10654]: Copying Debian Edu rootCA certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 27 12:13:17 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.
(2) If only the bundle cert is available (updated client, main server
not yet), the log is:
Jul 27 12:28:32 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: % Total % Received % Xferd Average Speed Time Time Time Current
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Dload Upload Total Spent Left Speed
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 296 100 296 0 0 14800 0 --:--:-- --:--:-- --:--:-- 14800
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: % Total % Received % Xferd Average Speed Time Time Time Current
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Dload Upload Total Spent Left Speed
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 3460 100 3460 0 0 211k 0 --:--:-- --:--:-- --:--:-- 211k
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: |<1>| There was a non-CA certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian Edu,OU=Debian Edu RootCA,CN=www.intern,EMAIL=postmaster@postoffice.intern.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Processed 2 CA certificate(s).
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Resolving 'tjener.intern:443'...
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Connecting to '10.0.2.2:443'...
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Certificate type: X.509
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Got a certificate list of 1 certificates.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Certificate[0] info:
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b474, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-25 12:47:43 UTC', expires `2029-07-22 12:47:43 UTC', pin-sha256="5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g="
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011Public Key ID:
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011sha1:7afc6650de5e8f22dde08519347fdfbc2c29717d
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011sha256:e5cb1b74672f2ca35121c3fed152955cc936aabc98279f15c8a666546f1c9798
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011Public Key PIN:
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011pin-sha256:5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g=
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Status: The certificate is trusted.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Options:
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Handshake was completed
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Simple Client Mode:
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Peer has closed the GnuTLS connection
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate from www.intern.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: done.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL certificate from tjener.intern.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Copying Debian Edu rootCA certificate to ltsp-chroot /opt/ltsp/i386 ...Copying TLS certificate bundle to ltsp-chroot /opt/ltsp/i386 ...done.
Jul 27 12:28:32 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.
Jul 27 12:28:39 am-0800276f4d92 nslcd[1058]: [3c9869] <passwd="*"> request denied by validnames option
(3) Pre-Buster main server with Buster client is also caught, as before.
The diff of the script (which is also attached) is now as follows:
diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert
index dfec40da..1ee84443 100755
--- a/debian/debian-edu-config.fetch-ldap-cert
+++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -23,14 +23,15 @@ set -e
CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
do_start() {
# Locate LDAP server
LDAPSERVER=$(debian-edu-ldapserver)
-
+ LDAPPORT=636 # ldaps
ERROR=false
- if [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
+ if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
+ grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
if [ -z "$LDAPSERVER" ] ; then
msg="Failed to locate LDAP server"
log_action_begin_msg "$msg"
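Review bot: the new `[ ! -f $CERTFILE ]` guard turns the whole fetch into a one-shot: once /etc/ssl/certs/debian-edu-server.crt exists, neither the LDAP server certificate nor the root CA file introduced here (`$ROOTCACRT`) is ever fetched again, so a re-keyed main server leaves clients with a stale pinned certificate until someone removes the file by hand. If that is intended (the old guard in the start) case did the same), say so in a comment next to the test; otherwise also test for a missing `$ROOTCACRT`. Minor: the grep still matches the literal path /etc/ssl/certs/debian-edu-server.crt instead of `$CERTFILE`, and the path variables are unquoted in the tests (`[ ! -f "$CERTFILE" ]`).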
@@ -39,18 +40,43 @@ do_start() {
return 1
fi
[ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
- if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then
- gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null
+ if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+ if curl -sfk --head -o /dev/null https://www.intern ; then
+ if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+ grep -q CERTIFICATE $ROOTCACRT ; then
+ gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
+ else
+ rm -f $ROOTCACRT
+ if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+ grep -q CERTIFICATE $BUNDLECRT ; then
+ gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+ logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
+ else
+ rm -f $BUNDLECRT
+ logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
+ fi
+ fi
+ else
+ log_action_end_msg 1
+ logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
+ ERROR=true
+ fi
else
/usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
chmod 644 $CERTFILE.new
+ logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
fi
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+ if [ -f $BUNDLECRT ] ; then
+ logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
+ else
+ logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
+ fi
else
- rm $CERTFILE.new
+ rm -f $CERTFILE.new
log_action_end_msg 1
logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
ERROR=true
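Review bot: both `gnutls-cli ... $LDAPSERVER` calls omit `-p "$LDAPPORT"`, so gnutls-cli connects to its default port 443 while the `openssl s_client` probe just above looked at port 636; the log in case (1) shows exactly that ("Resolving 'tjener.intern:443'"), so the file saved as the LDAP certificate is whatever the web server on tjener presents, not what slapd presents on 636. Pass `-p "$LDAPPORT"` to both calls. Second, the trust anchor is itself downloaded with `curl -k` from www.intern and then used as `--x509cafile` to verify the LDAP certificate, which makes the first run trust-on-first-use: whoever is on the path at that moment can supply their own CA. That may be acceptable for a first boot inside the school network, but it should be stated in a comment, the two real downloads should carry `-f` like the `--head` probe does (without it an HTTP error page lands in `$ROOTCACRT` and only `grep -q CERTIFICATE` stands between it and use as a CA file), and the PEM check should be a real parse such as `openssl x509 -noout -in "$ROOTCACRT"`. Also note that gnutls-cli exits non-zero when peer verification fails, and with `set -e` that aborts do_start before the `test -s $CERTFILE.new` branch can log the failure or set ERROR. Nit: the logger message "maybe the web server down" is missing "is".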
@@ -64,10 +90,24 @@ do_start() {
log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ ERROR=true
+ fi
+ log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+ if test -s $ROOTCACRT; then
+ cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
+ log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
+ if test -s $BUNDLECRT; then
+ cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
+ [ "$VERBOSE" != no ] && log_action_end_msg 0
+ else
log_action_end_msg 1
ERROR=true
+ fi
fi
fi
done
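Review bot: the second `log_action_begin_msg "Copying TLS certificate bundle ..."` is emitted inside the else branch of the rootCA one without that one being closed, which is what produces the run-together line in log (2) above ("Copying Debian Edu rootCA certificate to ltsp-chroot /opt/ltsp/i386 ...Copying TLS certificate bundle to ltsp-chroot /opt/ltsp/i386 ...done."). Pick the source file first and emit one begin/end pair, e.g. `if test -s $ROOTCACRT; then src=$ROOTCACRT; else src=$BUNDLECRT; fi`. The new rootCA begin message is also not gated by `[ "$VERBOSE" != no ]` like the LDAP one above it. And since the whole block still sits inside the unchanged `[ ! -f $ltsp_chroot$CERTFILE ]` condition, a chroot that already has the server certificate never receives the rootCA or bundle file.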
@@ -76,16 +116,9 @@ do_start() {
return 1
fi
}
-
case "$1" in
start)
- # do absolutely nothing, if this host is already "attached" to
- # a Debian Edu network
- if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then
- :
- else
- do_start
- fi
+ do_start
;;
stop)
;;
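Review bot: removing the "do absolutely nothing if already attached" guard means the LTSP chroot loop in do_start now runs on every boot of an attached host (the fetch itself is still skipped through `[ ! -f $CERTFILE ]`), which is presumably the point, so that chroots created after the host was attached pick up the certificate files; say so in the changelog. The removed blank line before `case` is an unrelated whitespace change.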
Attachment: debian-edu-config.fetch-ldap-cert

#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09

set -e

. /lib/lsb/init-functions

CERTFILE=/etc/ssl/certs/debian-edu-server.crt
BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt

do_start() {
    # Locate LDAP server
    LDAPSERVER=$(debian-edu-ldapserver)
    LDAPPORT=636 # ldaps
    ERROR=false
    if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
        grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
        if [ -z "$LDAPSERVER" ] ; then
            msg="Failed to locate LDAP server"
            log_action_begin_msg "$msg"
            log_action_end_msg 1
            logger -t fetch-ldap-cert "$msg."
            return 1
        fi
        [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
        # The LDAP server presents a certificate naming the Debian Edu RootCA:
        # fetch that CA (or, failing that, the older bundle) from www.intern
        # and let gnutls-cli verify the LDAP certificate against it.
        if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
            if curl -sfk --head -o /dev/null https://www.intern ; then
                if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
                    grep -q CERTIFICATE $ROOTCACRT ; then
                    gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
                    logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
                else
                    rm -f $ROOTCACRT
                    if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
                        grep -q CERTIFICATE $BUNDLECRT ; then
                        gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
                        logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
                    else
                        rm -f $BUNDLECRT
                        logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern."
                    fi
                fi
            else
                log_action_end_msg 1
                logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down."
                ERROR=true
            fi
        else
            # Pre-Buster main server: no RootCA, take the certificate as presented.
            /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
            chmod 644 $CERTFILE.new
            logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate."
        fi
        if test -s $CERTFILE.new ; then
            mv $CERTFILE.new $CERTFILE
            [ "$VERBOSE" != no ] && log_action_end_msg 0
            if [ -f $BUNDLECRT ] ; then
                logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
            else
                logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
            fi
        else
            rm -f $CERTFILE.new
            log_action_end_msg 1
            logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
            ERROR=true
        fi
    fi
    # Propagate the certificate files into every LTSP chroot that uses nslcd.
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
            if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
                grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
                [ "$VERBOSE" != no ] &&
                    log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
                if test -s $CERTFILE; then
                    cp $CERTFILE $ltsp_chroot$CERTFILE
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_end_msg 1
                    ERROR=true
                fi
                log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
                if test -s $ROOTCACRT; then
                    cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
                    [ "$VERBOSE" != no ] && log_action_end_msg 0
                else
                    log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot "
                    if test -s $BUNDLECRT; then
                        cp $BUNDLECRT $ltsp_chroot$BUNDLECRT
                        [ "$VERBOSE" != no ] && log_action_end_msg 0
                    else
                        log_action_end_msg 1
                        ERROR=true
                    fi
                fi
            fi
        done
    fi
    if $ERROR; then
        return 1
    fi
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        ;;
    restart|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 2
esac

exit 0
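As an added example (not part of this mail and not code from debian-edu-config), the following Python turns the gnutls-cli records that fetch-ldap-cert writes to syslog, as shown in cases (1) and (2) above, into a post-fetch check an admin could run on a client: it confirms that the hex SPKI SHA-256 and the pin-sha256 printed in the same run agree, compares the pin with one recorded out-of-band, reports the "non-CA certificate in the trusted list" warning and a self-signed subject, and flags that the connection went to port 443 rather than the ldaps port 636 named by the script's LDAPPORT variable. The sample log is copied from case (2); EXPECTED_PIN (taken here from that log) and EXPECTED_PORT are assumed values, not anything the package defines.

```python
"""Consistency checks over the gnutls-cli records logged by fetch-ldap-cert."""
import base64
import re

# Constructed sample: the records the checks need, copied from the case (2)
# log above (syslog renders TAB as #011).
SAMPLE_LOG = """\
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: |<1>| There was a non-CA certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian Edu,OU=Debian Edu RootCA,CN=www.intern,EMAIL=postmaster@postoffice.intern.
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: Resolving 'tjener.intern:443'...
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b474, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-25 12:47:43 UTC', expires `2029-07-22 12:47:43 UTC', pin-sha256="5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g="
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: #011#011sha256:e5cb1b74672f2ca35121c3fed152955cc936aabc98279f15c8a666546f1c9798
Jul 27 12:28:32 am-0800276f4d92 fetch-ldap-cert[1966]: - Status: The certificate is trusted.
"""

# Assumed values: the SPKI pin an admin records out-of-band when the root CA
# is generated on the main server, and the port the script's LDAPPORT names.
EXPECTED_PIN = "5csbdGcvLKNRIcP+0VKVXMk2qryYJ58VyKZmVG8cl5g="
EXPECTED_PORT = 636

_SUBJECT_RE = re.compile(
    r"- subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)', "
    r"serial (?P<serial>0x[0-9a-f]+).*?pin-sha256=\"(?P<pin>[^\"]+)\""
)
_KEYID_RE = re.compile(r"sha256:(?P<hex>[0-9a-f]{64})$")
_RESOLVE_RE = re.compile(r"Resolving '(?P<host>[^:']+):(?P<port>\d+)'")


def pin_from_key_id(hexdigest):
    """gnutls-cli's pin-sha256 is the base64 form of the SPKI SHA-256 it prints as hex."""
    return base64.b64encode(bytes.fromhex(hexdigest)).decode("ascii")


def parse_fetch_log(text):
    """Extract the fields the checks need from syslog lines; missing ones stay None."""
    rec = {"subject": None, "issuer": None, "serial": None, "pin": None,
           "key_id_hex": None, "host": None, "port": None,
           "trusted": False, "non_ca_warning": False}
    for line in text.splitlines():
        if "non-CA certificate in the trusted list" in line:
            rec["non_ca_warning"] = True
        if "Status: The certificate is trusted." in line:
            rec["trusted"] = True
        m = _SUBJECT_RE.search(line)
        if m:
            rec.update(m.groupdict())
        m = _KEYID_RE.search(line)
        if m:
            rec["key_id_hex"] = m.group("hex")
        m = _RESOLVE_RE.search(line)
        if m:
            rec["host"] = m.group("host")
            rec["port"] = int(m.group("port"))
    return rec


def check_fetch(text, expected_pin=EXPECTED_PIN, expected_port=EXPECTED_PORT):
    """Return a list of findings; an empty list means the fetch looks sound."""
    rec = parse_fetch_log(text)
    findings = []
    if not rec["trusted"]:
        findings.append("gnutls-cli did not report the certificate as trusted")
    if rec["non_ca_warning"]:
        findings.append("trust list contains a non-CA certificate")
    if rec["pin"] is None or rec["key_id_hex"] is None:
        findings.append("certificate record incomplete: no pin or key id")
    else:
        # The hex key ID and the pin come from the same run and must agree;
        # a mismatch means the log is garbled or stitched together.
        if pin_from_key_id(rec["key_id_hex"]) != rec["pin"]:
            findings.append("pin-sha256 does not match the printed SPKI SHA-256")
        # The pin is the one value that survives a swapped trust anchor.
        if rec["pin"] != expected_pin:
            findings.append("pin-sha256 differs from the recorded pin: possible CA substitution")
    if rec["subject"] is not None and rec["subject"] == rec["issuer"]:
        findings.append("note: saved certificate is self-signed (subject == issuer)")
    if rec["port"] is not None and rec["port"] != expected_port:
        findings.append("certificate fetched from %s:%d, not port %d"
                        % (rec["host"], rec["port"], expected_port))
    return findings


if __name__ == "__main__":
    for finding in check_fetch(SAMPLE_LOG) or ["no findings"]:
        print(finding)
```

Fed the journal lines of one fetch-ldap-cert run (for example from `journalctl -u fetch-ldap-cert`), an empty result means the pin matched, the record was internally consistent and the connection went to the expected port; on the case (2) log it reports the non-CA warning, the self-signed subject and the port 443 connection.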