[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 4 commits: Improve debian/debian-edu-config.fetch-rootca-cert

Wolfgang Schweer gitlab at salsa.debian.org
Thu Oct 8 20:20:39 BST 2020



Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
a8afe3b1 by Wolfgang Schweer at 2020-10-08T21:09:11+02:00
Improve debian/debian-edu-config.fetch-rootca-cert

Avoid execution on the main server where things are already in place.

Adjust code to let the Debian-Edu_rootCA.crt file show up in the
/etc/ssl/certs/ directory more reliably.

Fix logging messages.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
37e72a28 by Wolfgang Schweer at 2020-10-08T21:10:38+02:00
Cleanup share/debian-edu-config/passwords_stub.dat

Drop obsolete entries now that icinga2-classicui is gone.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
8fa4c1bf by Wolfgang Schweer at 2020-10-08T21:12:46+02:00
debian/control: Lower Depends on libpam-python to Recommends

This way the src:debian-edu autopkgtest might succeed until libpam-python3 is
available.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
b0e1f664 by Wolfgang Schweer at 2020-10-08T21:19:04+02:00
Add changelog entries for last commits

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -


4 changed files:

- debian/changelog
- debian/control
- debian/debian-edu-config.fetch-rootca-cert
- share/debian-edu-config/passwords_stub.dat


Changes:

=====================================
debian/changelog
=====================================
@@ -1,9 +1,22 @@
 debian-edu-config (2.11.32) UNRELEASED; urgency=medium
 
+  [ Mike Gabriel ]
   * debian/fetch-rootca-cert: Re-try rootCA retrieval if previous
     retrievals ended up with an empty Debian-Edu_rootCA.crt file in
     /usr/local/share/ca-certificates/. (Closes: #971775).
 
+  [ Wolfgang Schweer ]
+  * debian/debian-edu-config.fetch-rootca-cert:
+    - Avoid execution on the main server where things are already in place.
+    - Adjust code to let the Debian-Edu_rootCA.crt file show up in the
+      /etc/ssl/certs/ directory more reliably. (Closes: #971767).
+    - Fix logging messages.
+  * share/debian-edu-config/passwords_stub.dat:
+    - Drop obsolete entries now that icinga2-classicui is gone.
+  * debian/control:
+    - Lower Depends on libpam-python to Recommends. This way the src:debian-edu
+      autopkgtest might succeed (until libpam-python3 becomes available).
+
  -- Mike Gabriel <sunweaver at debian.org>  Thu, 08 Oct 2020 11:08:51 +0200
 
 debian-edu-config (2.11.31) unstable; urgency=medium


=====================================
debian/control
=====================================
@@ -63,6 +63,7 @@ Depends: ${misc:Depends},
          wget,
 Recommends: binutils,
             libnotify-bin,
+            libpam-python,
             lsof,
             memtest86+,
             resolvconf,
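Review bot: the matching removal of libpam-python from Depends is not visible in this hunk, which contains only the added Recommends line, so please confirm the package does not end up listed in both fields. With Recommends, systems installed with --no-install-recommends will no longer pull the module in, so whatever in this package relies on it should fail cleanly when it is absent.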


=====================================
debian/debian-edu-config.fetch-rootca-cert
=====================================
@@ -19,6 +19,10 @@ set -e
 
 . /lib/lsb/init-functions
 
+if [ -r /etc/debian-edu/config ] ; then
+	. /etc/debian-edu/config
+fi
+
 BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
 ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
 LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
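Review bot: PROFILE stays unset when /etc/debian-edu/config is not readable, so the Main-Server test added in do_start silently evaluates to false and the fetch runs anyway; set a default such as PROFILE="" before the if and consider logging the missing file. The file is also sourced after set -e, so any statement in it that returns non-zero aborts the init script before do_start is reached.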
@@ -30,8 +34,12 @@ do_start() {
 	# Remove no longer used certificate file
 	rm -f $BUNDLECRT
 
-	# RootCA cert retrieval
-	if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ]; then
+	# RootCA cert retrieval (avoid execution on the main server, things are in place)
+	if echo "$PROFILE" | egrep -q 'Main-Server' ; then
+		logger -t fetch-rootca-cert "Running on the main server, exiting."
+		exit 0
+	fi
+	if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
 		# Since Debian Edu 10, the RootCA file is distributed
 		# over http (always via the host serving www.intern, by default: TJENER)
 		#
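Review bot: the Main-Server check sits after rm -f $BUNDLECRT, so that removal still runs on the main server; if that is intended the comment should say so, otherwise move the check to the top of do_start. The exit 0 inside do_start ends the whole script rather than returning to the caller, so return 0 would be safer. The echo "$PROFILE" | egrep -q pipeline can be replaced by case "$PROFILE" in *Main-Server*) ... esac, which avoids the obsolescent egrep and the extra processes.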
@@ -42,23 +50,25 @@ do_start() {
 			# Now let's see if the webserver has the "Debian Edu RootCA" file.
 			# This has been the case for Debian Edu main servers (TJENER) since
 			# Debian Edu 10.1.
-			if curl -fk https://www.intern/Debian-Edu_rootCA.crt 1> $LOCALCACRT | \
-				tee $ROOTCACRT 2>/dev/null && \
+			if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
 				grep -q CERTIFICATE $LOCALCACRT ; then
+				# Make rootCA certificate available in /etc/ssl/certs/
+				ln -s $LOCALCACRT $ROOTCACRT
 				# Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
 				update-ca-certificates
-				logger -t fetch-ldap-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+				logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
 			else
-				# Drop the ROOTCACRT file, as it probably only contains some 404 http
-				# error message in html.
+				# Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+				# 404 http error message in html.
 				rm -f $LOCALCACRT
-				logger -t fetch-ldap-cert "Failed to fetch rootCA certificate from www.intern."
+				rm -f $ROOTCACRT
+				logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
 			fi
 		else
 			# Report an error, if www.intern is down http-wise. This can happen and is probably
 			# a temporary problem that needs an admin to fix it.
 			log_action_end_msg 1
-			logger -t fetch-ldap-cert "Failed to connect to www.intern, maybe the web server is down."
+			logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
 			ERROR=true
 		fi
 	fi
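Review bot: ln -s $LOCALCACRT $ROOTCACRT fails when $ROOTCACRT already exists, for example as a leftover from the previous tee $ROOTCACRT code path, whose else branch removed only $LOCALCACRT; under set -e that failure aborts the script before update-ca-certificates runs. Use ln -sf, or rm -f $ROOTCACRT first, and quote both variables. Separately, the file is fetched with curl -fk and accepted as a system-wide trust anchor after only grep -q CERTIFICATE, so any response containing that word passes; parsing it with openssl x509 -noout -in "$LOCALCACRT" before linking would at least reject non-certificate content, and downloading to a temporary file and moving it into place would avoid leaving a partial file at $LOCALCACRT.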


=====================================
share/debian-edu-config/passwords_stub.dat
=====================================
@@ -28,14 +28,3 @@ Value: ROOTPWD
 Owners: debian-edu-config
 Flags: seen
 
-Name: icinga2-classicui/adminpassword
-Template: icinga2-classicui/adminpassword
-Value:
-Owners: icinga2-classicui
-Flags: seen
-
-Name: icinga2-classicui/adminpassword-repeat
-Template: icinga2-classicui/adminpassword-repeat
-Value:
-Owners: icinga2-classicui
-Flags: seen



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/d6380fb3fc61d134ba0b77b291152f7f08b22dac...b0e1f664221b682b97e872c32d9b6832c51a8aec
