Package: debian-edu-config
Severity: important
Version: 2.11.31

Hi,

while digging deeper once more into Debian Edu SSL stuff, I found that the two init scripts fetch-rootca-cert and fetch-ldap-cert are not working ok together.
The Debian-Edu_rootCA file should nowadays be obtained from TJENER via fetch-rootca-cert. This is ok (except for #971775). It pulls in the Debian-Edu_rootCA from TJENER, stores it into /usr/local/share/ca-certificates and runs update-ca-certificates. This gives a Debian-Edu_rootCA.pem file in /etc/ssl/certs and adds that CA cert also to /etc/ssl/certs/ca-certificates.crt. Very good.
However, fetch-ldap-cert duplicates part of this and does it in a wrong way (an earlier approach I implemented). It downloads Debian-Edu_rootCA.crt and places it into /etc/ssl/certs/Debian-Edu_rootCA.crt (please note the file suffix). Thus, we end up with Debian-Edu_rootCA.pem and Debian-Edu_rootCA.crt, both in /etc/ssl/certs.
IMHO, fetch-ldap-cert should not try to download the Debian-Edu_rootCA.crt anymore as that's handled by fetch-rootca-cert. The fetch-ldap-cert script should only handle situations where a Debian Edu client runs against a TJENER from stretch (or earlier) or buster 10.0.

Comments on that?

Greets,
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
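
A check for the state the report describes, as an added example that is not part of the original message or of debian-edu-config: it lists every `<name>.crt` in a certificate directory that sits beside a `<name>.pem` of the same stem, and says whether the copy is a regular file or a symlink and whether its content matches. The function names and the sample directory are constructed for illustration; the check assumes that entries managed by update-ca-certificates appear in /etc/ssl/certs as `.pem` symlinks.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Report <name>.crt files that duplicate a <name>.pem in the same directory.
# Returns 0 when the directory is clean, 1 when at least one duplicate exists.
find_duplicate_ca() {
    cert_dir=${1:-/etc/ssl/certs}
    found=0
    for crt in "$cert_dir"/*.crt; do
        # An unmatched glob stays literal, so skip names that do not exist.
        if [ ! -e "$crt" ]; then continue; fi
        # ca-certificates.crt is the concatenated bundle, not a single CA.
        if [ "$(basename "$crt")" = "ca-certificates.crt" ]; then continue; fi
        pem="${crt%.crt}.pem"
        if [ ! -e "$pem" ]; then continue; fi
        if [ -L "$crt" ]; then kind="symlink"; else kind="regular file"; fi
        # A copy with different content is the riskier case: the two files
        # then disagree about which CA certificate is current.
        if cmp -s "$crt" "$pem"; then
            same="identical content"
        else
            same="DIFFERENT content"
        fi
        printf '%s duplicates %s (%s, %s)\n' "$crt" "$pem" "$kind" "$same"
        found=$((found + 1))
    done
    if [ "$found" -eq 0 ]; then return 0; else return 1; fi
}

# Build a constructed directory that mirrors the report: a .pem symlink into
# a local CA store, a stray regular .crt with the same stem, and the bundle.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/store" "$d/certs"
    printf 'constructed-ca-data\n' > "$d/store/Debian-Edu_rootCA.crt"
    ln -s "$d/store/Debian-Edu_rootCA.crt" "$d/certs/Debian-Edu_rootCA.pem"
    printf 'constructed-ca-data\n' > "$d/certs/Debian-Edu_rootCA.crt"
    printf 'constructed-bundle\n' > "$d/certs/ca-certificates.crt"
    printf '%s\n' "$d"
}
```

Running `find_duplicate_ca` with no argument checks /etc/ssl/certs; passing `"$(make_sample_dir)/certs"` runs it against the constructed directory.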