
Bug#971767: debian-edu-config: Wrong certificate path in Firefox's policies.json file



Hi Wolfgang,

On Wed 07 Oct 2020 10:56:08 CEST, Wolfgang Schweer wrote:

Hi Mike,

[ Mike Gabriel, 2020-10-06 ]
I am currently facing myself with Debian Edu testing/bullseye notebooks
running against a Debian Edu TJENER based on stretch.

I am currently adding the Debian Edu PKI as we have them in buster +
bullseye (rootCA and all that) to the stretch TJENER.

When doing this, I stumbled over this:

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": [
        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
      ]
    },
    "NewTabPage": false,
    "OverrideFirstRunPage": ""
  }
}

However, if I look into /etc/ssl/certs, I only see Debian-Edu_rootCA.pem.

ATM, I don't have a proper test environment. IIRC,
/etc/ssl/certs/Debian-Edu_rootCA.crt should actually exist (see tee
command in /etc/init.d/fetch-root-ca-cert).

I'm just wondering why this failed in your use case.

Wolfgang

I extracted the below test command line from the fetch-rootca-cert script (lines 33ff.):

```
root@tjener:~# https_proxy= curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> /tmp/1 | tee /tmp/2 2>/dev/null

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1395  100  1395    0     0  91553      0 --:--:-- --:--:-- --:--:-- 93000

root@tjener:~# cat /tmp/1
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

root@tjener:~# cat /tmp/2

root@tjener:~#
```

As you see /tmp/1 has the file content while /tmp/2 does not.

However, I don't think that we should fix this command line as that is handled by update-ca-certificates indirectly.

We should rather switch /etc/ssl/certs/Debian-Edu_rootCA.crt to /etc/ssl/certs/Debian-Edu_rootCA.pem (or ca-certificates.crt) in config files that reference our rootCA file.

Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
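
Why `/tmp/2` stays empty in the session above, as an added example that is not part of the original mail or of debian-edu-config: `fake_fetch` is a constructed stand-in for the curl download, and `check_ca_file` is a hypothetical helper that validates a CA file before a config such as policies.json references it.

```shell
#!/bin/sh
# Constructed stand-in for the curl download: PEM-shaped text on stdout.
fake_fetch() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
                  '-----END CERTIFICATE-----'
}

# Shape of the command line from the mail: "1> file" takes stdout away from
# the pipe, so tee reads an empty stream and creates an empty "$2".
redirect_then_pipe() {
    fake_fetch 1> "$1" | tee "$2" 2>/dev/null
}

# tee-first ordering: tee writes "$2" and its own stdout is redirected to "$1".
tee_then_redirect() {
    fake_fetch | tee "$2" > "$1"
}

# Hypothetical helper: succeed only if "$1" exists, is non-empty and holds a
# complete PEM certificate envelope. Prints the reason on failure.
check_ca_file() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    [ -s "$1" ] || { echo "empty: $1"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1" ||
        { echo "no PEM certificate: $1"; return 1; }
}

# Run both orderings in a throwaway directory and report on each result,
# including a path that was never created (the .crt case from the bug).
demo() {
    d=$(mktemp -d) || return 1
    redirect_then_pipe "$d/1" "$d/2"
    tee_then_redirect "$d/3" "$d/4"
    for f in "$d/1" "$d/2" "$d/4" "$d/Debian-Edu_rootCA.crt"; do
        check_ca_file "$f" && echo "ok: $f"
    done
    rm -rf "$d"
}
demo
```
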
