
Bug#951070: debian-edu-config: make Debian-Edu_rootCA available via /etc/ssl/certs/ca-certificates.crt



Hi Wolfgang,

On Fri 14 Feb 2020 11:52:44 CET, Wolfgang Schweer wrote:

On Thu, Feb 13, 2020 at 08:21:27PM +0100, Wolfgang Schweer wrote:
On Wed, Feb 12, 2020 at 08:20:08PM +0100, Wolfgang Schweer wrote:
> On Wed, Feb 12, 2020 at 07:09:21PM +0000, Mike Gabriel wrote:
> > The simpleness of the fetch-ldap-cert version you propose is
> > tempting. But this version will only work against TJENERs that have
> > a Debian-Edu_rootCA.crt exported via www.intern.

Considering...

[Mike]

> This assures that Debian-Edu_rootCA is available in the system-wide CA
> bundle in /etc/ssl/certs/ca-certificates.crt.

> This issue relates to #926388 (let Firefox trust
> /etc/ssl/certs/ca-certificates.crt)

...lets me think that this bug is only fixable for Debian Edu 10 and
higher anyway.

Some more thoughts:

My proposed script could be added as fetch-rootca-cert because that's
what it's all about. The fetch-ldap-cert script would be kept in
bullseye (and retired in bullseye+1 aka bookworm).

Yes. That sounds good.

fetch-rootca- could then go into buster-pu, I guess.

Yes. And it should ignore missing Debian-Edu_rootCA.crt on TJENER (i.e. a TJENER from Debian 10.0 or earlier).

Also, the firefox-esr policies file (already in the master branch)
should be shipped for buster-pu.

Yes.

The policies file makes sure that FF-ESR shows the green padlock also
in case a user changes the password using gosa-desktop (which is the
recommended way to do that). It is actually quite bad to be warned about
a certificate issue and an insecure connection just in this case.

Indeed.

Reason for the gosa-desktop issue: On first call, a new FF profile is
created on the fly.

IMO the additional profile issue can't be solved with the
p11-kit-trust.so method, which is now deprecated in favour of the
policies one, see e.g.:

https://wiki.mozilla.org/CA/AddRootToFirefox

I've tested an appropriately updated d-e-config package both on a buster
10.3 main server and on a buster 10.3 roaming workstation (w/ your fixes
present for that one). Works ok in both cases, green padlocks in all
cases mentioned above.

Great. Please go ahead and push and I will review from there on.

Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
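The fetch-rootca-cert behaviour agreed on above (fetch the root CA from TJENER, accept only a real PEM certificate, treat a missing file as a no-op), written out as an added shell example; this is not the debian-edu-config script. The export URL on www.intern, the local CA directory and the use of update-ca-certificates to rebuild /etc/ssl/certs/ca-certificates.crt are assumptions.

```sh
#!/bin/sh
# Added illustration of fetch-rootca-cert logic, not the debian-edu-config
# script. Assumed: TJENER exports its root CA at ROOTCA_URL (hypothetical
# path) and update-ca-certificates merges files from the local CA
# directory into /etc/ssl/certs/ca-certificates.crt.
ROOTCA_URL="${ROOTCA_URL:-http://www.intern/Debian-Edu_rootCA.crt}"
CA_NAME="Debian-Edu_rootCA.crt"

# Accept only a file holding exactly one PEM certificate block; an HTML
# error page or an empty download must never land in the trust store.
is_pem_cert() {
    [ -s "$1" ] || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" = 1 ] || return 1
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Place a validated certificate $1 into the local CA directory $2.
# Returns 1 (and installs nothing) if $1 is not a PEM certificate.
install_rootca() {
    is_pem_cert "$1" || return 1
    mkdir -p "$2"
    install -m 0644 "$1" "$2/$CA_NAME"
}

# Fetch the CA from TJENER and rebuild the system bundle. A missing file
# on TJENER (Debian 10.0 or earlier) is not an error: exit 0, change nothing.
fetch_rootca() {
    dir="${1:-/usr/local/share/ca-certificates}"
    tmp="$(mktemp)" || return 1
    if ! wget -q -O "$tmp" "$ROOTCA_URL"; then
        rm -f "$tmp"
        return 0
    fi
    if install_rootca "$tmp" "$dir"; then
        rm -f "$tmp"
        update-ca-certificates
    else
        rm -f "$tmp"
        echo "fetch-rootca: $ROOTCA_URL is not a PEM certificate" >&2
        return 1
    fi
}

# Run only when executed as the script itself, not when sourced.
case "$0" in
    *fetch-rootca*) fetch_rootca "$@" ;;
esac
```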
