[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 9 commits: Add "-f" option to all curl calls that don't have it set so far. This assures...

Mike Gabriel gitlab at salsa.debian.org
Sat Aug 10 17:48:09 BST 2019



Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config


Commits:
fc8d5031 by Mike Gabriel at 2019-08-10T15:45:53Z
Add "-f" option to all curl calls that don't have it set so far. This assures that curl bails out with a non-zero exit code if anything goes wrong while retrieving certificate files.

- - - - -
5779f174 by Mike Gabriel at 2019-08-10T15:47:32Z
Also report a successful certificate verification if we verified the LDAP server certificate using the Debian Edu RootCA.

- - - - -
71479167 by Mike Gabriel at 2019-08-10T15:48:46Z
Really check that the LDAP server uses a certificate issued by the "Debian Edu RootCA", not just by (some) "RootCA".

- - - - -
eb60de40 by Mike Gabriel at 2019-08-10T15:52:42Z
Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.

- - - - -
d717d43a by Mike Gabriel at 2019-08-10T16:29:08Z
LTSP chroot certificate copying: only log those actions if they are actually about to happen.

- - - - -
bf9c1eb8 by Mike Gabriel at 2019-08-10T16:29:27Z
Silence curl stderr and gnutls-cli stdout+stderr.

- - - - -
cd5466e7 by Mike Gabriel at 2019-08-10T16:39:32Z
Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run CERTFILE (and ROOTCACRT retrieval) until we have both on the client. This will lead to repetitive downloads of the CERTFILE on system boot. To get rid of this, people must upgrade their TJENERs from Debian Edu 10.0 to 10.1. Then it will stop. This hack is necessary to assure distribution of the RootCA to all clients that don't have it yet.

- - - - -
015384c9 by Mike Gabriel at 2019-08-10T16:40:06Z
Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot copying from chroot copying of the CERTFILE. The chroot may have the CERTFILE, but not the ROOTCACRT yet. This assures a smooth upgrade path from Debian Edu 10.0 to Debian Edu 10.1.

- - - - -
567ed6d7 by Mike Gabriel at 2019-08-10T16:47:23Z
Do a simple validity check if a directory under /opt/ltsp really is a chroot (and e.g. not the SquashFS images' directory).

- - - - -


2 changed files:

- debian/changelog
- debian/debian-edu-config.fetch-ldap-cert


Changes:

=====================================
debian/changelog
=====================================
@@ -11,6 +11,29 @@ debian-edu-config (2.10.67) UNRELEASED; urgency=medium
   * Code review debian-edu-config.fetch-ldap-cert:
     - White-space-only change: Fix broken and inconsistent indentations.
     - Fully inline-document fetch-ldap-cert script.
+    - Add "-f" option to all curl calls that don't have it set so far.
+      This assures that curl bails out with a non-zero exit code, if anything
+      goes wrong while retrieving certificate files.
+    - Also report a successful certificate verification if we verified the
+      LDAP server certificate using the Debian Edu RootCA.
+    - Really check that the LDAP server uses a certificate issued by the
+      "Debian Edu RootCA", not just by (some) "RootCA".
+    - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
+    - LTSP chroot certificate copying: only log those actions, if they are
+      actually about to happen..
+    - Silence curl stderr and gnutls-cli stdout+stderr.
+    - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
+      CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
+      This will lead to repetitive downloads of the CERTFILE on system boot.
+      To get rid of this, people must upgrade their TJENERs from Debian Edu
+      10.0 to 10.1. Then it will stop. This hack is necessary to assure
+      distribution of the RootCA to all clients that don't have it, yet.
+    - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
+      copying from chroot copying of the CERTFILE. The chroot may have the
+      CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
+      path from Debian Edu 10.0 to Debian Edu 10.1.
+    - Do a simple validity check if a directory under /opt/ltsp really is
+      a chroot (and e.g. not the SquashFS images' directory).
 
  -- Wolfgang Schweer <wschweer at arcor.de>  Sat, 10 Aug 2019 14:14:26 +0200
 
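Review bot: double full stop in the new changelog entry `actually about to happen..`; the entry otherwise mirrors the commit message, so a single period is intended.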


=====================================
debian/debian-edu-config.fetch-ldap-cert
=====================================
@@ -36,7 +36,7 @@ do_start() {
 	### PHASE 1: RootCA / bundle-cert / LDAP server cert retrieval
 	###
 
-	if [ ! -f $CERTFILE ] &&  [ -f /etc/nslcd.conf ] &&
+	if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
 	    grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
 
 		# LDAP server host not known/found, bailing out...
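Review bot: the `( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] )` grouping on the rewritten `if` line forks a subshell just to group two tests; `{ [ ! -f "$CERTFILE" ] || [ ! -f "$ROOTCACRT" ]; }` does the same without it, and quoting the variables avoids word splitting should either path ever contain whitespace. Note also that `-f` is satisfied by a zero-length file, so if a failed download ever leaves an empty `$ROOTCACRT` behind, this condition stops re-running retrieval, which is the opposite of what the commit message intends.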
@@ -54,7 +54,7 @@ do_start() {
 		# has been issued by the "Debian Edu RootCA", if not we are likely dealing with a
 		# pre-Debian Edu 10 (aka buster) TJENER or with some other non-Debian-Edu LDAP
 		# server.
-		if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep RootCA ; then
+		if echo | openssl s_client -connect "$LDAPSERVER:$LDAPPORT" 2>/dev/null | grep -q "Debian Edu RootCA" ; then
 
 			# Since Debian Edu 10, the LDAP certificate (or the RootCA file) is distributed
 			# over http (always via the host serving www.intern, by default: TJENER)
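Review bot: `grep -q "Debian Edu RootCA"` on the `openssl s_client` output matches the string anywhere in what openssl prints (any subject or issuer line of any certificate the server sent), so it distinguishes a Debian Edu 10 TJENER from other LDAP servers but verifies nothing; the actual verification is the later `gnutls-cli --x509cafile` call. The comment above should say so, and anchoring the pattern on the issuer line (e.g. `grep -q 'issuer=.*Debian Edu RootCA'`) would keep a certificate that merely carries the string in its subject from selecting this branch.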
@@ -62,19 +62,24 @@ do_start() {
 			# We do an availability check for the webserver first, to provide proper
 			# error reporting (see below). So, the following check merely discovers,
 			# if the webserver is online at all.
-			if curl -sfk --head -o /dev/null https://www.intern ; then
+			if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
 
 				# Now let's see if the webserver has the "Debian Edu RootCA" file.
 				# This has been the case for Debian Edu main servers (TJENER) since
 				# Debian Edu 10.1.
-				if curl -k https://www.intern/Debian-Edu_rootCA.crt > $ROOTCACRT && \
+				if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $ROOTCACRT 2>/dev/null && \
 
 				    grep -q CERTIFICATE $ROOTCACRT ; then
 
 					# Obtained a RootCA-verified version of the LDAP server's server certificate.
-					gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+					gnutls-cli --x509cafile $ROOTCACRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
 					logger -t fetch-ldap-cert "Fetched rootCA certificate from www.intern."
 
+					# FIXME: If the host previously had got the BUNDLECERT file installed,
+					# we should make sure here to have it removed. From now on, the LTSP chroot
+					# can operate on the ROOTCACRT file and the BUNDLECERT will never get
+					# update anymore once the ROOTCACRT is available on www.intern.
+
 				else
 
 					# If there is no Debian Edu RootCA available on www.intern, fallback to
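Review bot: `curl -fk ... 1> $ROOTCACRT 2>/dev/null` on the rewritten line truncates/creates `$ROOTCACRT` before curl runs, so on a Debian Edu 10.0 TJENER (no RootCA on www.intern, `curl -f` fails) an empty `$ROOTCACRT` is left on the host; that empty file then satisfies `[ -f $ROOTCACRT ]` in the PHASE 1 condition (retrieval stops re-running) and `test -e $ROOTCACRT` in the chroot loop. Download to `$ROOTCACRT.new` (or via `curl -o`) and `mv` only after `grep -q CERTIFICATE` succeeds, or `rm -f` the target in the else branch. Two smaller points: `-k` is unavoidable when bootstrapping trust in the RootCA over https, but a comment stating that this download is trust-on-first-use would help the next reader; and with gnutls-cli's output silenced and its exit status unchecked, the `logger` line reports "Fetched rootCA certificate" even when the save failed (the `test -s $CERTFILE.new` further down catches the failure, but the log entry is misleading). The FIXME also says BUNDLECERT where the variable is `BUNDLECRT`.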
@@ -89,14 +94,14 @@ do_start() {
 					# So, now let's see if the webserver has the "debian-edu-bundle.crt"
 					# file. If so (and no Debian Edu RootCA file), then we are likely dealing
 					# with a Debian Edu 10.0 main server.
-					if curl -k https://www.intern/debian-edu-bundle.crt > $BUNDLECRT && \
+					if curl -fk https://www.intern/debian-edu-bundle.crt 1> $BUNDLECRT 2>/dev/null && \
 					    grep -q CERTIFICATE $BUNDLECRT ; then
 
 						# Obtained a self-verified version of the LDAP server's server certificate.
 						# (The BUNDLECERT file should already contain the LDAP server's certificate,
 						# so having this cert file should allow us to successfully and "verified'ly"
 						# connect to the LDAP server and let us retrieve that very same certificate).
-						gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null
+						gnutls-cli --x509cafile $BUNDLECRT --save-cert=$CERTFILE.new $LDAPSERVER < /dev/null 1>/dev/null 2>/dev/null
 						logger -t fetch-ldap-cert "Fetched bundle certificate from www.intern."
 					else
 
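Review bot: same truncate-before-fetch issue as the RootCA download: `1> $BUNDLECRT 2>/dev/null` leaves an empty `$BUNDLECRT` when `curl -f` fails, and both `test -e $BUNDLECRT` later in the chroot loop and the `[ -f $BUNDLECRT ]` that selects the "verified" log message treat that empty file as a retrieved bundle. Fetch into a temporary name and rename after the `grep -q CERTIFICATE` check, or remove the file in the else branch.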
@@ -141,7 +146,7 @@ do_start() {
 		if test -s $CERTFILE.new ; then
 			mv $CERTFILE.new $CERTFILE
 			[ "$VERBOSE" != no ] && log_action_end_msg 0
-			if [ -f $BUNDLECRT ] ; then
+			if [ -f $BUNDLECRT ] || [ -f $ROOTCACRT ] ; then
 				logger -t fetch-ldap-cert "Fetched and verified LDAP SSL certificate from $LDAPSERVER."
 			else
 				logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
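Review bot: the `[ -f $BUNDLECRT ] || [ -f $ROOTCACRT ]` test chooses between "Fetched and verified" and "Fetched" based on file existence on the host, not on whether a `gnutls-cli --x509cafile` branch actually ran and succeeded for this fetch; a stale or empty CA file on the host makes the log claim a verification that did not happen. Setting a variable (e.g. `VERIFIED=true`) in the two verified branches above and testing it here would make the message truthful.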
@@ -168,14 +173,19 @@ do_start() {
 		# Loop over all to be found LTSP chroots...
 		for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
 
+			if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
+				# likely not a chroot dir, skipping...
+				continue
+			fi
+
 			# Only install the CERTFILE into this chroot, if not already present...
 			if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
 			    grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
 
 				# Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
 				# certificate.
-				[ "$VERBOSE" != no ] &&
 				log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
+				[ "$VERBOSE" != no ] &&
 				if test -s $CERTFILE; then
 					cp $CERTFILE $ltsp_chroot$CERTFILE
 					[ "$VERBOSE" != no ] && log_action_end_msg 0
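Review bot: moving `[ "$VERBOSE" != no ] &&` from in front of `log_action_begin_msg` to in front of `if test -s $CERTFILE; then` changes behaviour, not just logging: `cmd &&` followed by a newline and an `if ... fi` compound command makes the entire `if` block, including `cp $CERTFILE $ltsp_chroot$CERTFILE`, conditional on VERBOSE, so with `VERBOSE=no` the certificate is never copied into the chroot, while the begin message is now printed unconditionally. Keep the guard on the message line only (`[ "$VERBOSE" != no ] && log_action_begin_msg "..."`) and leave the `if` unguarded. The new `[ ! -d $ltsp_chroot/etc/ssl/certs/ ]` sanity check is a sensible filter for the SquashFS image directory; quoting `"$ltsp_chroot"` there would be consistent with the rest of the loop.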
@@ -183,14 +193,37 @@ do_start() {
 					log_action_end_msg 1
 					ERROR=true
 				fi
+			fi
 
-				# If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot
-				# (containing the self-built rootCA of the Debian Edu site).
-				log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
-				if test -s $ROOTCACRT; then
-					cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
-					[ "$VERBOSE" != no ] && log_action_end_msg 0
-				else
+			if [ ! -f $ltsp_chroot$ROOTCACRT ]; then
+
+				if test -e $ROOTCACRT; then
+
+					# If we retrieved it, we also copy the obtained ROOTCACRT into the LTSP chroot
+					# (containing the self-built rootCA of the Debian Edu site).
+					log_action_begin_msg "Copying Debian Edu rootCA certificate to ltsp-chroot $ltsp_chroot "
+					if test -s $ROOTCACRT; then
+
+						# FIXME: If the chroot previously had got the BUNDLECERT file installed,
+						# we should make sure here to have it removed. From now on, the LTSP chroot
+						# can operate on the ROOTCACRT file and the BUNDLECERT will never get
+						# update anymore once the ROOTCACRT is available on www.intern.
+
+						cp $ROOTCACRT $ltsp_chroot$ROOTCACRT
+						[ "$VERBOSE" != no ] && log_action_end_msg 0
+
+					else
+						log_action_end_msg 1
+						ERROR=true
+					fi
+
+				fi
+
+			fi
+
+			if [ ! -f $ltsp_chroot$BUNDLECRT ] && [ ! -f $ltsp_chroot$ROOTCACRT ]; then
+
+				if test -e $BUNDLECRT; then
 					# If we talked to a Debian Edu 10.0 main server (aka TJENER) above, then we
 					# don't have the ROOTCACRT. We copy the BUNDLECRT file into the LTSP chroot
 					# instead (containing all certificates ever issued for the Debian Edu site).
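Review bot: in the new ROOTCACRT block, `if test -e $ROOTCACRT` followed by `if test -s $ROOTCACRT ... else log_action_end_msg 1; ERROR=true` means a zero-length `$ROOTCACRT` on the host (the leftover that a failed `curl -f ... 1> $ROOTCACRT` produces on a 10.0 TJENER) sets ERROR and prints a failed action for every chroot on every boot, while a genuinely missing RootCA is silently skipped; either treat the empty file like the missing one (use `test -s` as the outer condition and drop the inner else) or clean up empty files at retrieval time. Both blocks are gated on the chroot's own copy (`[ ! -f $ltsp_chroot$ROOTCACRT ]`, `[ ! -f $ltsp_chroot$BUNDLECRT ]`), so a RootCA or bundle that changes on the host is never re-propagated to a chroot that already holds an older one; a `cmp -s` comparison or a comment stating that this is intended would help. The FIXME text is a verbatim copy of the host-side one and also says BUNDLECERT for `BUNDLECRT`; one FIXME referencing the other would do.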
@@ -207,7 +240,9 @@ do_start() {
 						ERROR=true
 					fi
 				fi
+
 			fi
+
 		done
 	fi
 



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/64a19293e6291028ed967210e5291e0e1bf5dca9...567ed6d7ae43c297d9fd7302b4e999f975e84666
