From cdb1fe4ee9eae2316962f49b8fd54d9590b89b4c Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 2 Dec 2020 21:49:26 +0100
Subject: [PATCH] install_dehydrated.sh: add support for TLSA records '2 1 1' and '2 0 2'.
---
 install_dehydrated.sh | 174 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 151 insertions(+), 23 deletions(-)
diff --git a/install_dehydrated.sh b/install_dehydrated.sh
index 920251d..d2a6fde 100755
--- a/install_dehydrated.sh
+++ b/install_dehydrated.sh
@@ -1298,10 +1298,11 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
 get_domain_by_hostname=bind_get_domain_by_hostname.sh
-# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
+# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
 # -
 ttl_311=3600
 ttl_201=3600
+ttl_202=3600
 ttl_211=3600
@@ -1420,11 +1421,12 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
 get_domain_by_hostname=bind_get_domain_by_hostname.sh
-# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
+# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
 # -
-ttl_311=360
-ttl_201=360
-ttl_211=360
+ttl_311=3600
+ttl_201=3600
+ttl_202=3600
+ttl_211=3600
 # - Logfile where the certificate generation process, called from dehydrated 
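Review bot: In the second template the three existing TTLs change from `360` to `3600` (`-ttl_311=360` … `+ttl_311=3600`), a tenfold increase that neither the commit subject nor the `# - TTL for Records` comment explains; the first hunk only adds `ttl_202=3600`. The TTL of a TLSA record bounds how long resolvers may keep serving a superseded record after a key, certificate or CA change, so a larger value lengthens the period during which old and new records must both stay published during a rollover. Either split the TTL change into its own commit or extend the comment, e.g. `# - A longer TTL keeps a replaced record in resolver caches longer; keep the old record published for at least that long during rollover`. If the `360` in the second template was an intentional short-TTL variant (the rest of that template is not visible here), that distinction is now gone.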
@@ -1995,15 +1997,17 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 ;;
 esac
+
- # - Generate TLSA 2 0 1 record
+ # - Generate TLSA 2 1 1 record
 # -
- \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
- tlsa_record_201=\$(
- printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
+ \$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).."
+ tlsa_record_211=\$(
+ printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
 \${_tmp_arr[1]} \\
 \${_tmp_arr[0]} \\
- \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
+ \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
+ openssl pkey -pubin -outform DER |
 openssl dgst -sha256 -binary |
 hexdump -ve '/1 "%02x"')
 )
@@ -2012,9 +2016,9 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 else
 \$verbose && echo_failed
 if \$verbose ; then
- error "Generating \\"TLSA 2 0 1\\" record failed! "
+ error "Generating \"TLSA 2 1 1\\" record failed! "
 else
- echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
+ echo -e "\\n [ Error ]: Generating \"TLSA 2 1 1\\" record failed! \\n"
 fi
 continue
 fi 
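Review bot: `openssl x509 -in .../chain.pem -noout -pubkey` reads only the first PEM certificate in `chain.pem`, so the new `2 1 1` record pins the SPKI of whatever certificate dehydrated writes first into that file — presumably the issuing intermediate, not a root — and nothing in the hunk says so; a comment such as `# - 2 1 1: SHA-256 of the SPKI of the first certificate in chain.pem (the issuing CA), not of the root` next to `# - Generate TLSA 2 1 1 record` would spare an operator the wrong assumption. Because a DANE-TA record bound to an intermediate stops matching as soon as the CA issues from a different intermediate, that comment should also state that the record must be regenerated on every renewal whose issuer changed, which is presumably what this deploy hook already does. Quoting style is mixed: the new lines write `\"TLSA 2 1 1\\"` while the removed ones and the `2 0 2` block write `\\"TLSA ...\\"`, and the `@@ -2012` hunk repeats the asymmetric form; if this is an unquoted here-document, as the `\$` escapes suggest, both produce `\"`, but the asymmetric form reads like a typo. The enclosing `if [[ -n "\$_successfully_created_hosts" ]]` block starts before and ends after this hunk.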
@@ -2023,31 +2027,141 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 # -
 \$verbose && echononl " Add/Renew Record in concerning zone file.."
 ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
- "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
+ "sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1"
 ret_val=\$?
 case \$ret_val in
 0)
 \$verbose && echo_skipped
 if \$verbose ; then
- info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
+ info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date."
 else
- echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
+ echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n"
 fi
 ;;
 1)
 \$verbose && echo_ok
 if \$verbose ; then
- info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
+ info "TLSA 2 1 1 record for \\"\$hostname\\" replaced."
 else
- echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
+ echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n"
 fi
 ;;
 2)
 \$verbose && echo_ok
 if \$verbose ; then
- info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
+ info "New TLSA 2 1 1 record for \\"\$hostname\\" added."
 else
- echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
+ echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n"
+ fi
+ ;;
+ 10)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Invalid TLSA record given!"
+ else
+ echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
+ fi
+ continue
+ ;;
+ 11)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "No zonefile for host \\"\$hostname\\" found!"
+ else
+ echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
+ fi
+ ;;
+ 20)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!" 
+ else
+ echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
+ fi
+ continue
+ ;;
+ 21)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
+ else
+ echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
+ fi
+ continue
+ ;;
+ 99)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Fatal Error!"
+ else
+ echo -e "\\n [ Error ]: Fatal Error! \\n"
+ fi
+ continue
+ ;;
+ *)
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
+ else
+ echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
+ fi
+ continue
+ ;;
+
+ esac
+
+ # - Generate TLSA 2 0 2 record
+ # -
+ \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
+ tlsa_record_202=\$(
+ printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
+ \${_tmp_arr[1]} \\
+ \${_tmp_arr[0]} \\
+ \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
+ openssl dgst -sha512 -binary |
+ hexdump -ve '/1 "%02x"')
+ )
+ if [[ \$? -eq 0 ]] ; then
+ \$verbose && echo_ok
+ else
+ \$verbose && echo_failed
+ if \$verbose ; then
+ error "Generating \\"TLSA 2 0 2\\" record failed! "
+ else
+ echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
+ fi
+ continue
+ fi
+
+ # - Add/Renew Record in concerning zone file
+ # -
+ \$verbose && echononl " Add/Renew Record in concerning zone file.."
+ ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
+ "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1"
+ ret_val=\$?
+ case \$ret_val in
+ 0)
+ \$verbose && echo_skipped
+ if \$verbose ; then
+ info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date." 
+ else
+ echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n"
+ fi
+ ;;
+ 1)
+ \$verbose && echo_ok
+ if \$verbose ; then
+ info "TLSA 2 0 2 record for \\"\$hostname\\" replaced."
+ else
+ echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n"
+ fi
+ ;;
+ 2)
+ \$verbose && echo_ok
+ if \$verbose ; then
+ info "New TLSA 2 0 2 record for \\"\$hostname\\" added."
+ else
+ echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n"
 fi
 ;;
 10)
@@ -2071,18 +2185,18 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 20)
 \$verbose && echo_failed
 if \$verbose ; then
- error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
+ error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
 else
- echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
+ echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
 fi
 continue
 ;;
 21)
 \$verbose && echo_failed
 if \$verbose ; then
- error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
+ error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
 else
- echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
+ echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
 fi
 continue
 ;;
@@ -3506,6 +3620,16 @@ tlsa_record_201_chain=\$(
 hexdump -ve '/1 "%02x"')"
 )
+cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
+tlsa_record_202_chain=\$(
+ printf '_%s._tcp.%s. 360 IN TLSA 2 0 2 %s\n' \\
+ \$port \\
+ \$hostname \\
+ "\$(openssl x509 -in \$cert -outform DER |
+ openssl dgst -sha512 -binary |
+ hexdump -ve '/1 "%02x"')"
+)
+
 tlsa_record_211_root=""
 cert=/var/lib/dehydrated/certs/\${hostname}/root.ca
 if [[ -f "\$cert" ]]; then 
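Review bot: The `if [[ \$? -eq 0 ]] ; then` after `tlsa_record_202=\$( ... )` only sees the exit status of the outer `printf`; the `openssl x509 | openssl dgst | hexdump` pipeline runs in a nested substitution whose failure is lost, and because `openssl dgst` hashes empty input without complaint, a missing or unreadable `chain.pem` still yields a plausible-looking digest that the following `ssh ... sudo \$renew_tlsa_record \$tlsa_record_202` line publishes as a record matching nothing, while the local log reports success. Computing the digest first in its own substitution with `set -o pipefail` inside that subshell, and building the record only when it succeeded, makes the error branch reachable; the `2 1 1` block in the `@@ -1995` hunk has the same shape and needs the same treatment (rewrite below is in the hunk's escaped here-document form). Two smaller points: the `*)` arm's `echo -e` line ends the script name with `\$renew_tlsa_record\! \\n` where its `error` twin uses `\\"`, so the closing quote is dropped from that message, and both the comment and the echononl text say `from root certificate (root.ca)` although the data comes from `chain.pem`. The enclosing `if [[ -n "\$_successfully_created_hosts" ]]` block starts before and ends after this hunk.
```shell
   # - Generate TLSA 2 0 2 record (SHA-512 of the first certificate in chain.pem)
   # -
   \$verbose && echononl "    Generate \\"TLSA 2 0 2\\" record from certificate chain (\${_tmp_arr[0]}).."
   # - pipefail inside the subshell: a failing openssl stage must not hide behind hexdump's status
   _digest_202=\$(set -o pipefail;
      openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
      openssl dgst -sha512 -binary |
      hexdump -ve '/1 "%02x"')
   if [[ \$? -eq 0 && -n "\$_digest_202" ]] ; then
      tlsa_record_202=\$(printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
         "\${_tmp_arr[1]}" "\${_tmp_arr[0]}" "\$_digest_202")
      \$verbose && echo_ok
   else
      # … unchanged: echo_failed, error/echo reporting, continue …
   fi
```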
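Review bot: The new `tlsa_record_202_chain` hard-codes the TTL as `360` in the `printf '_%s._tcp.%s. 360 IN TLSA 2 0 2 %s\n'` format, while the configuration hunks at `@@ -1298` and `@@ -1420` set `ttl_202=3600`, so a record copied from this printout differs from the one the deploy hook publishes. If this display block mirrors the neighbouring `tlsa_record_201_chain` on purpose, say so with `# - display only: the deploy hook publishes the record with \$ttl_202`; otherwise use `\$ttl_202` here, if it is in scope at this point of the script. `\$cert`, `\$port` and `\$hostname` are expanded unquoted in the block; they come from local configuration, so this is a style point rather than an injection concern, but quoting them (as the `-f "\$cert"` test just below already does) keeps the record intact should a value ever contain whitespace. `tlsa_record_201_chain=\$(` begins before this hunk.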
@@ -3537,6 +3661,10 @@ echo "TLSA 2 0 1 chain"
 echo "================"
 echo "\$tlsa_record_201_chain"
 echo ""
+echo "TLSA 2 0 2 chain"
+echo "================"
+echo "\$tlsa_record_202_chain"
+echo ""
 if [[ -n "\$tlsa_record_211_root" ]]; then
 echo "TLSA 2 1 1 root"
 echo "==============="