Your message dated Mon, 19 Oct 2020 13:49:27 +0000 with message-id <E1kUVXT-000IUB-SD@fasolo.debian.org> and subject line Bug#971775: fixed in debian-edu-config 2.11.32 has caused the Debian Bug report #971775, regarding debian-edu-config: LOCALCACRT file empty in fetch-rootca-cert init script to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 971775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971775 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: debian-edu-config: LOCALCACRT file empty in fetch-rootca-cert init script
- From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Date: Tue, 06 Oct 2020 22:56:07 +0000
- Message-id: <[🔎] 20201006225607.Horde.INnIrrWNF9_yB_rPuSndCnk@mail.das-netzwerkteam.de>
Package: debian-edu-config Version: 2.11.31 Tags: patchDuring a migration-like scenario (old stretch main server being partially upgraded to a buster-like main server), I made the observations that clients (bullseye systems) that already have the fetch-rootca-cert init script can end up with /usr/local/share/ca-certificates/Debian-Edu_rootCA.crt being an empty file.This happens if the download URL of the rootCA file is not yet a valid URL. In migration scenarios this can easily happen, because the TJENER needs to be manually step-by-step upgraded und one of those steps is providing Debian-Edu_rootCA.crt in /etc/debian-edu/www.If that file is not present in that folder (exported via Apache2), the clients end up with empty rootCA files and never will retry another retrieval.My suggestion to mitigate this is this patch: ```diff --git a/debian/debian-edu-config.fetch-rootca-cert b/debian/debian-edu-config.fetch-rootca-certindex 7f65d3d5..c14bef44 100755 --- a/debian/debian-edu-config.fetch-rootca-cert +++ b/debian/debian-edu-config.fetch-rootca-cert @@ -31,7 +31,7 @@ do_start() { rm -f $BUNDLECRT # RootCA cert retrieval - if [ ! -f $LOCALCACRT ] ; then + if [ ! -f $LOCALCACRT ] || [ -s $LOCALCACRT ]; then # Since Debian Edu 10, the RootCA file is distributed# over http (always via the host serving www.intern, by default: TJENER)# ``` Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.deAttachment: pgpcAW6yPFxL5.pgp
Description: Digitale PGP-Signatur
--- End Message ---
--- Begin Message ---
- To: 971775-close@bugs.debian.org
- Subject: Bug#971775: fixed in debian-edu-config 2.11.32
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 19 Oct 2020 13:49:27 +0000
- Message-id: <E1kUVXT-000IUB-SD@fasolo.debian.org>
- Reply-to: Holger Levsen <holger@debian.org>
Source: debian-edu-config Source-Version: 2.11.32 Done: Holger Levsen <holger@debian.org> We believe that the bug you reported is fixed in the latest version of debian-edu-config, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 971775@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 19 Oct 2020 14:14:47 +0200 Source: debian-edu-config Architecture: source Version: 2.11.32 Distribution: unstable Urgency: medium Maintainer: Debian Edu Developers <debian-edu@lists.debian.org> Changed-By: Holger Levsen <holger@debian.org> Closes: 971767 971775 Changes: debian-edu-config (2.11.32) unstable; urgency=medium . [ Mike Gabriel ] * debian/fetch-rootca-cert: Re-try rootCA retrieval if previous retrievals ended up with an empty Debian-Edu_rootCA.crt file in /usr/local/share/ca-certificates/. (Closes: #971775). . [ Wolfgang Schweer ] * debian/debian-edu-config.fetch-rootca-cert: - Avoid execution on the main server where things are already in place. - Adjust code to let the Debian-Edu_rootCA.crt file show up in the /etc/ssl/certs/ directory more reliably. (Closes: #971767). - Fix logging messages. * debian/control: - Lower Depends on libpam-python to Recommends. This way the src:debian-edu autopkgtest might succeed (until libpam-python3 becomes available). - Adjust Description field. - Use https://blends.debian.org/edu as homepage. * Move from deprecated, unusable Samba NT4-style PDC role to standalone server one to be compatible with OpenLDAP, MIT Kerberos and GOsa²: - Drop all domain related files. - Add code to debian/debian-edu-config.postinst to get those files removed. - Adjust etc/samba/smb-debian-edu.conf accordingly (also with support for non-root user usershares and override file included). - Add share/debian-edu-config/smb.conf.edu-site as override template file. * Re-work LDAP bootstrap and configuration file. - Move entries from ldap-bootstrap/samba.ldif to ldap-bootstrap/gosa.ldif and ldap-bootstrap/root.ldif respectively, now that Samba isn't contained in LDAP anymore. - etc/ldap/slapd-debian-edu.conf: Cleanup from Samba related entries. * share/debian-edu-config/gosa.conf.template: - Remove Samba related tab to prevent it from showing up in the GUI. - Add sambaHashHook="" to prevent Samba password hashes showing up in LDAP for security reasons. * Manage Samba accounts and sambashare group membership using GOsa² hooks. - share/debian-edu-config/tools/gosa-create: Add user to sambashare group. - share/debian-edu-config/tools/gosa-sync: Create a user Samba account and keep Samba and POSIX passwords in sync. - share/debian-edu-config/tools/gosa-lock-user: Also disable Samba account. - share/debian-edu-config/tools/gosa-unlock-user: Also enable Samba account. - share/debian-edu-config/tools/kerberos-kdc-init: Add samba account and - sambashare group membership for the special case 'first user'. * Use Avahi to publish Samba shares in the local network. This will also improve support for macOS using systems: - Add share/debian-edu-config/avahi.smb.service configuration file. - cf3/cf.samba: Conditionally copy the service file to the right place. (Also create the Samba usershares directory with proper rights.) * share/debian-edu-config/tools/edu-ldap-from-scratch: - Adjust to reflect the Samba related changes. * share/debian-edu-config/passwords_stub.dat: - Drop obsolete entries now that icinga2-classicui is gone. Checksums-Sha1: 022c4c41d0d85676325a33b2516448ea46a8f1c6 1926 debian-edu-config_2.11.32.dsc d416d1adb582d80476a7fcb73305a2733a5ab1de 336584 debian-edu-config_2.11.32.tar.xz 84fdc0e3876809dfec7c441c34446a2806d69ebb 5769 debian-edu-config_2.11.32_source.buildinfo Checksums-Sha256: 8c087911d83599bd62a448f8f1595a357336c5050ad5fce1b938962f3efbdde8 1926 debian-edu-config_2.11.32.dsc 15291a800cad6b14f020c545d43f75c31eac1eea4377a0414e6288c88111a18a 336584 debian-edu-config_2.11.32.tar.xz 7e2a01e8944526c2412bea1a23628cdbae55c52ba1cda788d3ea8299be877344 5769 debian-edu-config_2.11.32_source.buildinfo Files: c9fa07e076130d631689af26fee84067 1926 misc optional debian-edu-config_2.11.32.dsc 615ae39ae8f9d3a786c7f978f9bb1bfd 336584 misc optional debian-edu-config_2.11.32.tar.xz 185e257d11138b5c4688d64501a74155 5769 misc optional debian-edu-config_2.11.32_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAl+NhFkACgkQCRq4Vgaa qhzlnw//fnIe0N9PjsPs3QxWFgFoWZbJnhumToCi0fIxqhTKynSSry6i/4aqykTe DuXIY2Zu8/eTUuV335Wqc/oR79G6Z0VJVFFmjUMmZStPp09rYW3RfovNh2RCr8B3 PGw2gWF/7LBfV0Y+0v2c5LIj537aSJ0bFBHC/UsVKr9zEqEvGjND+Oy91oECr+Xh MnUqvEa6BJW5Nqz6QQi5vOlg1ErP8lNPkFbyJ9XYuxnk1vWP5x5uSuW2ZsJJ5dM7 SQt6Q5TcU++zN+6dE7tZYp0bJQNkq05HCkKLtDhpWh2EVT/uHFN0QJ6gdv1dw6gu sN9MG+ensgEN4C+wu/l8e04sOIOxwGE23TtC0cf1dowqQQm2epBYAXZUBG7Dcehc eUlwCzUoT30KogQljlIb58l8Tq+y44XYnVAJAdVri6Z2Mr0iK6NiB5l1Dy+6HJ9B 3ZXfiL5qOIkxc19uhRmbdwBvEcZTg3R3z43ele3P+n2RiuB6iFfEWcq6fBvnFeV0 QA3br4+FNpFxdl1Qt2ilgHnntQi3gm/6p32uD8qOmRbVJhyMCISiKnfX+kGbAS2S yPOjdOPLHqEjdbfOsl31N3ujpO2ho8zy3PpyKfy1/DL/qKkJCX2QiyB+9HO/gP4A ViJDFijrmikIA88oaEtGKu0CIzv0ywFV7Tmlds17k5ivxUHng6M= =8dsX -----END PGP SIGNATURE-----
--- End Message ---