
Bug#951070: debian-edu-config: make Debian-Edu_rootCA available via /etc/ssl/certs/ca-certificates.crt



Hi Wolfgang,

On Wed 12 Feb 2020 19:47:04 CET, Wolfgang Schweer wrote:

Hi Mike,

On Mon, Feb 10, 2020 at 03:46:02PM +0000, Mike Gabriel wrote:
Package: debian-edu-config
Version: 2.11.12
Severity: wishlist

Driving the fetch-ldap-cert logic another step forward. We should, on
retrieval of Debian-Edu_rootCA.crt, move that file to
/usr/local/share/ca-certificates/debian-edu/ and run update-ca-certificates
afterwards.

This assures that Debian-Edu_rootCA is available in the system-wide CA
bundle in /etc/ssl/certs/ca-certificates.crt.

This issue relates to #926388 (let Firefox trust
/etc/ssl/certs/ca-certificates.crt)

The attached fetch-ldap-cert script is stripped down quite a lot, but has
been tested to work - also with both LTSP thin clients and diskless
workstations. Please note that the LTSP NBD image needs to be updated.
The LTSP clients will configure ca-certificates.crt in the overlay file
system at runtime. No need to fiddle around like done until now.

Also, the LDAP server certificate doesn't need to be downloaded and
verified.

The /etc/nslcd.conf file in Debian Edu 10 contains this setting:
tls_reqcert demand

This way the LDAP server is forced to send its certificate upon client
connect. The connection is established only in case the certificate is
valid, i.e. if the related rootCA certificate is contained in
/etc/ssl/certs/ca-certificates.

Please test.

Wolfgang

The simplicity of the fetch-ldap-cert version you propose is tempting. But this version will only work against TJENERs that have a Debian-Edu_rootCA.crt exported via www.intern.

That is, we IMHO need to make sure a Debian 11 client still works well with a Debian 9 server. Don't you think?

Greets,
Mike
--

DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
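The installation step proposed in the bug report (drop the fetched root CA into /usr/local/share/ca-certificates/debian-edu/, run update-ca-certificates, confirm it landed in the system bundle), as an added example that is not the attached fetch-ldap-cert script nor debian-edu-config code; it assumes the CA file has already been fetched to a local path, and the install directory and bundle path can be overridden for testing:

```shell
#!/bin/sh
# Added example, not the attached fetch-ldap-cert script: install a fetched
# Debian-Edu_rootCA.crt where update-ca-certificates picks it up, rebuild the
# bundle, and check the CA is in the bundle. Assumes the CA file is at $1.
set -eu
CA_NAME="Debian-Edu_rootCA.crt"

# update-ca-certificates only processes *.crt files; a stray HTML error page
# must never become a trusted CA, so insist on PEM certificate markers.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
        grep -q '^-----END CERTIFICATE-----$' "$1"
}

# install_edu_rootca SRC [DEST_DIR]: copy SRC into DEST_DIR (default: the
# directory proposed in this bug), world-readable, and print the final path.
install_edu_rootca() {
    dest_dir="${2:-/usr/local/share/ca-certificates/debian-edu}"
    is_pem_cert "$1" || { echo "$1 is not a PEM certificate" >&2; return 1; }
    mkdir -p "$dest_dir"
    cp "$1" "$dest_dir/$CA_NAME"
    chmod 0644 "$dest_dir/$CA_NAME"
    echo "$dest_dir/$CA_NAME"
}

# Rebuild the system bundle; needs root and the ca-certificates package.
refresh_bundle() {
    if command -v update-ca-certificates >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]
    then update-ca-certificates
    else echo "skipping update-ca-certificates (needs root)" >&2
    fi
}

# ca_in_bundle CERT [BUNDLE]: true when every base64 body line of CERT occurs
# verbatim in BUNDLE (grep only; BEGIN/END lines match every cert, so skipped).
ca_in_bundle() {
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    pat=$(mktemp)
    grep -v -- '^-----' "$1" > "$pat"
    want=$(grep -c . "$pat")
    have=$(grep -cFxf "$pat" "$bundle" || true)
    rm -f "$pat"
    [ "$have" -ge "$want" ]
}

# Usage: sh install-edu-rootca.sh /tmp/Debian-Edu_rootCA.crt
if [ $# -ge 1 ]; then
    installed=$(install_edu_rootca "$1")
    refresh_bundle
    ca_in_bundle "$installed" && echo "$CA_NAME is in the system CA bundle"
fi
```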


