[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] Do not attempt to fetch the rootCA cert outside of a DebianEdu network

Mike Gabriel (@sunweaver) gitlab at salsa.debian.org
Fri Aug 18 15:42:27 BST 2023



Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config


Commits:
8412a3d9 by Guido Berhoerster at 2023-08-18T14:42:15+00:00
Do not attempt to fetch the rootCA cert outside of a DebianEdu network

An error should only be reported if the machine is inside a DebianEdu network,
i.e. www.intern is resolvable, but the download fails. (Closes: #1008599)

- - - - -


1 changed file:

- share/debian-edu-config/tools/fetch-rootca-cert


Changes:

=====================================
share/debian-edu-config/tools/fetch-rootca-cert
=====================================
@@ -25,36 +25,44 @@ case $PROFILE in
     ;;
 esac
 
-if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
-    # Since Debian Edu 10, the RootCA file is distributed
-    # over http (always via the host serving www.intern, by default: TJENER)
-    #
-    # We do an availability check for the webserver first, to provide proper
-    # error reporting (see below). So, the following check merely discovers,
-    # if the webserver is online at all.
-    if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
-        # Now let's see if the webserver has the "Debian Edu RootCA" file.
-        # This has been the case for Debian Edu main servers (TJENER) since
-        # Debian Edu 10.1.
-        if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
-            grep -q CERTIFICATE $LOCALCACRT ; then
-            # Make rootCA certificate available in /etc/ssl/certs/
-            ln -nsf $LOCALCACRT $ROOTCACRT
-            # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
-            update-ca-certificates
-            logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
-        else
-            # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
-            # 404 http error message in html.
-            rm -f $LOCALCACRT
-            rm -f $ROOTCACRT
-            logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
-        fi
+if [ -f $LOCALCACRT ] && [ -s $LOCALCACRT ] ; then
+    # The cert file already exists, nothing to do.
+    exit 0
+fi
+
+if [ -z "$(dig +short A www.intern)" ] ; then
+    # If the main server is not resolvable, we are not part of a DebianEdu
+    # network, no need to report an error.
+    exit 0
+fi
+
+# Since Debian Edu 10, the RootCA file is distributed
+# over http (always via the host serving www.intern, by default: TJENER)
+#
+# We do an availability check for the webserver first, to provide proper
+# error reporting (see below). So, the following check merely discovers,
+# if the webserver is online at all.
+if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+    # Now let's see if the webserver has the "Debian Edu RootCA" file.
+    # This has been the case for Debian Edu main servers (TJENER) since
+    # Debian Edu 10.1.
+    if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+        grep -q CERTIFICATE $LOCALCACRT ; then
+        # Make rootCA certificate available in /etc/ssl/certs/
+        ln -nsf $LOCALCACRT $ROOTCACRT
+        # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+        update-ca-certificates
+        logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
     else
-        # Report an error, if www.intern is down http-wise. This can happen and is probably
-        # a temporary problem that needs an admin to fix it.
-        log_action_end_msg 1
-        logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
-        exit 1
+        # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+        # 404 http error message in html.
+        rm -f $LOCALCACRT
+        rm -f $ROOTCACRT
+        logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
     fi
+else
+    # Report an error, if www.intern is down http-wise. This can happen and is probably
+    # a temporary problem that needs an admin to fix it.
+    logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+    exit 1
 fi
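Review bot: the new guard `if [ -z "$(dig +short A www.intern)" ] ; then exit 0` also fires when `dig` itself is not installed (a "command not found" leaves the substitution empty), so a client without the dnsutils/bind9-dnsutils package would silently skip fetching the rootCA and log nothing; consider `getent hosts www.intern >/dev/null`, which needs no extra package and uses the same resolver configuration (/etc/hosts, nsswitch) that curl will use. Separately, the rewritten error branch keeps `logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."` and `exit 1` but drops the `log_action_end_msg 1` call that preceded them in the old code; if that removal is intended, the commit message should say so, otherwise restore it. Minor: quote the variable in the new early-exit test, `if [ -f "$LOCALCACRT" ] && [ -s "$LOCALCACRT" ]`, as a path with spaces would otherwise break the test.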



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/8412a3d917233ac414b05315f3dc95275bcb75b9
