......@@ -11,6 +11,29 @@ debian-edu-config (2.10.67) UNRELEASED; urgency=medium
* Code review debian-edu-config.fetch-ldap-cert:
- White-space-only change: Fix broken and inconsistent indentations.
- Fully inline-document fetch-ldap-cert script.
- Add "-f" option to all curl calls that don't have it set so far.
This assures that curl bails out with a non-zero exit code, if anything
goes wrong while retrieving certificate files.
- Also report a successful certificate verification if we verified the
LDAP server certificate using the Debian Edu RootCA.
- Really check that the LDAP server uses a certificate issued by the
"Debian Edu RootCA", not just by (some) "RootCA".
- Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
- LTSP chroot certificate copying: only log those actions, if they are
actually about to happen..
- Silence curl stderr and gnutls-cli stdout+stderr.
- Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
This will lead to repetitive downloads of the CERTFILE on system boot.
To get rid of this, people must upgrade their TJENERs from Debian Edu
10.0 to 10.1. Then it will stop. This hack is necessary to assure
distribution of the RootCA to all clients that don't have it, yet.
- Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
copying from chroot copying of the CERTFILE. The chroot may have the
CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
path from Debian Edu 10.0 to Debian Edu 10.1.
- Do a simple validity check if a directory under /opt/ltsp really is
a chroot (and e.g. not the SquashFS images' directory).
-- Wolfgang Schweer <wschweer@arcor.de> Sat, 10 Aug 2019 14:14:26 +0200
......@@ -36,7 +36,7 @@ do_start() {
### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval
###
if [ ! -f $CERTFILE ] && [ -f /etc/nslcd.conf ] &&
if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
# LDAP server host not known/found, bailing out...
......@@ -54,7 +54,7 @@ do_start() {
# has been issued by the "Debian Edu RootCA", if not we are likely dealing with a
# pre-Debian Edu 10 (aka buster) TJENER or with some other non-Debian-Edu LDAP
# server.
if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q "Debian Edu RootCA" ; then
# Since Debian Edu 10, the LDAP certificate (or the RootCA file) is distributed
# over http (always via the host serving www.intern, by default: TJENER)
......@@ -62,19 +62,24 @@ do_start() {
# We do an availability check for the webserver first, to provide proper
# error reporting (see below). So, the following check merely discovers,
# if the webserver is online at all.
if curl -sfk --head -o /dev/null https://www.intern ; then
if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
# Now let's see if the webserver has the "Debian Edu RootCA" file.
# This has been the case for Debian Edu main servers (TJENER) since
# Debian Edu 10.1.
if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \
grep -q CERTIFICATE $ROOTCACRT ; then
# Obtained a RootCA-verified version of the LDAP server's server certificate.
gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
# FIXME: If the host previously had got the BUNDLECERT file installed,
# we should make sure here to have it removed. From now on, the LTSP chroot
# can operate on the ROOTCACRT file and the BUNDLECERT will never get
# update anymore once the ROOTCACRT is available on www.intern.
else
# If there is no Debian Edu RootCA available on www.intern, fallback to
......@@ -89,14 +94,14 @@ do_start() {
# So, now let's see if the webserver has the "debian-edu-bundle.crt"
# file. If so (and no Debian Edu RootCA file), then we are likely dealing
# with a Debian Edu 10.0 main server.
if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
if curl -fk https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \
grep -q CERTIFICATE $BUNDLECRT ; then
# Obtained a self-verified version of the LDAP server's server certificate.
# (The BUNDLECERT file should already contain the LDAP server's certificate,
# so having this cert file should allow us to successfully and "verified'ly"
# connect to the LDAP server and let us retrieve that very same certificate).
gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
else
......@@ -141,7 +146,7 @@ do_start() {
if test -s $CERTFILE.new ; then
mv $CERTFILE.new $CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
if [ -f $BUNDLECRT ] ; then
if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then
logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
else
logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
......@@ -168,14 +173,19 @@ do_start() {
# Loop over all to be found LTSP chroots...
for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
# likely not a chroot dir, skipping...
continue
fi
# Only install the CERTFILE into this chroot, if not already present...
if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
# Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
# certificate.
[ "$VERBOSE" != no ] &&
log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
[ "$VERBOSE" != no ] &&
if test -s $CERTFILE; then
cp $CERTFILE $ltsp_chroot$CERTFILE
[ "$VERBOSE" != no ] && log_action_end_msg 0
......@@ -183,14 +193,37 @@ do_start() {
log_action_end_msg 1
ERROR=true
fi
fi
if [ ! -f $ltsp_chroot$ROOTCACRT ]; then
if test -e $ROOTCACRT; then
# If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot
# (containing the self-built rootCA of the Debian Edu site).
log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
if test -s $ROOTCACRT; then
# FIXME: If the chroot previously had got the BUNDLECERT file installed,
# we should make sure here to have it removed. From now on, the LTSP chroot
# can operate on the ROOTCACRT file and the BUNDLECERT will never get
# update anymore once the ROOTCACRT is available on www.intern.
cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
[ "$VERBOSE" != no ] && log_action_end_msg 0
else
log_action_end_msg 1
ERROR=true
fi
fi
fi
if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f $ltsp_chroot$ROOTCACRT ]; then
if test -e $BUNDLECRT; then
# If we talked to a Debian Edu 10.0 main server (aka TJENER) above, then we
# don't have the ROOTCACRT. We copy the BUNDLECRT file into the LTSP chroot
# instead (containing all certificates ever issued for the Debian Edu site).
......@@ -207,7 +240,9 @@ do_start() {
ERROR=true
fi
fi
fi
done
fi
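Review bot: The `1> $ROOTCACRT` redirect in the RootCA fetch (`curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null`) truncates an already-present RootCA before curl runs, and with the widened condition `( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] )` this path is now entered on a host that has the RootCA but lacks the CERTFILE, so a transient download failure leaves a zero-length ROOTCACRT behind. That empty file still passes `[ -f $ROOTCACRT ]` both in the new "Fetched and verified" branch and in the PHASE 1 guard, so the next boot no longer retries and the verified-message is logged on the strength of an empty CA file. Mirror the `$CERTFILE.new` / `mv` pattern already used for the server certificate: `if curl -fk -o $ROOTCACRT.new https://www.intern/Debian-Edu_rootCA.crt 2>/dev/null && grep -q CERTIFICATE $ROOTCACRT.new && mv $ROOTCACRT.new $ROOTCACRT ; then`, and the same for the BUNDLECRT fetch. Independently of that, both fetches use `curl -k`, so the CA that later "verifies" the LDAP certificate is itself obtained without transport authentication; a comment such as `# NOTE: RootCA is fetched with -k (trust on first use); "verified" below means verified against this unauthenticated CA` next to the logger call would keep the log message from overstating what was checked. do_start() begins and ends outside these hunks.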