diff --git a/install_dehydrated.sh b/install_dehydrated.sh
index 9460f54..1a578ad 100755
--- a/install_dehydrated.sh
+++ b/install_dehydrated.sh
@@ -2110,6 +2110,117 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 esac
+ # - Generate TLSA 2 0 1 record
+ # -
+ \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
+ tlsa_record_201=\$(
+ printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
+ \${_tmp_arr[1]} \\
+ \${_tmp_arr[0]} \\
+ \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
+ openssl dgst -sha256 -binary |
+ hexdump -ve '/1 "%02x"')
+ )
+ if [[ \$? -eq 0 ]] ; then
+ \$verbose && echo_ok
+ else
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Generating \\"TLSA 2 0 1\\" record failed! "
+ else
+ echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
+ fi
+ continue
+ fi
+
+ # - Add/Renew Record in concerning zone file
+ # -
+ \$verbose && echononl " Add/Renew Record in concerning zone file.."
+ ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
+ "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
+ ret_val=\$?
+ case \$ret_val in
+ 0)
+ \$verbose && echo_skipped
+ if \$verbose ; then
+ info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
+ else
+ echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
+ fi
+ ;;
+ 1)
+ \$verbose && echo_ok
+ if \$verbose ; then
+ info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
+ else
+ echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
+ fi
+ ;;
+ 2)
+ \$verbose && echo_ok
+ if \$verbose ; then
+ info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
+ else
+ echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
+ fi
+ ;;
+ 10)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Invalid TLSA record given!"
+ else
+ echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
+ fi
+ continue
+ ;;
+ 11)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "No zonefile for host \\"\$hostname\\" found!"
+ else
+ echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
+ fi
+ continue
+ ;;
+ 20)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
+ else
+ echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
+ fi
+ continue
+ ;;
+ 21)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
+ else
+ echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
+ fi
+ continue
+ ;;
+ 99)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Fatal Error!"
+ else
+ echo -e "\\n [ Error ]: Fatal Error! \\n"
+ fi
+ continue
+ ;;
+ *)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
+ else
+ echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
+ fi
+ continue
+ ;;
+
+ esac
+
 # - Generate TLSA 2 0 2 record
 # -
 \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
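Review bot: The `if [[ $? -eq 0 ]]` after `tlsa_record_201=$( printf ... $(openssl x509 ... | openssl dgst ... | hexdump ...) )` only sees printf's exit status, so a missing or unreadable chain.pem produces a record with an empty hash field, takes the echo_ok branch anyway, and is pushed to the nameserver with only the remote script's code 10 left to reject it. Computing the digest in its own assignment and checking it is exactly 64 hex characters before building the record makes the failure path actually reachable, independent of whether pipefail is set earlier in the file. The record is then interpolated unquoted into `"sudo $renew_tlsa_record $tlsa_record_201 > /dev/null 2>&1"`, which the remote login shell re-parses under sudo; `${_tmp_arr[0]}`/`${_tmp_arr[1]}` are filled outside this hunk, so quote the argument with `printf '%q'` (or pass the record on stdin) rather than rely on their contents being shell-clean. Two smaller points: remote exit code 1 is reported as "record replaced", but sudo itself exits 1 on a denied policy check, so a permission problem on the nameserver would be logged as success; and in the `*)` arm the closing `\"` after `$renew_tlsa_record` has one backslash fewer than the opening `\\"` and every other message, which as displayed reads as an unbalanced quote and is worth checking in the actual file. The echononl text "from root certificate (root.ca)" is copied from the 2 0 2 section, whereas this code hashes the first certificate in chain.pem (with dehydrated that is normally the issuing intermediate, not the root), so the message and the `# - Generate TLSA 2 0 1 record` comment should say so; the enclosing `if [[ -n "$_successfully_created_hosts" ]]` block and its host loop begin before the hunk.
```shell
# - Generate TLSA 2 0 1 record (DANE-TA, full certificate, SHA-256) from the
# - first certificate in chain.pem (the issuing CA, not the root)
# -
$verbose && echononl " Generate \"TLSA 2 0 1\" record from chain.pem.."
# Digest computed on its own so that a failing openssl is detected; the
# exit status of the combined printf/$(...) form only reflected printf.
tlsa_hash_201=$(openssl x509 -in "/var/lib/dehydrated/certs/${_tmp_arr[0]}/chain.pem" -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | hexdump -ve '/1 "%02x"')
if [[ "$tlsa_hash_201" =~ ^[0-9a-f]{64}$ ]] ; then
    tlsa_record_201=$(printf "_%s._tcp.%s. %s IN TLSA 2 0 1 %s\n" \
        "${_tmp_arr[1]}" "${_tmp_arr[0]}" "$ttl_201" "$tlsa_hash_201")
    $verbose && echo_ok
else
    # … unchanged: echo_failed / error reporting / continue …
fi
# … unchanged: "Add/Renew Record in concerning zone file" message …
# %q-quote the record so the remote shell passes it to the sudo'd script as
# one argument instead of re-parsing it as a command line.
ssh -q -p "$dane_ssh_port" -i "$dane_ssh_key" "${dane_ssh_user}@${dane_nameserver}" \
    "sudo $renew_tlsa_record $(printf '%q' "$tlsa_record_201") > /dev/null 2>&1"
# … unchanged: ret_val case statement …
```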