Bug#926933: fetch-ldap-cert fails against LDAP cert on jessie tjener


Bug#926933: fetch-ldap-cert fails against LDAP cert on jessie tjener

Mike Gabriel-4
Package: debian-edu-config
Version: 2.10.64
Severity: important

I just tested a Debian Edu 10 installation against a Debian Edu 8  
TJENER. The LDAP certificate on the jessie TJENER had been created  
wrongly (subject: CN=localhost, issuer: CN=localhost).

The new gnutls-cli implementation in fetch-ldap-cert now chokes on that
with this error:

```
gnutls-cli --x509cafile /etc/ssl/certs/debian-edu-bundle.crt \
    --save-cert=/etc/ssl/certs/debian-edu-server.crt.new ldap.intern

[...]

Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
```

This probably needs to be addressed by documentation.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: [hidden email], http://das-netzwerkteam.de



Bug#926933: fetch-ldap-cert fails against LDAP cert on jessie tjener

Wolfgang Schweer-3
Hi Mike,

On Fri, Apr 12, 2019 at 11:52:25AM +0000, Mike Gabriel wrote:
> I just tested a Debian Edu 10 installation against a Debian Edu 8 TJENER.
> The LDAP certificate on the jessie TJENER had been created wrongly (subject:
> CN=localhost, issuer: CN=localhost).

Maybe the SSL/TLS related changes would best be dealt with by providing a
jessie-pu/debian-edu-config package. (And maybe for stretch-pu as well,
just in case someone installs a Buster workstation against a Stretch
main server.)

As a workaround copy these files from the Jessie main-server to the
Buster workstation:
(1) /etc/init.d/fetch-ldap-cert
(2) /usr/bin/ldap-server-getcert
(3) /etc/ldap/ldap.conf

Then run 'service fetch-ldap-certrestart'.
It should get this 8/10 combination working.
Same should apply to a 9/10 combination.

Please test.

Wolfgang


Bug#926933: fetch-ldap-cert fails against LDAP cert on jessie tjener

Wolfgang Schweer-3
> Then run 'service fetch-ldap-certrestart'.

typo, should rather be: 'service fetch-ldap-cert restart'.
 
Wolfgang

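As an added example for this thread (it is not code from the bug report, from Mike or Wolfgang, or from debian-edu-config), the POSIX shell script below covers the two practical steps the messages above describe: it explains a gnutls-cli rejection like the one Mike pasted by reading the subject and issuer CN of the saved certificate, verifying it against debian-edu-bundle.crt and comparing the subject CN with the LDAP hostname, and it installs Wolfgang's three workaround files with a backup of whatever they replace before restarting fetch-ldap-cert. Assumptions not in the thread: openssl is installed on the workstation, the LDAP hostname is ldap.intern as in Mike's command, and the three files have already been copied from the jessie main server into a local staging directory (for example with scp). The name check is a simplified CN-only version of what gnutls-cli does; it ignores SubjectAltName.

```shell
#!/bin/sh
# Added example for Bug#926933; not from the bug report or debian-edu-config.
# Assumptions (not stated in the thread): openssl is available, the LDAP host
# is ldap.intern, and the workaround files were fetched into a staging root.
set -eu

# The three files Wolfgang lists in his workaround.
WORKAROUND_FILES="/etc/init.d/fetch-ldap-cert /usr/bin/ldap-server-getcert /etc/ldap/ldap.conf"

# Extract the CN from an openssl DN line. Handles both the old
# "subject= /C=DE/CN=x" and the new "subject=C = DE, CN = x" layouts;
# the last CN in the DN wins.
cn_from_dn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Simplified, CN-only version of the name check gnutls-cli performs
# (SubjectAltName is ignored): case-insensitive exact match or a
# single-label wildcard such as *.intern. Returns 0 on match, 1 otherwise.
name_matches() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$cn" = "$host" ] && return 0
    case $cn in
        \*.*)
            suffix=${cn#\*.}
            rest=${host#*.}
            [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] && return 0
            ;;
    esac
    return 1
}

# Explain a rejection like the one in the report from the saved certificate.
# Usage: diagnose_ldap_cert /etc/ssl/certs/debian-edu-server.crt.new ldap.intern
diagnose_ldap_cert() {
    pem=$1; host=$2
    subject_cn=$(cn_from_dn "$(openssl x509 -in "$pem" -noout -subject)")
    issuer_cn=$(cn_from_dn "$(openssl x509 -in "$pem" -noout -issuer)")
    echo "subject CN: $subject_cn"
    echo "issuer  CN: $issuer_cn"
    status=0
    if openssl verify -CAfile /etc/ssl/certs/debian-edu-bundle.crt "$pem" >/dev/null 2>&1; then
        echo "chain OK against debian-edu-bundle.crt"
    else
        echo "issuer unknown: not verifiable against debian-edu-bundle.crt"
        # CN=localhost / CN=localhost as on the jessie tjener: a self-signed
        # certificate only verifies if that exact certificate is in the bundle.
        [ "$subject_cn" = "$issuer_cn" ] && echo "  (subject and issuer CN are identical; self-signed?)"
        status=1
    fi
    if name_matches "$subject_cn" "$host"; then
        echo "name OK for $host"
    else
        echo "name mismatch: certificate CN is '$subject_cn', expected '$host'"
        status=1
    fi
    return $status
}

# Wolfgang's workaround: install the three files from a staging root into a
# target root (/ on the Buster workstation), keeping a .bak of anything replaced.
install_workaround_files() {
    src_root=${1%/}; dest_root=${2%/}
    for f in $WORKAROUND_FILES; do
        if [ ! -f "$src_root$f" ]; then
            echo "missing $src_root$f" >&2
            return 1
        fi
        mkdir -p "$(dirname "$dest_root$f")"
        if [ -f "$dest_root$f" ]; then
            cp -p "$dest_root$f" "$dest_root$f.bak"
        fi
        cp -p "$src_root$f" "$dest_root$f"
    done
}

# Command-line entry points; nothing runs when the file is sourced for its functions.
#   sh fetch-ldap-cert-workaround.sh diagnose <saved.crt> <ldap-hostname>
#   sh fetch-ldap-cert-workaround.sh install <staging-root>
case "${1-}" in
    diagnose) diagnose_ldap_cert "$2" "$3" ;;
    install)  install_workaround_files "$2" / && service fetch-ldap-cert restart ;;
esac
```

Run `diagnose` against the .new file that gnutls-cli --save-cert wrote to see which of the two gnutls-cli complaints (unknown issuer, name mismatch) applies; for the jessie case both do. `install` expects a staging root laid out like the tjener's filesystem (staging/etc/init.d/fetch-ldap-cert and so on) and restarts the service with the corrected command from Wolfgang's second message; the .bak copies let you revert once a jessie-pu or stretch-pu package with the proper fix is installed.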