[debian-edu-commits] [Git][debian-edu/debian-edu-config][mr/fix-root-ca-cert-openssl-v3] 11 commits: Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Fri May 22 23:34:40 BST 2026
Mike Gabriel pushed to branch mr/fix-root-ca-cert-openssl-v3 at Debian Edu / debian-edu-config
Commits:
e7f8fe8b by Daniel Teichmann at 2026-03-13T16:54:07+01:00
Add new file 'debian-edu-router.ldif'. Empty proxy groups should be installed on all new Tjeners.
These are preconfigured empty proxy groups for use in Debian Edu Router.
See Debian Edu Router Plugin: Content filter at https://salsa.debian.org/debian-edu/debian-edu-router/-/tree/master/docs.
- - - - -
1342f54b by Daniel Teichmann at 2026-03-13T16:54:10+01:00
ldap-bootstrap/debian-edu-router.ldif: Add 'server-hosts' nisNetgroup to 'proxy-trusted' nisNetgroup, via 'memberNisNetgroup' attribute.
- - - - -
ae91d71a by Daniel Teichmann at 2026-03-13T16:54:10+01:00
share/debian-edu-config/gosa.conf.template: Activate nisNetgroup tab for user accounts.
This makes it possible to add a user into a nisNetgroup while editing a user.
This is a fine addition to the already present 'NIS Netgroup' tab on the left.
- - - - -
c53528cf by Mike Gabriel at 2026-05-07T22:28:30+02:00
share/debian-edu-config/tools/copy-host-keytab: Support SSH publickey login to tjener, if this is possible (e.g. if admin is using SSH agent forwarding).
- - - - -
b892e2fa by Daniel Teichmann at 2026-05-22T22:28:45+00:00
apache2 debian-edu-default.conf: Do not force HTTPS on *.crt (including Debian-Edu_rootCA.crt).
Closes: #1068388
- - - - -
a624dc1c by Daniel Teichmann at 2026-05-22T22:29:28+00:00
etc/dovecot/local.conf: Fix passdb block syntax for Dovecot 2.4.x compatibility.
Dovecot 2.4.x introduced a breaking change to the passdb/userdb
configuration block syntax. A prior commit 63523d4c partially adapted
etc/dovecot/local.conf to Dovecot 2.4.x by splitting mail_location
into mail_driver, mail_path, and mail_inbox_path, but did not update
the passdb block, leaving the configuration broken.
This causes Dovecot to fail immediately at startup with:
- doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 10: passdb { }
- dovecot.service: Main process exited, code=exited, status=89/n/a
- - - - -
17c18602 by Daniel Teichmann at 2026-05-22T22:30:02+00:00
debian/control: Add 'Conflicts: firefox-esr-mobile-config'.
This ensures that /usr/share/firefox-esr/distribution/policies.json
will not be overwritten by the other package.
Closes: #1126881
- - - - -
16922109 by Daniel Teichmann at 2026-05-22T22:34:37+00:00
v3CA.cnf: Fix Root CA X.509v3 extensions for OpenSSL 3 compatibility
OpenSSL 3 strictly enforces certificate purposes.
The old Root CA configuration lacked the required critical
basic constraints (CA:TRUE) and the proper key usage flags
(cRLSign, keyCertSign) necessary to act as an issuing authority.
Without these, OpenSSL 3 rejects the CA with an
"invalid CA certificate" error.
The flag "critical" is also required by OpenSSLv3.
- - - - -
1ef598be by Daniel Teichmann at 2026-05-22T22:34:37+00:00
v3.cnf: Fix server cert X.509v3 extensions for OpenSSL 3 compatibility
OpenSSL 3 requires server certificates to explicitly declare
their extended key usage.
The v3.cnf file previously only defined Subject Alternative Names,
lacking the serverAuth Extended Key Usage flag.
This caused OpenSSL 3 clients (like libldap) to reject the server
certificate during the TLS handshake with an
"unsuitable certificate purpose" error.
This commit adds the necessary Key Usage and Extended Key Usage definitions.
- - - - -
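As an added example (not code from debian-edu-config or its authors): a small Python lint that reads an OpenSSL extension file of the v3CA.cnf / v3.cnf kind and reports the gaps the two commit messages above (16922109 and 1ef598be) describe, run over the old and new file contents taken from this push's diff. The parser's rules (one `key = value` per line, `#` comments, the unnamed section ending at the first `[section]` header) are an assumption for the example, not OpenSSL's own config parser.

```python
# Added example (not debian-edu-config code): lint an OpenSSL extension file
# of the v3CA.cnf / v3.cnf kind for the gaps the two commits describe.
# Assumed file rules: one "key = value" per line, "#" comments, and the
# unnamed (default) section ends at the first "[section]" header.
def parse_default_section(text: str) -> dict:
    """Map each key in the default section to its comma-separated values."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):  # a named section: the default section is over
            break
        key, _, value = line.partition("=")
        out[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return out

def lint_ca(cnf: str) -> list:
    """Checks for a root CA: critical CA:TRUE and the signing key-usage bits."""
    ext, problems = parse_default_section(cnf), []
    bc = [v.upper() for v in ext.get("basicConstraints", [])]
    if "CA:TRUE" not in bc:
        problems.append("basicConstraints must contain CA:TRUE")
    if "CRITICAL" not in bc:
        problems.append("basicConstraints should be marked critical")
    ku = ext.get("keyUsage", [])
    for bit in ("keyCertSign", "cRLSign"):
        if bit not in ku:
            problems.append(f"keyUsage lacks {bit}")
    if "critical" not in ku:
        problems.append("keyUsage should be marked critical")
    return problems

def lint_server(cnf: str) -> list:
    """Checks for a TLS server cert: serverAuth EKU, signing bit, SAN present."""
    ext, problems = parse_default_section(cnf), []
    if "serverAuth" not in ext.get("extendedKeyUsage", []):
        problems.append("extendedKeyUsage lacks serverAuth")
    if "digitalSignature" not in ext.get("keyUsage", []):
        problems.append("keyUsage lacks digitalSignature")
    if "subjectAltName" not in ext:
        problems.append("subjectAltName missing")
    return problems

# File contents before and after the fix, copied from the diff in this push.
OLD_CA = "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:True\nkeyUsage = digitalSignature\nsubjectAltName = @alt_names\n[alt_names]\nDNS = www\n"
NEW_CA = "authorityKeyIdentifier = keyid, issuer\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, digitalSignature, cRLSign, keyCertSign\nsubjectAltName = @alt_names\n[alt_names]\nDNS = www\n"
OLD_SERVER = "authorityKeyIdentifier=keyid,issuer\nsubjectAltName = @alt_names\n[alt_names]\n"
NEW_SERVER = "authorityKeyIdentifier=keyid,issuer\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n[alt_names]\n"
```

Calling `lint_ca(OLD_CA)` lists the four missing pieces the commit message names, while `lint_ca(NEW_CA)` and `lint_server(NEW_SERVER)` return empty lists.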
e5573407 by Daniel Teichmann at 2026-05-22T22:34:37+00:00
tools/create-debian-edu-certs: Fix script to apply correct configurations
1. It failed to apply the $V3_CA_CONF extensions when generating the Root CA,
resulting in a CA missing its basic constraints.
2. It erroneously used the CA configuration ($SSL_CA_CONF) instead of the
server configuration ($SSL_CONF) when generating the server CSR.
This caused the Root CA and the Server Certificate to share identical
Subject DNs, confusing the OpenSSL 3 validation chain.
This commit corrects the openssl req invocations to use the appropriate
configuration and extension files.
- - - - -
f2bacf68 by Daniel Teichmann at 2026-05-22T22:34:37+00:00
tools/create-server-cert: Add OpenSSL 3 extensions and fix base config
* Injects missing `keyUsage` and `extendedKeyUsage` into the generated
v3.conf to satisfy OpenSSL 3 strict validation requirements.
* Switches the template from `sslCA.cnf` to `ssl.cnf` so server
certificates do not inherit the Root CA's Organizational Unit.
NOTE: These are fixes that come from previous commits.
See the history of create-debian-edu-certs for more info.
- - - - -
12 changed files:
- Makefile
- debian/control
- etc/apache2/sites-available/debian-edu-default.conf
- etc/dovecot/local.conf
- + ldap-bootstrap/debian-edu-router.ldif
- ldap-tools/ldap-debian-edu-install
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/tools/copy-host-keytab
- share/debian-edu-config/tools/create-debian-edu-certs
- share/debian-edu-config/tools/create-server-cert
- share/debian-edu-config/v3.cnf
- share/debian-edu-config/v3CA.cnf
Changes:
=====================================
Makefile
=====================================
@@ -195,6 +195,7 @@ LDIFS = \
ltsp.ldif \
gosa.ldif \
gosa-server.ldif \
+ debian-edu-router.ldif \
$(NULL)
LDAPPROGRAMS = \
=====================================
debian/control
=====================================
@@ -18,6 +18,7 @@ Vcs-Git: https://salsa.debian.org/debian-edu/debian-edu-config.git
Package: debian-edu-config
Architecture: all
+Conflicts: firefox-esr-mobile-config,
Depends: ${misc:Depends},
adduser,
bind9-host,
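Review bot: `Conflicts: firefox-esr-mobile-config,` ends with a trailing comma after a single entry, which reads like an unfinished list; drop the comma unless more packages are meant to follow. Conflicts is the right relation for "these two must never be installed together", which is what protecting /usr/share/firefox-esr/distribution/policies.json needs.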
=====================================
etc/apache2/sites-available/debian-edu-default.conf
=====================================
@@ -7,7 +7,9 @@
<Directory /etc/debian-edu/www/ >
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
+ # HTTP only: wpad.dat + Debian-Edu_rootCA.crt
RewriteCond %{REQUEST_URI} !\.dat$
+ RewriteCond %{REQUEST_URI} !\.crt$
RewriteRule ^(.*)$ https://%{SERVER_ADDRESS}/$1 [R=301,L]
Options Indexes FollowSymLinks MultiViews
AllowOverride None
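Review bot: the new `RewriteCond %{REQUEST_URI} !\.crt$` exempts every path ending in .crt under /etc/debian-edu/www from the HTTPS redirect, while the comment above it names only Debian-Edu_rootCA.crt. If the intent is to expose just the root CA over plain HTTP (a client that does not yet trust the CA cannot validate the HTTPS download), match that one file, e.g. `RewriteCond %{REQUEST_URI} !/Debian-Edu_rootCA\.crt$`, and keep the CA fingerprint published where an admin can check it out of band, since a plain-HTTP download has no integrity protection.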
=====================================
etc/dovecot/local.conf
=====================================
@@ -7,8 +7,12 @@ auth_gssapi_hostname = postoffice.intern
mail_driver = maildir
mail_path = ~/Maildir
mail_inbox_path = /var/mail/%u
-passdb {
- args = uid=uid home=homeDirectory
- driver = static
+
+passdb static {
+ fields {
+ uid = uid
+ home = homeDirectory
+ }
}
+
protocols = "imap"
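Review bot: the two added empty lines (the lone `+` at the top and bottom of the hunk) are whitespace-only churn; drop them. More importantly, the commit message shows only that doveconf no longer fails; `uid = uid` and `home = homeDirectory` have moved from `args` into a `fields { }` block, so confirm against the Dovecot 2.4 documentation that those keys are still honoured for a static passdb and that an actual IMAP login (GSSAPI, per the `auth_gssapi_hostname` context line) succeeds, not just that the file parses.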
=====================================
ldap-bootstrap/debian-edu-router.ldif
=====================================
@@ -0,0 +1,37 @@
+dn: cn=proxy-trusted,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-trusted
+description: Completely unfiltered internet access (+ bypasses NAT/T-P-M) - ProxyTrusted{User,Client} - Debian Edu Router Plugin: Content filter
+# This should enable direct unNAT'ted (bypasses transparent-proxy-mode) internet access to all internal servers in the Debian Edu network.
+memberNisNetgroup: server-hosts
+
+dn: cn=proxy-allow,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-allow
+description: Generally unfiltered internet access - ProxyAllow{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-deny,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-deny
+description: Disables internet access completely - ProxyDeny{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-blacklist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-blacklist
+description: Allows all but specific blacklisted websites - ProxyBlacklist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-whitelist,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-whitelist
+description: Allows nothing but specific whitelisted websites - ProxyWhitelist{User,Client} - Debian Edu Router Plugin: Content filter
+
+dn: cn=proxy-noauth-client,ou=netgroup,dc=skole,dc=skolelinux,dc=no
+objectClass: top
+objectClass: nisNetgroup
+cn: proxy-noauth-client
+description: Fully disable auth. for these clients (BYOD Clients) - ProxyNoauthClient - Debian Edu Router Plugin: Content filter
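Review bot: `memberNisNetgroup: server-hosts` makes every host in server-hosts a member of proxy-trusted, i.e. completely unfiltered, NAT-bypassing access according to the description line, but that coupling is explained only in an in-file `#` comment. State it in the `description` attribute too, which is what an admin sees in GOsa, so that later adding a host to server-hosts is understood to also bypass the content filter, and spell out "T-P-M" (transparent proxy mode) there rather than abbreviating it.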
=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -282,7 +282,8 @@ EOF
/etc/ldap/gosa-server.ldif \
/etc/ldap/ltsp.ldif \
/etc/ldap/firstuser.ldif \
- /etc/ldap/krb5.ldif
+ /etc/ldap/krb5.ldif \
+ /etc/ldap/debian-edu-router.ldif
do
if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
-e "s/\$MAC/$MAC/" \
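Review bot: the new ldif is loaded last, after /etc/ldap/krb5.ldif, and references the `server-hosts` netgroup through memberNisNetgroup; LDAP does not verify that a referenced netgroup name exists, so a typo or a reordering of this list would load silently. Confirm that server-hosts is created by one of the earlier ldifs in this list, and consider an ldapsearch for cn=proxy-trusted after bootstrap to check the membership actually resolves.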
=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -117,6 +117,7 @@
<tab class="gofaxAccount" name="Fax" />
<tab class="phoneAccount" name="Phone" />
<tab class="nagiosAccount" name="Nagios" />
+ <tab class="netgroupAccount" name="NIS Netgroup" />
</usertabs>
<!-- User dialog -->
=====================================
share/debian-edu-config/tools/copy-host-keytab
=====================================
@@ -1,6 +1,21 @@
#!/bin/sh
set -e
-kinit
+
+if [ $(id -u) -gt 0 ]; then
+ echo "ERROR: This script has to run as super-user root."
+ exit 1
+fi
+
+# Attempt passwordless SSH login root at tjener (could be publickey, gssapi-keyex, or gssapi-with-mic)
+set +e
+ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no tjener "echo -n" 2>/dev/null
+ret=$?
+set -e
+if [ "${ret}" != "0" ]; then
+ # Try to get a Kerberos ticket for root instead to use GSSAPI login.
+ kinit root
+fi
+
scp tjener:/var/lib/debian-edu/host-keytabs/$(hostname -s).intern.keytab /etc/krb5.keytab
# Special case separate LTSP server.
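Review bot: the probe `ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no tjener "echo -n"` can still block on an interactive prompt (an unknown host key on a freshly installed machine, or a passphrase request from the agent path), which matters for a script meant to run unattended as root. `-o BatchMode=yes` disables all such prompts and implies the two options already given, `-o ConnectTimeout=` bounds the wait, and `true` is a clearer remote command than `"echo -n"`. When the fallback `kinit root` was needed only for this copy, a `kdestroy` after the scp keeps the root ticket from lingering in the client's credential cache.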
=====================================
share/debian-edu-config/tools/create-debian-edu-certs
=====================================
@@ -33,10 +33,11 @@ SERVER_KEY="$KEY_DIR/debian-edu-server.key"
generate() {
# Generate Debian Edu root CA private key.
openssl genrsa -out $CA_KEY 2048
- # Request rootCA certificate.
- openssl req -x509 -new -nodes -key $CA_KEY -days 3650 -out $CA_CERT -config $SSL_CA_CONF
+ # Request rootCA CSR and self-sign it to apply v3 extensions.
+ openssl req -new -nodes -key $CA_KEY -out $TMP/ca.csr -config $SSL_CA_CONF
+ openssl x509 -req -in $TMP/ca.csr -signkey $CA_KEY -days 3650 -out $CA_CERT -extfile $V3_CA_CONF
# Request web server key.
- openssl req -new -nodes -out $TMP/server.csr -newkey rsa:2048 -keyout $SERVER_KEY -config $SSL_CA_CONF
+ openssl req -new -nodes -out $TMP/server.csr -newkey rsa:2048 -keyout $SERVER_KEY -config $SSL_CONF
# Request web server certificate.
openssl x509 -req -in $TMP/server.csr -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $SERVER_CERT -days 3650 -extfile $V3_CONF
# Adjust owner and rights.
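Review bot: the split into `openssl req -new` plus `openssl x509 -req ... -extfile $V3_CA_CONF` works, but `openssl req -x509 -config $SSL_CA_CONF` with `-extensions` or `-addext` applies the v3 extensions in one step and avoids the intermediate `$TMP/ca.csr`; either way, `$TMP/ca.csr` and the other paths are unquoted. Since this commit exists because the generated chain failed OpenSSL 3 validation without anyone noticing, add a check at the end of generate(), e.g. `openssl verify -purpose sslserver -CAfile "$CA_CERT" "$SERVER_CERT"`, so a future regression fails the script rather than the first TLS client.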
=====================================
share/debian-edu-config/tools/create-server-cert
=====================================
@@ -135,20 +135,23 @@ csrfile="${certname}.csr"
tempdir=$(mktemp -d)
+# Same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs
cat > "${tempdir}/v3.conf" <<EOF
# v3.ext
authorityKeyIdentifier=keyid,issuer
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
$(for item in ${SANs[*]}; do echo $item; done)
EOF
-# same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs
-SSL_CA_CONF="/usr/share/debian-edu-config/sslCA.cnf"
+# Same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs
+SSL_CONF="/usr/share/debian-edu-config/ssl.cnf"
# tweak the common name to match our FQDN
-cp "${SSL_CA_CONF}" "${tempdir}/ssl.cnf"
+cp "${SSL_CONF}" "${tempdir}/ssl.cnf"
sed -r -i "${tempdir}/ssl.cnf" -e "s/(commonName\s+=\s+)(.*)/\1${server_name}.${server_domain}/"
if [ -f "${keydir}/${keyfile}" ]; then
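Review bot: the comment `# Same as in /usr/share/debian-edu-config/tools/create-debian-edu-certs` now appears twice in this hunk, above the heredoc and above SSL_CONF; keep one. The heredoc is a hand-maintained copy of share/debian-edu-config/v3.cnf, which is exactly what let the two drift apart before this fix; building the per-host v3.conf from the shipped v3.cnf (copy it, then append the alt_names block, as is already done for ssl.cnf a few lines below) would keep them in sync.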
=====================================
share/debian-edu-config/v3.cnf
=====================================
@@ -1,5 +1,7 @@
# v3.ext
authorityKeyIdentifier=keyid,issuer
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
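Review bot: `keyUsage = digitalSignature, keyEncipherment` is not marked critical here while v3CA.cnf marks both of its extensions critical; for an end-entity server certificate that asymmetry is reasonable, but a one-line comment saying so would stop someone "fixing" it later. keyEncipherment is only meaningful for RSA keys (the scripts use `-newkey rsa:2048`); if key generation ever moves to EC keys this line needs revisiting.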
=====================================
share/debian-edu-config/v3CA.cnf
=====================================
@@ -1,9 +1,8 @@
# v3.ext
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:True
-keyUsage = digitalSignature
+authorityKeyIdentifier = keyid, issuer
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names
[alt_names]
DNS = www
-
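Review bot: `basicConstraints = critical, CA:TRUE` carries no path length constraint; since this root only ever signs end-entity server certificates (see create-debian-edu-certs in this push), `critical, CA:TRUE, pathlen:0` would stop a mis-issued or leaked certificate from being used as a subordinate CA. An explicit `subjectKeyIdentifier = hash` next to `authorityKeyIdentifier = keyid, issuer` is also worth adding rather than relying on the tool's defaults, and `subjectAltName = @alt_names` with `DNS = www` serves no purpose on a CA certificate.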
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/faffe26eafb8ecbe60cc3c4ad3ac3bab6a90b114...f2bacf68f0c57871f53e72f925f5f3c455247ec0