
Bug#951070: debian-edu-config: make Debian-Edu_rootCA available via /etc/ssl/certs/ca-certificates.crt



Missing script now attached.

Wolfgang
	#!/bin/sh
### BEGIN INIT INFO
# Provides:          fetch-ldap-cert
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $network $syslog $named slapd
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Fetch LDAP SSL public key from the server
# Description:
#   Start before krb5-kdc to give slapd time to become operational
#   before krb5-kdc try to connect to the LDAP server as a workaround
#   for #589915.
# X-Start-Before:    isc-dhcp-server krb5-kdc nslcd
### END INIT INFO
#
# Author: Petter Reinholdtsen <pere@hungry.com>
# Date:   2007-06-09

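# -e: abort on the first failing command (do_start's return 1 therefore ends
#     the script with status 1); -x: trace every command to stderr.
set -ex

. /lib/lsb/init-functions

# Certificate locations used by do_start. Marked readonly so an accidental
# reassignment later in the script fails loudly instead of silently pointing
# the fetch at another path.
readonly BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt    # obsolete bundle, only ever removed
readonly ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt    # copy kept under /etc/ssl/certs
readonly LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt  # input for update-ca-certificates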

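#######################################
# Fetch the Debian Edu root CA from www.intern and install it system-wide.
# Globals:   BUNDLECRT (removed), LOCALCACRT (written), ROOTCACRT (written),
#            ERROR (written)
# Arguments: none
# Outputs:   status lines via logger / log_action_end_msg
# Returns:   0 on success or when the CA file is already present,
#            1 when www.intern cannot be reached at all
#######################################
do_start() {

	ERROR=false

	# Remove no longer used certificate file
	rm -f -- "$BUNDLECRT"

	# RootCA cert retrieval; a one-shot, skipped once the file exists.
	if [ ! -f "$LOCALCACRT" ]; then
		# Since Debian Edu 10, the RootCA file is distributed
		# over http (always via the host serving www.intern, by default: TJENER)
		#
		# We do an availability check for the webserver first, to provide proper
		# error reporting (see below). So, the following check merely discovers,
		# if the webserver is online at all.
		if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
			# Now let's see if the webserver has the "Debian Edu RootCA" file.
			# This has been the case for Debian Edu main servers (TJENER) since
			# Debian Edu 10.1.
			#
			# NOTE(review): -k disables TLS certificate verification. The host has
			# no trust anchor yet, so this is a trust-on-first-use download, and
			# whatever answers for www.intern on the network path ends up installed
			# as a system-wide CA below. Comparing the fetched certificate's
			# fingerprint against a value obtained out of band would close that gap.
			#
			# Write straight to $LOCALCACRT. The earlier "1> file | tee" form sent
			# nothing down the pipe (stdout was already redirected), truncated
			# $ROOTCACRT to an empty file and reported tee's status, not curl's.
			if curl -sSfk -o "$LOCALCACRT" https://www.intern/Debian-Edu_rootCA.crt && \
				grep -q CERTIFICATE "$LOCALCACRT"; then
				# Keep a copy under /etc/ssl/certs, then integrate the rootCA
				# certificate into /etc/ssl/certs/ca-certificates
				cp -- "$LOCALCACRT" "$ROOTCACRT"
				update-ca-certificates
				logger -t fetch-ldap-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
			else
				# Drop the LOCALCACRT file: with -f curl may leave an empty or
				# partial file behind on an HTTP error, and grep found no
				# certificate in it. $ROOTCACRT is only written on success, so
				# nothing else needs cleaning up.
				rm -f -- "$LOCALCACRT"
				logger -t fetch-ldap-cert "Failed to fetch rootCA certificate from www.intern."
			fi
		else
			# Report an error, if www.intern is down http-wise. This can happen and is probably
			# a temporary problem that needs an admin to fix it.
			log_action_end_msg 1
			logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server is down."
			ERROR=true
		fi
	fi

	if $ERROR; then
		return 1
	fi
}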

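# Init-script dispatch. Only "start" does work; the fetch is a one-shot and
# the other LSB actions are accepted but intentionally empty.
case "$1" in
	start)
		do_start
		;;
	stop)
		;;
	restart|force-reload)
		;;
	*)
		# Usage is an error message: print it to stderr, not stdout, and use
		# printf so "$0" is never interpreted as an echo option.
		printf 'Usage: %s {start|stop|restart|force-reload}\n' "$0" >&2
		exit 2
		;;
esac
exit 0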

Attachment: signature.asc
Description: PGP signature

