Your message dated Mon, 26 Aug 2019 20:45:00 +0000
with message-id <E1i2LrI-000H4I-KP@fasolo.debian.org>
and subject line Bug#933183: fixed in debian-edu-config 2.10.65+deb10u1
has caused the Debian Bug report #933183,
regarding debian-edu-config: should provide Debian Edu RootCA certificate (pub key) for download to improve security
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
933183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: debian-edu-config: should provide Debian Edu RootCA certificate (pub key) for download to improve security
- From: Wolfgang Schweer <w.schweer@gmx.de>
- Date: Sat, 27 Jul 2019 13:22:20 +0200
- Message-id: <20190727112220.GA17213@star>
Package: debian-edu-config
Version: 2.10.65
Severity: important

While working on fixing #931413, Mike Gabriel pointed out that (instead of using a bundled certificate) the Debian Edu RootCA certificate should be used to verify the LDAP SSL certificate. This RootCA file is atm unavailable for download inside the internal Debian Edu network and should be added.

=====================

Quoting the relevant information from the discussion on the Edu mailing list (accidentally those mails were not Cc'd to #931413) just for the sake of completeness:

On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
> On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> > The school I can test this on is currently powered down due to maintenance
> > work on the electric wiring in the building that hosts the server chamber.
> > It's on the list...
>
> do you have an ETA for this?
>
> currently the next point release is planned for August 31 or September
> 7...

We should really get this into 10.1; as the real world test date appears to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu networks with buster and stretch workstations against both buster and pre buster main servers. Everything works like expected; see logs from various scenarios further below to get the picture.

(Compared to my previous version there are a few cosmetic changes, also logging has been improved a bit.)

This is the diff against the current version in Git:

diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..4a4f5585 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert
@@ -27,10 +27,10 @@ BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) - + LDAPPORT=636 # ldaps ERROR=false - if [ -f /etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" 
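Review bot: the new guard `[ ! -f $CERTFILE ]` only tests that the file exists, while the success path in the next hunk tests `test -s $CERTFILE.new`; a zero-length or truncated debian-edu-server.crt left behind by an interrupted run would therefore never be refetched. Using `[ ! -s "$CERTFILE" ]` (quoted, like `"$LDAPSERVER"` a few lines further down) keeps the two tests consistent.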
@@ -39,18 +39,30 @@ do_start() { return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ + grep -v -q 404 $BUNDLECRT ; then + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + rm $BUNDLECRT + logger -t fetch-ldap-cert "Failed to fetch bundle certificate from www.intern." + fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + if [ -f $BUNDLECRT ] ; then + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + else + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." + fi else - rm $CERTFILE.new + rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true 
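Review bot: `grep -v -q 404 $BUNDLECRT` does not detect a failed download: `grep -v` exits 0 as soon as any line of the file lacks the string 404, which holds for every multi-line HTML error page, and since `-f` was dropped from this curl call curl itself also exits 0 on HTTP errors. Keep `curl -f` as in the removed line and treat the file as a certificate only if it contains a complete `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` block. The path selection `openssl s_client ... | grep RootCA` is looser than the intent as well: it matches any line of the s_client output containing that word; matching the `issuer=` line for `OU = Debian Edu RootCA` would pin it to the Debian Edu CA. Finally, s_client and gnutls-cli write their full output to stdout, which is why the scenario (3) log further down is filled with certificate dumps; send that output to /dev/null.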
@@ -64,6 +76,14 @@ do_start() { log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " + if test -s $BUNDLECRT; then + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else log_action_end_msg 1 
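Review bot: the new "Copying TLS certificate bundle" step sets `ERROR=true` whenever `$BUNDLECRT` is missing, but against a pre-Buster main server the `ldap-server-getcert` branch never creates that file, so every LTSP server in such a network would see the service fail. Only attempt (and log) the bundle copy when `test -s $BUNDLECRT` holds, and treat its absence as the normal case.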
@@ -76,16 +96,9 @@ do_start() { return 1 fi } - case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;;

In all test cases the existing certificates have been removed, then 'service fetch-ldap-cert' has been run twice. The logs are from the first run. After the second one I checked that the certificates had not been fetched again. They had stayed untouched. I can also confirm that authentication actually worked afterwards.

(1) stretch workstation against buster main server

Jul 24 14:24:25 ws9mate systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 14:24:25 ws9mate fetch-ldap-cert[2103]: Fetching LDAP SSL certificate....done.
Jul 24 14:24:25 ws9mate fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.
Jul 24 14:24:25 ws9mate systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.

(2) buster workstation against jessie main server

Jul 24 12:57:15 am-080027dbce36 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched pre Buster LDAP server certificate.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert[1998]: Fetching LDAP SSL certificate....done.
Jul 24 12:57:15 am-080027dbce36 fetch-ldap-cert: Fetched LDAP SSL certificate from ldap.intern.
Jul 24 12:57:15 am-080027dbce36 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server.

(3) buster workstation against buster main server

Jul 24 13:20:15 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server...
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Fetching LDAP SSL certificate....
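Review bot: removing the early return from `start)` changes what runs once debian-edu-server.crt exists: previously nothing at all happened, now `do_start` is entered on every start. Make explicit whether the LTSP chroot copy loop later in `do_start` sits inside the new `[ ! -f $CERTFILE ]` branch; if it does not, it now runs on every boot. Either way, carry the deleted comment ("do absolutely nothing, if this host is already attached") over to the new test so the once-only intent stays documented in the script.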
0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: % Total % Received % Xferd Average Speed Time Time Time Current Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Dload Upload Total Spent Left Speed Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 3460 100 3460 0 0 259k 0 --:--:-- --:--:-- --:--:-- 259k Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: |<1>| There was a non-CA certificate in the trusted list: C=NO,ST=Intern,L=Debian Edu Network,O=Debian Edu,OU=Debian Edu RootCA,CN=www.intern,EMAIL=postmaster@postoffice.intern. Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Processed 2 CA certificate(s). Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Resolving 'tjener.intern:443'... Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Connecting to '10.0.2.2:443'... Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate type: X.509 Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Got a certificate list of 1 certificates. 
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Certificate[0] info: Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=" Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key ID: Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70 Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025 Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011Public Key PIN: Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: #011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU= Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Status: The certificate is trusted. Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Options: Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Handshake was completed Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Simple Client Mode: Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: - Peer has closed the GnuTLS connection Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched bundle certificate from www.intern. Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: done. Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert: Fetched and verified LDAP SSL certificate from tjener.intern. 
Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying LDAP SSL certificate to ltsp-chroot /opt/ltsp/i386 ...done. Jul 24 13:20:16 am-0800276f4d92 fetch-ldap-cert[1968]: Copying TLS certificate bundle to ltsp-chroot /opt/ltsp/i386 ...done. Jul 24 13:20:16 am-0800276f4d92 systemd[1]: Started LSB: Fetch LDAP SSL public key from the server. (4) similar to (3) but with the bundle certificate made unavailable (just to check if a failure is reported) Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Starting LSB: Fetch LDAP SSL public key from the server... Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Fetching LDAP SSL certificate.... 0 s:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: i:C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: subject=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: % Total % Received % Xferd Average Speed Time Time Time Current Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Dload Upload Total Spent Left Speed Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #015 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0#015100 296 100 296 0 0 26909 0 --:--:-- --:--:-- --:--:-- 26909 Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** Fatal error: Error in the certificate. Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Processed 0 CA certificate(s). 
Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Resolving 'tjener.intern:443'... Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: Connecting to '10.0.2.2:443'... Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate type: X.509 Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Got a certificate list of 1 certificates. Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Certificate[0] info: Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - subject `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', issuer `EMAIL=postmaster@postoffice.intern,CN=www.intern,OU=Debian Edu RootCA,O=Debian Edu,L=Debian Edu Network,ST=Intern,C=NO', serial 0x535fb6ec31d07546625c3c70ecdebc7504d4b473, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-22 07:57:32 UTC', expires `2029-07-19 07:57:32 UTC', pin-sha256="jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU=" Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key ID: Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011sha1:374487a04ac5ed79838f1e112e49677b11c46e70 Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011sha256:8e51631d4467405ddea3128f1c94b3b3714edc92092fbbe394b3c7226d57f025 Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011Public Key PIN: Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: #011#011pin-sha256:jlFjHURnQF3eoxKPHJSzs3FO3JIJL7vjlLPHIm1X8CU= Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: - Status: The certificate is NOT trusted. The certificate issuer is unknown. Jul 24 13:26:24 am-0800276f4d92 fetch-ldap-cert[2185]: *** PKI verification of server certificate failed... Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Control process exited, code=exited, status=1/FAILURE Jul 24 13:26:24 am-0800276f4d92 systemd[1]: fetch-ldap-cert.service: Failed with result 'exit-code'. 
Jul 24 13:26:24 am-0800276f4d92 systemd[1]: Failed to start LSB: Fetch LDAP SSL public key from the server.

If no one shouts I'll commit the script with a delay of two days...

Wolfgang

--------------------

Hi Wolfgang,

On Wed 24 Jul 2019 16:05:13 CEST, Wolfgang Schweer wrote:

> On Mon, Jul 22, 2019 at 07:38:53PM +0000, Holger Levsen wrote:
> > On Mon, Jul 22, 2019 at 06:32:47PM +0000, Mike Gabriel wrote:
> > > The school I can test this on is currently powered down due to maintenance
> > > work on the electric wiring in the building that hosts the server chamber.
> > > It's on the list...
> >
> > do you have an ETA for this?

I am waiting for the system to come online again fully. The admin teacher at that school has been pinged/pong.

> > currently the next point release is planned for August 31 or September
> > 7...
>
> We should really get this into 10.1; as the real world test date appears

Yes!

> to be uncertain, I've now tested the fetch-ldap-script in two virtual Edu
> networks with buster and stretch workstations against both buster and pre
> buster main servers. Everything works like expected; see logs from various
> scenarios further below to get the picture.

Nice!

> (Compared to my previous version there are a few cosmetic changes, also
> logging has been improved a bit.)

Ok.

> This is the diff against the current version in Git:
>
> diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..4a4f5585 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert
> [...]
> [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ + grep -v -q 404 $BUNDLECRT ; then

WARNING: you dropped the "-f" parameter from curl. Without "-f" curl always exits with exit code 0, we should rather have curl to fail properly on connection problems, DNS problems, etc. Further above, in the removed curl call, I had added the "-f" option especially for better exit result handling.

Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off Apache2 and you won't get the 404 and curl | grep ends in some untested realm).

> + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + rm $BUNDLECRT + logger -t fetch-ldap-cert "Failed to fetch bundle certificate from www.intern." + fi
> [...]

Furthermore, you operate on the bundle certificate file still for buster<->buster setups.

Have you tested with distributing just the rootCA file to the clients?

Greets,
Mike

-------------------

Hi Mike,

thanks for the fast feedback.

On Wed, Jul 24, 2019 at 03:11:11PM +0000, Mike Gabriel wrote:
> I am waiting for the system to come online again fully. The admin teacher at
> that school has been pinged/pong.

Good.

> > + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
> > + grep -v -q 404 $BUNDLECRT ; then
>
> WARNING: you dropped the "-f" parameter from curl. Without "-f" curl always
> exits with exit code 0, we should rather have curl to fail properly on
> connection problems, DNS problems, etc. Further above, in the removed curl
> call, I had added the "-f" option especially for better exit result
> handling.
>
> Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off
> Apache2 and you won't get the 404 and curl | grep ends in some untested
> realm).

Good point; this should definitely be improved.

> Furthermore, you operate on the bundle certificate file still for
> buster<->buster setups.
>
> Have you tested with distributing just the rootCA file to the clients?

Yes, works like expected. But then, one more change needs to get into 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it won't be easy to handle this change upon upgrades. Please correct me if I'm wrong.

Wolfgang

------------------

On Wed, Jul 24, 2019 at 06:41:42PM +0200, Wolfgang Schweer wrote:
> > Capturing curl issues by grepping for a 404 is IMHO incomplete. (Turn off
> > Apache2 and you won't get the 404 and curl | grep ends in some untested
> > realm).
>
> Good point; this should definitely be improved.

See my proposal in the revised fetch-ldap-cert script, also attached.

> > Furthermore, you operate on the bundle certificate file still for
> > buster<->buster setups.
> >
> > Have you tested with distributing just the rootCA file to the clients?
>
> Yes, works like expected. But then, one more change needs to get into
> 10.1 (share/debian-edu-config/tools/create-debian-edu-certs) and it
> won't be easy to handle this change upon upgrades.

The complete diff for all required changes (also for upgrading), fetch script included. Don't know if this is suitable for 10.1, though:

diff --git a/cf3/cf.finalize b/cf3/cf.finalize index 5f3ee1b9..a4185128 100644 --- a/cf3/cf.finalize +++ b/cf3/cf.finalize
@@ -66,6 +66,8 @@ files: copy_from => local_cp("/etc/ssl/certs/debian-edu-server.crt"); "/opt/ltsp/$(default_arch)/etc/ssl/certs/debian-edu-bundle.crt" copy_from => local_cp("/etc/ssl/certs/debian-edu-bundle.crt"); + "/opt/ltsp/$(default_arch)/etc/ssl/certs/Debian-Edu_rootCA.crt" + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt"); commands: @@ -124,12 +126,21 @@ commands: # Adjust certificate rights to make them accessible. + debian.server.installation:: + + "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt" + contain => in_shell; + debian.ltspclient.installation:: "/bin/chmod 0644 /etc/ssl/certs/debian-edu*.crt" contain => in_shell; + "/bin/chmod 0644 /etc/ssl/certs/Debian-Edu_rootCA.crt" + contain => in_shell; "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/debian-edu*.crt" contain => in_shell; + "/bin/chmod 0644 /opt/ltsp/*/etc/ssl/certs/Debian-Edu_rootCA.crt" + contain => in_shell; # Note that 'ltsp-update-image --config-nbd' is needed to generate the image and # to configure NBD; adjust rights to make the image available for the NBD server. diff --git a/cf3/cf.workarounds b/cf3/cf.workarounds index 716ed817..671459af 100644 --- a/cf3/cf.workarounds +++ b/cf3/cf.workarounds @@ -33,6 +33,12 @@ files: link_from => ln_s("/usr/share/debian-edu-config/edu-firefox-nfs"), move_obstructions => "true"; + # Provide Debian Edu RootCA pub key as download. + + debian.server.installation:: + "/etc/debian-edu/www/Debian-Edu_rootCA.crt" + copy_from => local_cp("/etc/ssl/certs/Debian-Edu_rootCA.crt"); + commands: debian.xfce.(ltspclient|ltspserver).installation:: diff --git a/debian/debian-edu-config.fetch-ldap-cert b/debian/debian-edu-config.fetch-ldap-cert index dfec40da..1ee84443 100755 --- a/debian/debian-edu-config.fetch-ldap-cert +++ b/debian/debian-edu-config.fetch-ldap-cert 
@@ -23,14 +23,15 @@ set -e CERTFILE=/etc/ssl/certs/debian-edu-server.crt BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt +ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt do_start() { # Locate LDAP server LDAPSERVER=$(debian-edu-ldapserver) - + LDAPPORT=636 # ldaps ERROR=false - if [ -f /etc/nslcd.conf ] && - grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then + if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] && + grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then if [ -z "$LDAPSERVER" ] ; then msg="Failed to locate LDAP server" log_action_begin_msg "$msg" 
@@ -39,18 +40,43 @@ do_start() { return 1 fi [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate." - if curl -f -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT ; then - gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new ldap.intern < /dev/null + if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then + if curl -sfk --head -o /dev/null https://www.intern ; then + if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \ + grep -q CERTIFICATE $ROOTCACRT ; then + gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern." + else + rm -f $ROOTCACRT + if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \ + grep -q CERTIFICATE $BUNDLECRT ; then + gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null + logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern." + else + rm -f $BUNDLECRT + logger -t fetch-ldap-cert "Failed to fetch certificates from www.intern." + fi + fi + else + log_action_end_msg 1 + logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server down." + ERROR=true + fi else /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new chmod 644 $CERTFILE.new + logger -t fetch-ldap-cert "Fetched pre Buster LDAP server certificate." fi if test -s $CERTFILE.new ; then mv $CERTFILE.new $CERTFILE [ "$VERBOSE" != no ] && log_action_end_msg 0 - logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + if [ -f $BUNDLECRT ] ; then + logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER." + else + logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER." 
+ fi else - rm $CERTFILE.new + rm -f $CERTFILE.new log_action_end_msg 1 logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER." ERROR=true @@ -64,10 +90,24 @@ do_start() { log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot " if test -s $CERTFILE; then cp $CERTFILE $ltsp_chroot$CERTFILE + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else + log_action_end_msg 1 + ERROR=true + fi + log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot " + if test -s $ROOTCACRT; then + cp $ROOTCACRT $ltsp_chroot$ROOTCACRT [ "$VERBOSE" != no ] && log_action_end_msg 0 else + log_action_begin_msg "Copying TLS certificate bundle to ltsp-chroot $ltsp_chroot " + if test -s $BUNDLECRT; then + cp $BUNDLECRT $ltsp_chroot$BUNDLECRT + [ "$VERBOSE" != no ] && log_action_end_msg 0 + else log_action_end_msg 1 ERROR=true + fi fi fi done @@ -76,16 +116,9 @@ do_start() { return 1 fi } - case "$1" in start) - # do absolutely nothing, if this host is already "attached" to - # a Debian Edu network - if [ -e /etc/ssl/certs/debian-edu-server.crt ]; then - : - else - do_start - fi + do_start ;; stop) ;; diff --git a/share/debian-edu-config/tools/create-debian-edu-certs b/share/debian-edu-config/tools/create-debian-edu-certs index 346f0bf4..93f345cf 100755 --- a/share/debian-edu-config/tools/create-debian-edu-certs +++ b/share/debian-edu-config/tools/create-debian-edu-certs @@ -72,7 +72,9 @@ generate() { # available via web-server. cp /etc/ssl/certs/debian-edu-bundle.crt /etc/debian-edu/www cp /etc/ssl/certs/debian-edu-bundle.pem /etc/debian-edu/www + cp /etc/ssl/certs/Debian-Edu_rootCA.crt /etc/debian-edu/www chmod 644 /etc/debian-edu/www/debian-edu-bundle.* + chmod 644 /etc/debian-edu/www/Debian-Edu_rootCA.crt logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www." } WolfgangAttachment: signature.asc
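Review bot: in the cf.finalize `commands:` hunk, the `chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt` under `debian.server.installation::` depends on the copy promise added to cf.workarounds having run first; on an agent pass where the file does not exist yet, the chmod in `in_shell` fails. Giving that copy promise a `perms` body in cf.workarounds removes both the ordering dependency and the extra shell command.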
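Review bot: in the "Fetching LDAP SSL certificate" hunk of fetch-ldap-cert, the final `if [ -f $BUNDLECRT ]` still decides whether to log "Fetched and verified"; on the new RootCA path `$BUNDLECRT` is never created, so a certificate that gnutls-cli did verify against the RootCA is logged as merely "Fetched". Test `$ROOTCACRT` as well. The reachability probe uses `curl -sfk --head`, but both real downloads still use `curl -k` without `-f`, and `grep -q CERTIFICATE` accepts any response that contains the word; keep `-f` and check for a complete PEM block. Because the script runs under `set -e` (context of the first fetch-ldap-cert hunk), a non-zero exit of gnutls-cli aborts the script before the `else` branch logs "Failed to fetch", which is what scenario (4) above shows: systemd reports status=1 but no logger line is written; append `|| true` to the gnutls-cli call or test its result explicitly. The message "maybe the web server down" is also missing "is".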
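Review bot: in the ltsp-chroot hunk, `log_action_begin_msg "Copying Debian Edu rootCA certificate ..."` is followed, in its else branch, by a second `log_action_begin_msg "Copying TLS certificate bundle ..."` without an end message in between, and the innermost else still sets `ERROR=true`, so a pre-Buster network (where neither file exists) fails the service. Begin a message only for a copy that is actually about to happen and let the absence of both files be non-fatal.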
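Review bot: in the create-debian-edu-certs hunk, the logger message at the end of `generate()` still reads "Certs with both .crt and .pem extension made available", but the RootCA is copied only as `.crt`; either also publish a `.pem` variant, if one is generated, or adjust the message so the log matches what is in /etc/debian-edu/www.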
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 933183-close@bugs.debian.org
- Subject: Bug#933183: fixed in debian-edu-config 2.10.65+deb10u1
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Mon, 26 Aug 2019 20:45:00 +0000
- Message-id: <E1i2LrI-000H4I-KP@fasolo.debian.org>
Source: debian-edu-config
Source-Version: 2.10.65+deb10u1

We believe that the bug you reported is fixed in the latest version of debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 933183@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 26 Aug 2019 20:14:26 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.65+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 926933 928756 929964 930122 931366 931413 931680 932828 933183 933580 934380
Changes:
 debian-edu-config (2.10.65+deb10u1) buster; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756)
     - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
       that all DHCP server information is getting through to LTSP clients.
       (LTSP used this option before, but switched to 'ipappend 3' during the
       Buster development cycle to ease setups with ProxyDHCP.)
   * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
     - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
   * Set environment variable to deal with Firefox profile. (Closes: #930122)
     (This is a workaround for bug #930125, preventing firefox-esr startup
     issues if the mozilla profile is on an NFS share.)
     - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
       as content. Thanks to Mike Gabriel for spotting the issue and providing
       this information.
     - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
       to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
   * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
     - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
   * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
     - Remove outdated (and now wrong) logging section.
   * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
     - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
       to changed behaviour of the ifupdown/dhclient/systemd combination and now
       also causes the loss of a dynamically allocated ipv4 IP address after 20
       to 30 minutes after booting.
     - Add code to d/debian-edu-config.postinstall to implement the intended
       hostname update just after rebooting the system after a change.
     - Adjust Makefile.
   * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
     - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
       rootCA file to the web server directory at certificate generation time.
     - Adjust cf3/cf.finalize to care for the rootCA file as well.
     - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
       directory upon main server upgrade.
   * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
     - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
     - cf3/edu.cf: Define new class 'ltspimages'.
     - cf3/cf.finalize: Add code to include the LDAP server certificate for all
       possible use cases, to generate the image and to adjust various rights.
   * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
     - Use independent conditions to make sure that the LDAP server certificate
       is only downloaded once for both host and LTSP chroot. (Closes: #934380)
     - Add code to validate the LDAP server certificate in case the Debian Edu
       RootCA certificate is available for download.
 .
   [ Mike Gabriel ]
   * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
     - Make the script (and with it Debian Edu buster workstations) work in a
       Debian Edu environment where the main server (TJENER) is still on Debian
       Edu 8 or 9. (Closes: #926933)
     - Retrieve TJENER's PKI server certificate only once per host to improve
       security. This re-introduces the behaviour of fetch-ldap-cert in stretch
       and earlier. (Closes: #931413)
   * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
     - White-space-only change: Fix broken and inconsistent indentations.
     - Fully inline-document fetch-ldap-cert script.
     - Add "-f" option to all curl calls that don't have it set so far. This
       assures that curl bails out with a non-zero exit code, if anything goes
       wrong while retrieving certificate files.
     - Also report a successful certificate verification if we verified the
       LDAP server certificate using the Debian Edu RootCA.
     - Really check that the LDAP server uses a certificate issued by the
       "Debian Edu RootCA", not just by (some) "RootCA".
     - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
     - LTSP chroot certificate copying: only log those actions, if they are
       actually about to happen.
     - Silence curl stderr and gnutls-cli stdout+stderr.
     - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
       CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
       This will lead to repetitive downloads of the CERTFILE on system boot.
       To get rid of this, people must upgrade their TJENERs from Debian Edu
       10.0 to 10.1. Then it will stop. This hack is necessary to assure
       distribution of the RootCA to all clients that don't have it, yet.
     - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
       copying from chroot copying of the CERTFILE. The chroot may have the
       CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade path
       from Debian Edu 10.0 to Debian Edu 10.1.
     - Do a simple validity check if a directory under /opt/ltsp really is a
       chroot (and e.g. not the SquashFS images' directory).
Checksums-Sha1:
 b607dc7c6bbebfac539d247d0ed0f44fa21f9aa8 1979 debian-edu-config_2.10.65+deb10u1.dsc
 9dbd2f6629a2582012d38990fa79aca5341c2581 345200 debian-edu-config_2.10.65+deb10u1.tar.xz
 a6c2cdf305c8f044a8bfa713172184e9f9fd738e 6268 debian-edu-config_2.10.65+deb10u1_source.buildinfo
Checksums-Sha256:
 0835ba945745662431a159177d3b523a1282e15a89648b52094a31d8480a0245 1979 debian-edu-config_2.10.65+deb10u1.dsc
 0309a33dbf4c5ee6fe6c41fcb37b189f63c28788f5777237c64fc89d439d3bf8 345200 debian-edu-config_2.10.65+deb10u1.tar.xz
 87c384785f4d80d00083de666a3feff6399f37e7d0bd554f3017923af116d9d6 6268 debian-edu-config_2.10.65+deb10u1_source.buildinfo
Files:
 71346dbd768946f9e70480b6f81fb492 1979 misc optional debian-edu-config_2.10.65+deb10u1.dsc
 49104c49362dc4d406782f6f359aab7b 345200 misc optional debian-edu-config_2.10.65+deb10u1.tar.xz
 63cf6b6c00ba8f68207f7b6bf8165677 6268 misc optional debian-edu-config_2.10.65+deb10u1_source.buildinfo
--- End Message ---
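As an added example (written for this page; it is not code from debian-edu-config nor from either version of the fetch-ldap-cert script above), the POSIX sh functions below show the three checks the review comments and the final changelog converge on, run against constructed input so they work offline: accept a downloaded file only when it holds a complete PEM block (the concern behind the dropped `curl -f` and the `grep -v -q 404` / `grep -q CERTIFICATE` tests), accept the LDAP server only when the `issuer=` line of `openssl s_client` output names the exact OU "Debian Edu RootCA" rather than any issuer that merely contains "RootCA", and select the trust anchor in the order the revised script uses (RootCA file first, bundle as fallback). The function names, the temporary file names and the sample issuer lines are assumptions made for this example; the issuer line format is the one the scenario (3) log above shows.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config. File names, function names
# and all sample data below are constructed for illustration.

# A downloaded file counts as a certificate only if it carries a complete
# PEM block. Without "curl -f" an HTTP error page is saved with exit code 0;
# "grep -q CERTIFICATE" would still accept a page that merely mentions the
# word, and "grep -v -q 404" succeeds as soon as any line lacks "404".
looks_like_pem() {
    f=$1
    [ -s "$f" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$f" || return 1
}

# Decide from "openssl s_client" output (read on stdin) whether the server
# certificate was issued by the exact OU "Debian Edu RootCA". The OU value
# must fill the whole attribute, so "Another RootCA" or "Debian Edu RootCA2"
# are rejected, which a bare "grep RootCA" would not do.
issuer_is_debian_edu_rootca() {
    grep -Eq '^issuer=(.*, )?OU = Debian Edu RootCA(, .*)?$'
}

# Trust-anchor selection mirroring the upgrade path discussed in the thread:
# prefer the RootCA file, fall back to the bundle, fail if neither is usable.
# Prints the chosen path; returns 1 when nothing valid is available.
select_ca_file() {
    rootca=$1
    bundle=$2
    if looks_like_pem "$rootca"; then
        printf '%s\n' "$rootca"
    elif looks_like_pem "$bundle"; then
        printf '%s\n' "$bundle"
    else
        return 1
    fi
}

# Stand-alone demonstration on constructed files (not real certificates).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsampleDATAnotArealCert==' \
        '-----END CERTIFICATE-----' > "$dir/Debian-Edu_rootCA.crt"
    # What a web server's error page looks like when saved as the bundle.
    printf '%s\n' '<html><body>404 Not Found: CERTIFICATE missing</body></html>' \
        > "$dir/debian-edu-bundle.crt"

    if chosen=$(select_ca_file "$dir/Debian-Edu_rootCA.crt" "$dir/debian-edu-bundle.crt"); then
        echo "trust anchor: $chosen"
    fi

    # The issuer line as seen in the thread's logs, then a look-alike.
    if printf '%s\n' 'issuer=C = NO, ST = Intern, L = Debian Edu Network, O = Debian Edu, OU = Debian Edu RootCA, CN = www.intern, emailAddress = postmaster@postoffice.intern' \
        | issuer_is_debian_edu_rootca; then
        echo "issuer check: accepted Debian Edu RootCA"
    fi
    if ! printf '%s\n' 'issuer=C = XX, O = Example, OU = Another RootCA, CN = ldap' \
        | issuer_is_debian_edu_rootca; then
        echo "issuer check: rejected look-alike issuer"
    fi
    rm -rf "$dir"
}

demo
```

In a real run the PEM check would follow `curl -sSfk -o "$ROOTCACRT" https://www.intern/Debian-Edu_rootCA.crt`, and the issuer check would consume `echo | openssl s_client -connect "$LDAPSERVER:636" 2>/dev/null`, the same probe the script already uses. Note that the bootstrap remains trust-on-first-use: `-k` skips verification of www.intern, so the PEM check only catches a malformed download, not a substituted one; it is the RootCA fetched this way that verifies the LDAP server from then on.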