Hi again,

On Tue 06 Oct 2020 22:54:50 CEST, Mike Gabriel wrote:

Package: debian-edu-config
Version: 2.11.31
Severity: normal

Hi Wolfgang,

I am currently faced with Debian Edu testing/bullseye notebooks running against a Debian Edu TJENER based on stretch.

I am currently adding the Debian Edu PKI as we have it in buster + bullseye (rootCA and all that) to the stretch TJENER.

When doing this, I stumbled over this:

    {
      "policies": {
        "Certificates": {
          "ImportEnterpriseRoots": true,
          "Install": [
            "/etc/ssl/certs/Debian-Edu_rootCA.crt"
          ]
        },
        "NewTabPage": false,
        "OverrideFirstRunPage": ""
      }
    }

However, if I look into /etc/ssl/certs, I only see Debian-Edu_rootCA.pem.

I am currently working around this on the Debian Edu bullseye notebooks via puppet (which has a rule to create a symlink of that name).
I have identified several more places where actually Debian-Edu_rootCA.pem (or ca-certificates.crt) should be used instead of Debian-Edu_rootCA.crt.
On TJENER itself the situation is special, as we create the Debian-Edu_rootCA there and store the resulting files in /etc/ssl. I wonder if we should actually (at least) partially move this out of /etc/ssl and create the PKI e.g. in /var/lib/debian-edu-config (or such) and copy the Debian-Edu_rootCA.key to /etc/ssl/private/ and the Debian-Edu_rootCA.crt to /usr/local/share/ca-certificates/ (with a subsequent update-ca-certificates run).
Here is the list of places where .pem should be used instead of .crt:

lib/thunderbird/distribution/policies.json: "/etc/ssl/certs/Debian-Edu_rootCA.crt"
share/firefox-esr/distribution/policies.json: "/etc/ssl/certs/Debian-Edu_rootCA.crt"

share/debian-edu-config/tools/create-user-nssdb: su - $username sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
share/debian-edu-config/tools/create-user-nssdb: certutil -A -d sql:$dir/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-> this works on TJENER, as we have created Debian-Edu_rootCA.crt here.

share/debian-edu-config/tools/edu-ltsp-install: cp /etc/ssl/certs/Debian-Edu_rootCA.crt /srv/ltsp/thin/"$thin_type"-"$arch"/etc/ssl/certs
share/debian-edu-config/tools/edu-ltsp-install: "/etc/ssl/certs/Debian-Edu_rootCA.crt"
-> here we need to copy the crt to /usr/local/share/ca-certificates and run update-ca-certificates in the LTSP chroot.

share/debian-edu-config/tools/update-cert-dbs: su - $username sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-> this works on TJENER, as we have created Debian-Edu_rootCA.crt here.

share/debian-edu-config/tools/gosa-create: certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-> this works on TJENER, as we have created Debian-Edu_rootCA.crt here.

ldap-tools/ldap-debian-edu-install: certutil -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-> this works on TJENER, as we have created Debian-Edu_rootCA.crt here.

etc/ldap/slapd-debian-edu.conf:TLSCACertificateFile /etc/ssl/certs/Debian-Edu_rootCA.crt
-> it probably should use Debian-Edu_rootCA.pem from /etc/ssl/certs/ here, or the ca-certificates.crt directly.

cf3/cf.finalize: "/bin/chmod 0644 /etc/debian-edu/www/Debian-Edu_rootCA.crt"
Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
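
Added example, not part of the original message or of debian-edu-config: a shell check for the mismatch reported above, listing every /etc/ssl/certs/*.crt or *.pem path that the given files reference but that does not exist on the inspected system. The function name, the ROOT prefix argument and the fixture files built in demo() are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config.
# find_missing_ca_refs ROOT FILE...
#   ROOT  prefix of the system to inspect ("" for the running system, or a
#         chroot path such as an LTSP image); assumed parameter.
#   FILE  configuration files or scripts to scan.
# Prints one line per referenced /etc/ssl/certs/*.crt or *.pem path that does
# not exist under ROOT, and names a same-named file with the other extension
# if one is present there.
find_missing_ca_refs() {
    root=$1
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -oE '/etc/ssl/certs/[A-Za-z0-9._-]+\.(crt|pem)' "$f" | sort -u |
        while IFS= read -r ref; do
            [ -e "$root$ref" ] && continue
            hint=none
            for ext in crt pem; do
                alt="${ref%.*}.$ext"
                if [ "$alt" != "$ref" ] && [ -e "$root$alt" ]; then hint=$alt; fi
            done
            printf '%s: %s missing (present instead: %s)\n' "${f##*/}" "$ref" "$hint"
        done
    done
}

# Constructed fixture: a client tree that holds only the .pem, plus two files
# referencing CA paths in the way the report describes.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/etc/ssl/certs"
    : > "$tmp/root/etc/ssl/certs/Debian-Edu_rootCA.pem"
    : > "$tmp/root/etc/ssl/certs/ca-certificates.crt"
    printf '%s\n' '{ "policies": { "Certificates": { "Install": [ "/etc/ssl/certs/Debian-Edu_rootCA.crt" ] } } }' > "$tmp/policies.json"
    printf '%s\n' 'TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt' > "$tmp/slapd.conf"
    find_missing_ca_refs "$tmp/root" "$tmp/policies.json" "$tmp/slapd.conf"
    rm -rf "$tmp"
}

demo
```

On a real client the function would be called with an empty ROOT and the installed policies.json, slapd configuration and tool scripts as FILE arguments.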