Bug#971775: debian-edu-config: LOCALCACRT file empty in fetch-rootca-cert init script



Package: debian-edu-config
Version: 2.11.31
Tags: patch

During a migration-like scenario (old stretch main server being partially upgraded to a buster-like main server), I made the observation that clients (bullseye systems) that already have the fetch-rootca-cert init script can end up with /usr/local/share/ca-certificates/Debian-Edu_rootCA.crt being an empty file.

This happens if the download URL of the rootCA file is not yet a valid URL. In migration scenarios this can easily happen, because the TJENER needs to be manually upgraded step by step, and one of those steps is providing Debian-Edu_rootCA.crt in /etc/debian-edu/www.

If that file is not present in that folder (exported via Apache2), the clients end up with empty rootCA files and never will retry another retrieval.

My suggestion to mitigate this is this patch:

```
diff --git a/debian/debian-edu-config.fetch-rootca-cert b/debian/debian-edu-config.fetch-rootca-cert
index 7f65d3d5..c14bef44 100755
--- a/debian/debian-edu-config.fetch-rootca-cert
+++ b/debian/debian-edu-config.fetch-rootca-cert
@@ -31,7 +31,7 @@ do_start() {
        rm -f $BUNDLECRT

        # RootCA cert retrieval
-       if [ ! -f $LOCALCACRT ] ; then
+       if [ ! -f $LOCALCACRT ] || [ -s $LOCALCACRT ]; then
                # Since Debian Edu 10, the RootCA file is distributed
# over http (always via the host serving www.intern, by default: TJENER)
                #
```
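
Review bot: the test added to the `if` in do_start(), `[ -s $LOCALCACRT ]`, is true when the file exists and is non-empty, which is the opposite of the empty-file case the report describes. As written, an empty Debian-Edu_rootCA.crt still skips the retrieval (the file exists, so `! -f` is false, and `-s` is false too), while a valid non-empty file now triggers the retrieval on every start. The condition would need to be `[ ! -s $LOCALCACRT ]`; because `-s` is also false for a missing file, `[ ! -s "$LOCALCACRT" ]` alone covers both the missing and the empty case.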

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpwrBduwW3mX.pgp
Description: Digital PGP signature
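
The failure mode in this report (a failed download leaves an empty file that is never fetched again), as an added shell example that is not part of the original message or of debian-edu-config: it refetches when the file is missing or empty, and downloads to a temporary file so a failed fetch never creates the target. The function names, the PEM-marker check and the offline `fake_download` stand-in are assumptions.

```shell
#!/bin/sh
# Added example, not the init script's code. All function names are hypothetical.

# Return 0 (true) when the CA file must be (re)fetched: missing OR empty.
# "-s" is false for a missing file as well, so one test covers both cases.
needs_fetch() {
    [ ! -s "$1" ]
}

# Install a downloaded file only if it is non-empty and looks like PEM.
# $1 = freshly downloaded temp file, $2 = final destination.
# Assumption: the certificate is PEM-encoded.
install_cert() {
    src=$1 dst=$2
    if [ -s "$src" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        mv -f "$src" "$dst"   # rename in the same directory: dst is never half-written
    else
        rm -f "$src"          # failed download: dst is left untouched, next run retries
        return 1
    fi
}

# Stand-in for the HTTP download (constructed so the example runs offline).
# It creates $2 even when the source is unavailable, which reproduces the
# empty file from the report.
fake_download() {
    : > "$2"
    if [ -f "$1" ]; then cat "$1" > "$2"; fi
    return 0
}

# fetch_rootca SOURCE DEST: the whole retrieval step.
fetch_rootca() {
    needs_fetch "$2" || return 0
    tmp=$(mktemp "$2.XXXXXX") || return 1
    fake_download "$1" "$tmp"
    install_cert "$tmp" "$2"
}
```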