certificates/dehydrated-cron
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

install_dehydrated.sh: add support for TLSA records '2 1 1' and '2 0 2'.

Browse Source
This commit is contained in:
Christoph 2020-12-02 21:49:26 +01:00
parent 38b620bcb3
commit cdb1fe4ee9
1 changed files with 151 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

174
install_dehydrated.sh
View File

@ -1298,10 +1298,11 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh get_domain_by_hostname=bind_get_domain_by_hostname.sh
# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1" # - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# - # -
ttl_311=3600 ttl_311=3600
ttl_201=3600 ttl_201=3600
ttl_202=3600
ttl_211=3600 ttl_211=3600
@ -1420,11 +1421,12 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh get_domain_by_hostname=bind_get_domain_by_hostname.sh
# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1" # - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# - # -
ttl_311=360 ttl_311=3600
ttl_201=360 ttl_201=3600
ttl_211=360 ttl_202=3600
ttl_211=3600
# - Logfile where the certificate generation process, called from dehydrated # - Logfile where the certificate generation process, called from dehydrated
@ -1995,15 +1997,17 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
;; ;;
esac esac
# - Generate TLSA 2 0 1 record # - Generate TLSA 2 1 1 record
# - # -
\$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).." \$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).."
tlsa_record_201=\$( tlsa_record_211=\$(
printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\ printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
\${_tmp_arr[1]} \\ \${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\ \${_tmp_arr[0]} \\
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER | \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary | openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"') hexdump -ve '/1 "%02x"')
) )
@ -2012,9 +2016,9 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
else else
\$verbose && echo_failed \$verbose && echo_failed
if \$verbose ; then if \$verbose ; then
error "Generating \\"TLSA 2 0 1\\" record failed! " error "Generating \"TLSA 2 1 1\\" record failed! "
else else
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n" echo -e "\\n [ Error ]: Generating \"TLSA 2 1 1\\" record failed! \\n"
fi fi
continue continue
fi fi
@ -2023,31 +2027,141 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
# - # -
\$verbose && echononl " Add/Renew Record in concerning zone file.." \$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1" "sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1"
ret_val=\$? ret_val=\$?
case \$ret_val in case \$ret_val in
0) 0)
\$verbose && echo_skipped \$verbose && echo_skipped
if \$verbose ; then if \$verbose ; then
info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date." info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date."
else else
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n" echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n"
fi fi
;; ;;
1) 1)
\$verbose && echo_ok \$verbose && echo_ok
if \$verbose ; then if \$verbose ; then
info "TLSA 2 0 1 record for \\"\$hostname\\" replaced." info "TLSA 2 1 1 record for \\"\$hostname\\" replaced."
else else
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n" echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n"
fi fi
;; ;;
2) 2)
\$verbose && echo_ok \$verbose && echo_ok
if \$verbose ; then if \$verbose ; then
info "New TLSA 2 0 1 record for \\"\$hostname\\" added." info "New TLSA 2 1 1 record for \\"\$hostname\\" added."
else else
echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n" echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
fi
continue
;;
esac
# - Generate TLSA 2 0 2 record
# -
\$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
tlsa_record_202=\$(
printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
openssl dgst -sha512 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \\"TLSA 2 0 2\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 2 0 2 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 2 0 2 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n"
fi fi
;; ;;
10) 10)
@ -2071,18 +2185,18 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
20) 20)
\$verbose && echo_failed \$verbose && echo_failed
if \$verbose ; then if \$verbose ; then
error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!" error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
else else
echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
fi fi
continue continue
;; ;;
21) 21)
\$verbose && echo_failed \$verbose && echo_failed
if \$verbose ; then if \$verbose ; then
error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!" error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
else else
echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
fi fi
continue continue
;; ;;
@ -3506,6 +3620,16 @@ tlsa_record_201_chain=\$(
hexdump -ve '/1 "%02x"')" hexdump -ve '/1 "%02x"')"
) )
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
tlsa_record_202_chain=\$(
printf '_%s._tcp.%s. 360 IN TLSA 2 0 2 %s\n' \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
openssl dgst -sha512 -binary |
hexdump -ve '/1 "%02x"')"
)
tlsa_record_211_root="" tlsa_record_211_root=""
cert=/var/lib/dehydrated/certs/\${hostname}/root.ca cert=/var/lib/dehydrated/certs/\${hostname}/root.ca
if [[ -f "\$cert" ]]; then if [[ -f "\$cert" ]]; then
@ -3537,6 +3661,10 @@ echo "TLSA 2 0 1 chain"
echo "================" echo "================"
echo "\$tlsa_record_201_chain" echo "\$tlsa_record_201_chain"
echo "" echo ""
echo "TLSA 2 0 2 chain"
echo "================"
echo "\$tlsa_record_202_chain"
echo ""
if [[ -n "\$tlsa_record_211_root" ]]; then if [[ -n "\$tlsa_record_211_root" ]]; then
echo "TLSA 2 1 1 root" echo "TLSA 2 1 1 root"
echo "===============" echo "==============="