
Bug#971775: marked as done (debian-edu-config: LOCALCACRT file empty in fetch-rootca-cert init script)



Your message dated Mon, 19 Oct 2020 13:49:27 +0000
with message-id <E1kUVXT-000IUB-SD@fasolo.debian.org>
and subject line Bug#971775: fixed in debian-edu-config 2.11.32
has caused the Debian Bug report #971775,
regarding debian-edu-config: LOCALCACRT file empty in fetch-rootca-cert init script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
971775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971775
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.11.31
Tags: patch

During a migration-like scenario (old stretch main server being partially upgraded to a buster-like main server), I made the observation that clients (bullseye systems) that already have the fetch-rootca-cert init script can end up with /usr/local/share/ca-certificates/Debian-Edu_rootCA.crt being an empty file.

This happens if the download URL of the rootCA file is not yet a valid URL. In migration scenarios this can easily happen, because the TJENER needs to be manually upgraded step by step, and one of those steps is providing Debian-Edu_rootCA.crt in /etc/debian-edu/www.

If that file is not present in that folder (exported via Apache2), the clients end up with empty rootCA files and will never retry the retrieval.

My suggestion to mitigate this is this patch:

```
diff --git a/debian/debian-edu-config.fetch-rootca-cert b/debian/debian-edu-config.fetch-rootca-cert
index 7f65d3d5..c14bef44 100755
--- a/debian/debian-edu-config.fetch-rootca-cert
+++ b/debian/debian-edu-config.fetch-rootca-cert
@@ -31,7 +31,7 @@ do_start() {
        rm -f $BUNDLECRT

        # RootCA cert retrieval
-       if [ ! -f $LOCALCACRT ] ; then
+       if [ ! -f $LOCALCACRT ] || [ -s $LOCALCACRT ]; then
                # Since Debian Edu 10, the RootCA file is distributed
# over http (always via the host serving www.intern, by default: TJENER)
                #
```
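Review bot: In the changed `if` line, `[ -s $LOCALCACRT ]` is true when the file exists and is non-empty, so the test is inverted relative to the report: a client holding an empty file still skips retrieval, while a client with a non-empty certificate now enters the retrieval branch on every `do_start`. `[ ! -s $LOCALCACRT ]` on its own would cover both the missing and the empty case, and the variable should be quoted (`"$LOCALCACRT"`).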

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de



--- End Message ---
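The failure mode described in the report above (a failed download leaves an empty certificate file that is never fetched again), as an added example that is not part of the original message or of debian-edu-config. It compares the condition as posted with a missing-or-empty test over the three file states, and shows one way to avoid leaving an empty file behind; the function names, the fetch stub passed as arguments and the PEM marker check are assumptions.

```shell
#!/bin/sh
# Added illustration; names, paths and the fetch stub are hypothetical.

# Condition as written in the posted patch.
retry_as_posted() { [ ! -f "$1" ] || [ -s "$1" ]; }

# Condition matching the report's intent: fetch when missing OR empty.
retry_when_missing_or_empty() { [ ! -s "$1" ]; }

# Install a certificate only if the fetch command succeeded and its output
# looks like a PEM certificate; otherwise leave the target untouched so a
# later run retries. Arguments after the target are the fetch command, which
# must write the certificate to stdout (stand-in for the HTTP download).
install_cert() {
    target=$1; shift
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if "$@" > "$tmp" && [ -s "$tmp" ] &&
       grep -q -- '-----BEGIN CERTIFICATE-----' "$tmp"; then
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed demo: what each condition decides for a missing, an empty
# and a non-empty certificate file (format: state:as_posted/missing_or_empty).
state_report() {
    dir=$(mktemp -d) || return 1
    : > "$dir/empty.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$dir/ok.crt"
    out=
    for f in missing empty ok; do
        retry_as_posted "$dir/$f.crt" && a=fetch || a=skip
        retry_when_missing_or_empty "$dir/$f.crt" && b=fetch || b=skip
        out="$out$f:$a/$b "
    done
    rm -rf "$dir"
    printf '%s\n' "${out% }"
}
```

Calling `state_report` prints one `state:as_posted/missing_or_empty` entry per file state; the `empty` entry is the case from the report.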
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.11.32
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 19 Oct 2020 14:14:47 +0200
Source: debian-edu-config
Architecture: source
Version: 2.11.32
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 971767 971775
Changes:
 debian-edu-config (2.11.32) unstable; urgency=medium
 .
   [ Mike Gabriel ]
   * debian/fetch-rootca-cert: Re-try rootCA retrieval if previous
     retrievals ended up with an empty Debian-Edu_rootCA.crt file in
     /usr/local/share/ca-certificates/. (Closes: #971775).
 .
   [ Wolfgang Schweer ]
   * debian/debian-edu-config.fetch-rootca-cert:
     - Avoid execution on the main server where things are already in place.
     - Adjust code to let the Debian-Edu_rootCA.crt file show up in the
       /etc/ssl/certs/ directory more reliably. (Closes: #971767).
     - Fix logging messages.
   * debian/control:
     - Lower Depends on libpam-python to Recommends. This way the src:debian-edu
       autopkgtest might succeed (until libpam-python3 becomes available).
     - Adjust Description field.
     - Use https://blends.debian.org/edu as homepage.
   * Move from deprecated, unusable Samba NT4-style PDC role to standalone server
     one to be compatible with OpenLDAP, MIT Kerberos and GOsa²:
     - Drop all domain related files.
     - Add code to debian/debian-edu-config.postinst to get those files removed.
     - Adjust etc/samba/smb-debian-edu.conf accordingly (also with support for
       non-root user usershares and override file included).
     - Add share/debian-edu-config/smb.conf.edu-site as override template file.
   * Re-work LDAP bootstrap and configuration file.
     - Move entries from ldap-bootstrap/samba.ldif to ldap-bootstrap/gosa.ldif
       and ldap-bootstrap/root.ldif respectively, now that Samba isn't contained
       in LDAP anymore.
     - etc/ldap/slapd-debian-edu.conf: Cleanup from Samba related entries.
   * share/debian-edu-config/gosa.conf.template:
     - Remove Samba related tab to prevent it from showing up in the GUI.
     - Add sambaHashHook="" to prevent Samba password hashes showing up in LDAP
       for security reasons.
   * Manage Samba accounts and sambashare group membership using GOsa² hooks.
     - share/debian-edu-config/tools/gosa-create: Add user to sambashare group.
     - share/debian-edu-config/tools/gosa-sync:
       Create a user Samba account and keep Samba and POSIX passwords in sync.
     - share/debian-edu-config/tools/gosa-lock-user: Also disable Samba account.
     - share/debian-edu-config/tools/gosa-unlock-user: Also enable Samba account.
     - share/debian-edu-config/tools/kerberos-kdc-init: Add samba account and
     - sambashare group membership for the special case 'first user'.
   * Use Avahi to publish Samba shares in the local network. This will also
     improve support for macOS using systems:
     - Add share/debian-edu-config/avahi.smb.service configuration file.
     - cf3/cf.samba: Conditionally copy the service file to the right place.
       (Also create the Samba usershares directory with proper rights.)
   * share/debian-edu-config/tools/edu-ldap-from-scratch:
     - Adjust to reflect the Samba related changes.
   * share/debian-edu-config/passwords_stub.dat:
     - Drop obsolete entries now that icinga2-classicui is gone.

--- End Message ---
