diff --git a/install_dehydrated.sh b/install_dehydrated.sh index abd28e5..7a950c4 100755 --- a/install_dehydrated.sh +++ b/install_dehydrated.sh @@ -482,7 +482,7 @@ fi if [[ -n "$GITLAB_CONF_FILE" ]]; then - if [[ ! -d "/var/lib/dehydrated/certs/${HOST_NAME}" ]]; then + if [[ ! -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then URL_SCHEMA="http" else URL_SCHEMA="https" @@ -596,7 +596,7 @@ EOF echo_skipped fi - if [[ -d "/var/lib/dehydrated/certs/${HOST_NAME}" ]]; then + if [[ -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then echononl " Adjust ${GITLAB_CONF_FILE} - letsencrypt['enable']" @@ -700,11 +700,11 @@ EOF echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.key'.." if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.key" ]] \ - && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "/var/lib/dehydrated/certs/${HOST_NAME}/privkey.pem" ]] ; then + && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" ]] ; then echo_skipped else rm -rf "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 - ln -s "/var/lib/dehydrated/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 + ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true 
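Review bot: Every path in this hunk now hinges on `${DH_BASE_DIR}` being non-empty, and nothing in the hunk guards it: with the variable unset or empty the test silently degrades to `/certs/${HOST_NAME}`, and in the `@@ -700` and `@@ -715` hunks `ln -s` would then replace GitLab's `.key`/`.crt` with a dangling symlink into `/certs/…` and still report `echo_ok` if the link call itself succeeds. The same applies to the `@@ -596`, `@@ -700` and `@@ -715` hunks. Since the script does not appear to run under `set -u` (not visible in these hunks), the cheap fix is the `:?` form at the first use in each place, e.g. `if [[ ! -d "${DH_BASE_DIR:?DH_BASE_DIR is not set}/certs/${HOST_NAME}" ]]; then` and `ln -s "${DH_BASE_DIR:?}/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key"`, which aborts with a message instead of relinking the TLS material to a wrong location. The surrounding `if [[ -n "$GITLAB_CONF_FILE" ]]` block starts and ends outside the hunk.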
@@ -715,11 +715,11 @@ EOF echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.crt'.." if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.crt" ]] \ - && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "/var/lib/dehydrated/certs/${HOST_NAME}/fullchain.pem" ]]; then + && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" ]]; then echo_skipped else rm -rf "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 - ln -s "/var/lib/dehydrated/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 + ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok gitlab_reconfigure=true @@ -1300,9 +1300,19 @@ renew_tlsa_record=bind_set_renew_tlsa.sh get_domain_by_hostname=bind_get_domain_by_hostname.sh -# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1" +# Which TLSA Records are to be released? +# +generate_tlsa_311=true +generate_tlsa_301=false +generate_tlsa_211=true +generate_tlsa_201=false +generate_tlsa_202=false + + +# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1" # - ttl_311=3600 +ttl_301=3600 ttl_201=3600 ttl_202=3600 ttl_211=3600 @@ -1423,9 +1433,19 @@ renew_tlsa_record=bind_set_renew_tlsa.sh get_domain_by_hostname=bind_get_domain_by_hostname.sh -# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1" +# Which TLSA Records are to be released? +# +generate_tlsa_311=true +generate_tlsa_301=false +generate_tlsa_211=true +generate_tlsa_201=false +generate_tlsa_202=false + + +# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1" # - ttl_311=3600 +ttl_301=3600 ttl_201=3600 ttl_202=3600 ttl_211=3600 
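Review bot: The new `generate_tlsa_*` settings in the `@@ -1300` hunk (and its duplicate in `@@ -1423`) are not read as booleans but executed as commands by the generated cron script (`if ! \${generate_tlsa_311} ; then`), so any value other than the literal words `true` or `false` — `yes`, `1`, `"true"` with stray whitespace — either fails with "command not found" or runs whatever program has that name; a config comment should say so explicitly, e.g. `# Values must be exactly true or false (the flag is executed as a shell command by dh_tlsgen.sh / the cron script)`. The header comment `# Which TLSA Records are to be released?` also reads oddly; `# Which TLSA records are to be generated and published?` matches what the flags control. Both config blocks carry the identical addition, so keeping them in sync by hand is a maintenance risk worth a comment pointing at the other copy, or a single shared snippet.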
@@ -1947,447 +1967,594 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then # - Generate TLSA 3 1 1 record # - \$verbose && echononl " Generate \"TLSA 3 1 1\\" record from certificate (\${_tmp_arr[0]}).." - tlsa_record_311=\$( - printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\ - \${_tmp_arr[1]} \\ - \${_tmp_arr[0]} \\ - \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey | - openssl pkey -pubin -outform DER | - openssl dgst -sha256 -binary | - hexdump -ve '/1 "%02x"') - ) - if [[ \$? -eq 0 ]] ; then - \$verbose && echo_ok + + if ! \${generate_tlsa_311} ; then + echo_skipped else - \$verbose && echo_failed - if \$verbose ; then - error "Generating \"TLSA 3 1 1\\" record failed! " + tlsa_record_311=\$( + printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\ + \${_tmp_arr[1]} \\ + \${_tmp_arr[0]} \\ + \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha256 -binary | + hexdump -ve '/1 "%02x"') + ) + if [[ \$? -eq 0 ]] ; then + \$verbose && echo_ok else - echo -e "\\n [ Error ]: Generating \"TLSA 3 1 1\\" record failed! \\n" + \$verbose && echo_failed + if \$verbose ; then + error "Generating \"TLSA 3 1 1\\" record failed! " + else + echo -e "\\n [ Error ]: Generating \"TLSA 3 1 1\\" record failed! \\n" + fi + continue fi - continue - fi - # - Add/Renew Record in concerning zone file + # - Add/Renew Record in concerning zone file + # - + \$verbose && echononl " Add/Renew Record in concerning zone file.." + ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ + "sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1" + ret_val=\$? + case \$ret_val in + 0) + \$verbose && echo_skipped + if \$verbose ; then + info "TLSA 3 1 1 record for \\"\$hostname\\" is up to date." 
+ else + echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" is up to date.\\n" + fi + ;; + 1) + \$verbose && echo_ok + if \$verbose ; then + info "TLSA 3 1 1 record for \\"\$hostname\\" replaced." + else + echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" replaced.\\n" + fi + ;; + 2) + \$verbose && echo_ok + if \$verbose ; then + info "New TLSA 3 1 1 record for \\"\$hostname\\" added." + else + echo -e "\\n [ Info ]: New TLSA 3 1 1 record for \\"\$hostname\\" added.\\n" + fi + ;; + 10) + \$verbose && echo_failed + if \$verbose ; then + error "Invalid TLSA record given!" + else + echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" + fi + continue + ;; + 11) + \$verbose && echo_failed + if \$verbose ; then + error "No zonefile for host \\"\$hostname\\" found!" + else + echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" + fi + ;; + 20) + \$verbose && echo_failed + if \$verbose ; then + error "Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 21) + \$verbose && echo_failed + if \$verbose ; then + error "Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 99) + \$verbose && echo_failed + if \$verbose ; then + error "Fatal Error!" + else + echo -e "\\n [ Error ]: Fatal Error! \\n" + fi + continue + ;; + *) + \$verbose && echo_failed + if \$verbose ; then + error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" + else + echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" + fi + continue + ;; + + esac + + fi # if ! \${generate_tlsa_311} + + + # - Generate TLSA 3 0 1 record # - - \$verbose && echononl " Add/Renew Record in concerning zone file.." 
- ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ - "sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1" - ret_val=\$? - case \$ret_val in - 0) - \$verbose && echo_skipped - if \$verbose ; then - info "TLSA 3 1 1 record for \\"\$hostname\\" is up to date." - else - echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" is up to date.\\n" - fi - ;; - 1) - \$verbose && echo_ok - if \$verbose ; then - info "TLSA 3 1 1 record for \\"\$hostname\\" replaced." - else - echo -e "\\n [ Info ]: TLSA 3 1 1 record for \\"\$hostname\\" replaced.\\n" - fi - ;; - 2) - \$verbose && echo_ok - if \$verbose ; then - info "New TLSA 3 1 1 record for \\"\$hostname\\" added." - else - echo -e "\\n [ Info ]: New TLSA 3 1 1 record for \\"\$hostname\\" added.\\n" - fi - ;; - 10) - \$verbose && echo_failed - if \$verbose ; then - error "Invalid TLSA record given!" - else - echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" - fi - continue - ;; - 11) - \$verbose && echo_failed - if \$verbose ; then - error "No zonefile for host \\"\$hostname\\" found!" - else - echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" - fi - ;; - 20) - \$verbose && echo_failed - if \$verbose ; then - error "Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed!" - else - echo -e "\\n [ Error ]: Replacing TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n" - fi - continue - ;; - 21) - \$verbose && echo_failed - if \$verbose ; then - error "Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed!" - else - echo -e "\\n [ Error ]: Adding TLSA 3 1 1 record for host \\"\$hostname\\" failed! \\n" - fi - continue - ;; - 99) - \$verbose && echo_failed - if \$verbose ; then - error "Fatal Error!" - else - echo -e "\\n [ Error ]: Fatal Error! \\n" - fi - continue - ;; - *) - \$verbose && echo_failed - if \$verbose ; then - error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" 
- else - echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" - fi - continue - ;; + \$verbose && echononl " Generate \"TLSA 3 0 1\\" record from certificate (\${_tmp_arr[0]}).." - esac + if ! \${generate_tlsa_301} ; then + echo_skipped + else + tlsa_record_311=\$( + printf "_%s._tcp.%s. \$ttl_301 IN TLSA 3 0 1 %s\\n" \\ + \${_tmp_arr[1]} \\ + \${_tmp_arr[0]} \\ + \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha256 -binary | + hexdump -ve '/1 "%02x"') + ) + if [[ \$? -eq 0 ]] ; then + \$verbose && echo_ok + else + \$verbose && echo_failed + if \$verbose ; then + error "Generating \"TLSA 3 0 1\\" record failed! " + else + echo -e "\\n [ Error ]: Generating \"TLSA 3 0 1\\" record failed! \\n" + fi + continue + fi + + # - Add/Renew Record in concerning zone file + # - + \$verbose && echononl " Add/Renew Record in concerning zone file.." + ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ + "sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1" + ret_val=\$? + case \$ret_val in + 0) + \$verbose && echo_skipped + if \$verbose ; then + info "TLSA 3 0 1 record for \\"\$hostname\\" is up to date." + else + echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" is up to date.\\n" + fi + ;; + 1) + \$verbose && echo_ok + if \$verbose ; then + info "TLSA 3 0 1 record for \\"\$hostname\\" replaced." + else + echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" replaced.\\n" + fi + ;; + 2) + \$verbose && echo_ok + if \$verbose ; then + info "New TLSA 3 0 1 record for \\"\$hostname\\" added." + else + echo -e "\\n [ Info ]: New TLSA 3 0 1 record for \\"\$hostname\\" added.\\n" + fi + ;; + 10) + \$verbose && echo_failed + if \$verbose ; then + error "Invalid TLSA record given!" + else + echo -e "\\n [ Error ]: Invalid TLSA record given! 
\\n" + fi + continue + ;; + 11) + \$verbose && echo_failed + if \$verbose ; then + error "No zonefile for host \\"\$hostname\\" found!" + else + echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" + fi + ;; + 20) + \$verbose && echo_failed + if \$verbose ; then + error "Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 21) + \$verbose && echo_failed + if \$verbose ; then + error "Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 99) + \$verbose && echo_failed + if \$verbose ; then + error "Fatal Error!" + else + echo -e "\\n [ Error ]: Fatal Error! \\n" + fi + continue + ;; + *) + \$verbose && echo_failed + if \$verbose ; then + error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" + else + echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" + fi + continue + ;; + + esac + + fi # if ! \${generate_tlsa_301} # - Generate TLSA 2 1 1 record # - \$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).." - tlsa_record_211=\$( - printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\ - \${_tmp_arr[1]} \\ - \${_tmp_arr[0]} \\ - \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey | - openssl pkey -pubin -outform DER | - openssl dgst -sha256 -binary | - hexdump -ve '/1 "%02x"') - ) - if [[ \$? -eq 0 ]] ; then - \$verbose && echo_ok + + if ! \${generate_tlsa_211} ; then + echo_skipped else - \$verbose && echo_failed - if \$verbose ; then - error "Generating \"TLSA 2 1 1\\" record failed! " + + tlsa_record_211=\$( + printf "_%s._tcp.%s. 
\$ttl_211 IN TLSA 2 1 1 %s\\n" \\ + \${_tmp_arr[1]} \\ + \${_tmp_arr[0]} \\ + \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha256 -binary | + hexdump -ve '/1 "%02x"') + ) + if [[ \$? -eq 0 ]] ; then + \$verbose && echo_ok else - echo -e "\\n [ Error ]: Generating \"TLSA 2 1 1\\" record failed! \\n" + \$verbose && echo_failed + if \$verbose ; then + error "Generating \"TLSA 2 1 1\\" record failed! " + else + echo -e "\\n [ Error ]: Generating \"TLSA 2 1 1\\" record failed! \\n" + fi + continue fi - continue - fi - # - Add/Renew Record in concerning zone file + # - Add/Renew Record in concerning zone file + # - + \$verbose && echononl " Add/Renew Record in concerning zone file.." + ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ + "sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1" + ret_val=\$? + case \$ret_val in + 0) + \$verbose && echo_skipped + if \$verbose ; then + info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date." + else + echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n" + fi + ;; + 1) + \$verbose && echo_ok + if \$verbose ; then + info "TLSA 2 1 1 record for \\"\$hostname\\" replaced." + else + echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n" + fi + ;; + 2) + \$verbose && echo_ok + if \$verbose ; then + info "New TLSA 2 1 1 record for \\"\$hostname\\" added." + else + echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n" + fi + ;; + 10) + \$verbose && echo_failed + if \$verbose ; then + error "Invalid TLSA record given!" + else + echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" + fi + continue + ;; + 11) + \$verbose && echo_failed + if \$verbose ; then + error "No zonefile for host \\"\$hostname\\" found!" + else + echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! 
\\n" + fi + ;; + 20) + \$verbose && echo_failed + if \$verbose ; then + error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 21) + \$verbose && echo_failed + if \$verbose ; then + error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 99) + \$verbose && echo_failed + if \$verbose ; then + error "Fatal Error!" + else + echo -e "\\n [ Error ]: Fatal Error! \\n" + fi + continue + ;; + *) + \$verbose && echo_failed + if \$verbose ; then + error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" + else + echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" + fi + continue + ;; + + esac + + fi # if ! \${generate_tlsa_211} + + + # - Generate TLSA 2 0 1 record # - - \$verbose && echononl " Add/Renew Record in concerning zone file.." - ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ - "sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1" - ret_val=\$? - case \$ret_val in - 0) - \$verbose && echo_skipped - if \$verbose ; then - info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date." - else - echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n" - fi - ;; - 1) - \$verbose && echo_ok - if \$verbose ; then - info "TLSA 2 1 1 record for \\"\$hostname\\" replaced." - else - echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n" - fi - ;; - 2) - \$verbose && echo_ok - if \$verbose ; then - info "New TLSA 2 1 1 record for \\"\$hostname\\" added." - else - echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n" - fi - ;; - 10) - \$verbose && echo_failed - if \$verbose ; then - error "Invalid TLSA record given!" 
- else - echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" - fi - continue - ;; - 11) - \$verbose && echo_failed - if \$verbose ; then - error "No zonefile for host \\"\$hostname\\" found!" - else - echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" - fi - ;; - 20) - \$verbose && echo_failed - if \$verbose ; then - error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!" - else - echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n" - fi - continue - ;; - 21) - \$verbose && echo_failed - if \$verbose ; then - error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!" - else - echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n" - fi - continue - ;; - 99) - \$verbose && echo_failed - if \$verbose ; then - error "Fatal Error!" - else - echo -e "\\n [ Error ]: Fatal Error! \\n" - fi - continue - ;; - *) - \$verbose && echo_failed - if \$verbose ; then - error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" - else - echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n" - fi - continue - ;; + \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).." - esac + if ! \${generate_tlsa_201} ; then + echo_skipped + else -# # - Generate TLSA 2 0 1 record -# # - -# \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).." -# tlsa_record_201=\$( -# printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\ -# \${_tmp_arr[1]} \\ -# \${_tmp_arr[0]} \\ -# \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER | -# openssl dgst -sha256 -binary | -# hexdump -ve '/1 "%02x"') -# ) -# if [[ \$? -eq 0 ]] ; then -# \$verbose && echo_ok -# else -# \$verbose && echo_failed -# if \$verbose ; then -# error "Generating \\"TLSA 2 0 1\\" record failed! " -# else -# echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! 
\\n" -# fi -# continue -# fi -# -# # - Add/Renew Record in concerning zone file -# # - -# \$verbose && echononl " Add/Renew Record in concerning zone file.." -# ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ -# "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1" -# ret_val=\$? -# case \$ret_val in -# 0) -# \$verbose && echo_skipped -# if \$verbose ; then -# info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date." -# else -# echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n" -# fi -# ;; -# 1) -# \$verbose && echo_ok -# if \$verbose ; then -# info "TLSA 2 0 1 record for \\"\$hostname\\" replaced." -# else -# echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n" -# fi -# ;; -# 2) -# \$verbose && echo_ok -# if \$verbose ; then -# info "New TLSA 2 0 1 record for \\"\$hostname\\" added." -# else -# echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n" -# fi -# ;; -# 10) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Invalid TLSA record given!" -# else -# echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" -# fi -# continue -# ;; -# 11) -# \$verbose && echo_failed -# if \$verbose ; then -# error "No zonefile for host \\"\$hostname\\" found!" -# else -# echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" -# fi -# continue -# ;; -# 20) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!" -# else -# echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" -# fi -# continue -# ;; -# 21) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!" -# else -# echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" -# fi -# continue -# ;; -# 99) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Fatal Error!" 
-# else -# echo -e "\\n [ Error ]: Fatal Error! \\n" -# fi -# continue -# ;; -# *) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" -# else -# echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" -# fi -# continue -# ;; -# -# esac -# -# # - Generate TLSA 2 0 2 record -# # - -# \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).." -# tlsa_record_202=\$( -# printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\ -# \${_tmp_arr[1]} \\ -# \${_tmp_arr[0]} \\ -# \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER | -# openssl dgst -sha512 -binary | -# hexdump -ve '/1 "%02x"') -# ) -# if [[ \$? -eq 0 ]] ; then -# \$verbose && echo_ok -# else -# \$verbose && echo_failed -# if \$verbose ; then -# error "Generating \\"TLSA 2 0 2\\" record failed! " -# else -# echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n" -# fi -# continue -# fi -# -# # - Add/Renew Record in concerning zone file -# # - -# \$verbose && echononl " Add/Renew Record in concerning zone file.." -# ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ -# "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1" -# ret_val=\$? -# case \$ret_val in -# 0) -# \$verbose && echo_skipped -# if \$verbose ; then -# info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date." -# else -# echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n" -# fi -# ;; -# 1) -# \$verbose && echo_ok -# if \$verbose ; then -# info "TLSA 2 0 2 record for \\"\$hostname\\" replaced." -# else -# echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n" -# fi -# ;; -# 2) -# \$verbose && echo_ok -# if \$verbose ; then -# info "New TLSA 2 0 2 record for \\"\$hostname\\" added." 
-# else -# echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n" -# fi -# ;; -# 10) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Invalid TLSA record given!" -# else -# echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" -# fi -# continue -# ;; -# 11) -# \$verbose && echo_failed -# if \$verbose ; then -# error "No zonefile for host \\"\$hostname\\" found!" -# else -# echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" -# fi -# continue -# ;; -# 20) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!" -# else -# echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" -# fi -# continue -# ;; -# 21) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!" -# else -# echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" -# fi -# continue -# ;; -# 99) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Fatal Error!" -# else -# echo -e "\\n [ Error ]: Fatal Error! \\n" -# fi -# continue -# ;; -# *) -# \$verbose && echo_failed -# if \$verbose ; then -# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" -# else -# echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" -# fi -# continue -# ;; -# -# esac + tlsa_record_201=\$( + printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\ + \${_tmp_arr[1]} \\ + \${_tmp_arr[0]} \\ + \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER | + openssl dgst -sha256 -binary | + hexdump -ve '/1 "%02x"') + ) + if [[ \$? -eq 0 ]] ; then + \$verbose && echo_ok + else + \$verbose && echo_failed + if \$verbose ; then + error "Generating \\"TLSA 2 0 1\\" record failed! " + else + echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! 
\\n" + fi + continue + fi + + # - Add/Renew Record in concerning zone file + # - + \$verbose && echononl " Add/Renew Record in concerning zone file.." + ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ + "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1" + ret_val=\$? + case \$ret_val in + 0) + \$verbose && echo_skipped + if \$verbose ; then + info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date." + else + echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n" + fi + ;; + 1) + \$verbose && echo_ok + if \$verbose ; then + info "TLSA 2 0 1 record for \\"\$hostname\\" replaced." + else + echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n" + fi + ;; + 2) + \$verbose && echo_ok + if \$verbose ; then + info "New TLSA 2 0 1 record for \\"\$hostname\\" added." + else + echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n" + fi + ;; + 10) + \$verbose && echo_failed + if \$verbose ; then + error "Invalid TLSA record given!" + else + echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" + fi + continue + ;; + 11) + \$verbose && echo_failed + if \$verbose ; then + error "No zonefile for host \\"\$hostname\\" found!" + else + echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" + fi + continue + ;; + 20) + \$verbose && echo_failed + if \$verbose ; then + error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 21) + \$verbose && echo_failed + if \$verbose ; then + error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 99) + \$verbose && echo_failed + if \$verbose ; then + error "Fatal Error!" + else + echo -e "\\n [ Error ]: Fatal Error! 
\\n" + fi + continue + ;; + *) + \$verbose && echo_failed + if \$verbose ; then + error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" + else + echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" + fi + continue + ;; + + esac + + fi # if ! \${generate_tlsa_201} + + + # - Generate TLSA 2 0 2 record + # - + \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).." + + if ! \${generate_tlsa_202} ; then + echo_skipped + else + + tlsa_record_202=\$( + printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\ + \${_tmp_arr[1]} \\ + \${_tmp_arr[0]} \\ + \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER | + openssl dgst -sha512 -binary | + hexdump -ve '/1 "%02x"') + ) + if [[ \$? -eq 0 ]] ; then + \$verbose && echo_ok + else + \$verbose && echo_failed + if \$verbose ; then + error "Generating \\"TLSA 2 0 2\\" record failed! " + else + echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n" + fi + continue + fi + + # - Add/Renew Record in concerning zone file + # - + \$verbose && echononl " Add/Renew Record in concerning zone file.." + ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ + "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1" + ret_val=\$? + case \$ret_val in + 0) + \$verbose && echo_skipped + if \$verbose ; then + info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date." + else + echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n" + fi + ;; + 1) + \$verbose && echo_ok + if \$verbose ; then + info "TLSA 2 0 2 record for \\"\$hostname\\" replaced." + else + echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n" + fi + ;; + 2) + \$verbose && echo_ok + if \$verbose ; then + info "New TLSA 2 0 2 record for \\"\$hostname\\" added." 
+ else + echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n" + fi + ;; + 10) + \$verbose && echo_failed + if \$verbose ; then + error "Invalid TLSA record given!" + else + echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" + fi + continue + ;; + 11) + \$verbose && echo_failed + if \$verbose ; then + error "No zonefile for host \\"\$hostname\\" found!" + else + echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" + fi + continue + ;; + 20) + \$verbose && echo_failed + if \$verbose ; then + error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 21) + \$verbose && echo_failed + if \$verbose ; then + error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!" + else + echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" + fi + continue + ;; + 99) + \$verbose && echo_failed + if \$verbose ; then + error "Fatal Error!" + else + echo -e "\\n [ Error ]: Fatal Error! \\n" + fi + continue + ;; + *) + \$verbose && echo_failed + if \$verbose ; then + error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" + else + echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" + fi + continue + ;; + + esac + + fi # if ! \${generate_tlsa_202} ; then # - To avoid multiple reloading og one and the same zone, we only # - collect the zones, having to reload, at this time and do the 
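Review bot: The new "TLSA 3 0 1" block is wrong in two ways: it stores the result in `tlsa_record_311` (clobbering the 3 1 1 record just computed and pushing it a second time over ssh under the 3 0 1 label), and it hashes the SubjectPublicKeyInfo (`-noout -pubkey | openssl pkey -pubin -outform DER`) even though selector 0 means the full certificate DER — compare the correct pipeline used for `tlsa_record_301` in the `dh_tlsgen.sh` hunk at `@@ -3922` (`openssl x509 -in \$cert -outform DER |`). A validator applying a 3 0 1 record built this way will never match the served certificate, so enabling `generate_tlsa_301` publishes a record that breaks DANE validation for that host. Two smaller points in the same hunk: `echo_skipped` in each `if ! \${generate_tlsa_*}` branch runs even when `\$verbose` is false, printing a bare status with no preceding label, and the 2 0 1 / 2 0 2 blocks say "from root certificate (root.ca)" while hashing `chain.pem`, which (as far as these lines show) pins whatever certificate is first in the chain rather than the root. The enclosing loop and the outer heredoc start and end outside the hunk.
```shell
                tlsa_record_301=\$(
                    printf "_%s._tcp.%s. \$ttl_301 IN TLSA 3 0 1 %s\\n" \\
                        \${_tmp_arr[1]} \\
                        \${_tmp_arr[0]} \\
                        \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -outform DER |
                            openssl dgst -sha256 -binary |
                            hexdump -ve '/1 "%02x"')
                )
                # … unchanged: \$? check and "Generating TLSA 3 0 1 record failed" reporting …
                ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
                    "sudo \$renew_tlsa_record \$tlsa_record_301 > /dev/null 2>&1"
                # … unchanged: case \$ret_val in … esac …
```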
@@ -3898,6 +4065,19 @@ echononl " Install script \"dh_tlsgen.sh\" into ${DH_BASE_DIR}/tools/" cat < ${DH_BASE_DIR}/tools/dh_tlsgen.sh #!/usr/bin/env bash +## ------------------------------------------------------------------------------ +## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf +## ------------------------------------------------------------------------------ + +if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then + source ${DH_CONF_DIR}/dehydrated_cron.conf +else + echo + echo -e " [ Error ]: No Configuration File found. Exiting now!" + echo + exit 1 +fi + if [[ \$# -ne 1 ]] ; then echo -e "\n usage: \$(basename "\$0") \n" exit @@ -3911,9 +4091,9 @@ IFS=\$CUR_IFS port=\${_tmp_arr[1]} hostname=\${_tmp_arr[0]} -cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem +cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem tlsa_record_311=\$( - printf '_%s._tcp.%s. 3600 IN TLSA 3 1 1 %s\n' \\ + printf "_%s._tcp.%s. \${ttl_311} IN TLSA 3 1 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -noout -pubkey | @@ -3922,9 +4102,9 @@ tlsa_record_311=\$( hexdump -ve '/1 "%02x"')" ) -cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem +cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem tlsa_record_301=\$( - printf '_%s._tcp.%s. 3600 IN TLSA 3 0 1 %s\n' \\ + printf "_%s._tcp.%s. \${ttl_301} IN TLSA 3 0 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -outform DER | @@ -3933,9 +4113,9 @@ tlsa_record_301=\$( ) -cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem +cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem tlsa_record_211_chain=\$( - printf '_%s._tcp.%s. 3600 IN TLSA 2 1 1 %s\n' \\ + printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -noout -pubkey | 
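Review bot: `source ${DH_CONF_DIR}/dehydrated_cron.conf` executes the configuration file with the privileges of whoever runs `dh_tlsgen.sh`, so the installed script now trusts that file completely; unless the installer already restricts it (not visible in this hunk), the file should be root-owned and not group/world-writable, and the script could refuse to load it otherwise. The path is also unquoted — `source "${DH_CONF_DIR}/dehydrated_cron.conf"` — which matters because `${DH_CONF_DIR}` is expanded at install time into the heredoc and a path with spaces would silently become two words. A one-line comment such as `# dehydrated_cron.conf is executed, not parsed: keep it root-owned and mode 0640` above the `if [[ -f … ]]` would make the trust boundary explicit for the next maintainer. The heredoc that produces this script starts before the hunk and ends after it.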
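Review bot: The printf format now interpolates `\${ttl_311}` from the sourced config, but a config file written before this commit (or one where the new `ttl_301` line was not added) leaves the TTL empty and the generated line becomes `_443._tcp.host.  IN TLSA 3 1 1 …`, which is not a valid record and will be rejected — or worse, partially accepted — by the remote zone tooling; the same applies to the `@@ -3922`, `@@ -3933`, `@@ -3944`, `@@ -3954` and `@@ -3965` hunks. Keep the previous literal as a fallback, e.g. `printf "_%s._tcp.%s. \${ttl_311:-3600} IN TLSA 3 1 1 %s\n" \\`, or assert the values once after the `source` with `: "\${ttl_311:?ttl_311 missing in dehydrated_cron.conf}"` for each TTL. The heredoc that produces this script starts before the hunk and ends after it.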
@@ -3944,9 +4124,9 @@ tlsa_record_211_chain=\$( hexdump -ve '/1 "%02x"')" ) -cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem +cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem tlsa_record_201_chain=\$( - printf '_%s._tcp.%s. 3600 IN TLSA 2 0 1 %s\n' \\ + printf "_%s._tcp.%s. \${ttl_201} IN TLSA 2 0 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -outform DER | @@ -3954,9 +4134,9 @@ tlsa_record_201_chain=\$( hexdump -ve '/1 "%02x"')" ) -cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem +cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem tlsa_record_202_chain=\$( - printf '_%s._tcp.%s. 3600 IN TLSA 2 0 2 %s\n' \\ + printf "_%s._tcp.%s. \${ttl_202} IN TLSA 2 0 2 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -outform DER | @@ -3965,10 +4145,10 @@ tlsa_record_202_chain=\$( ) tlsa_record_211_root="" -cert=/var/lib/dehydrated/certs/\${hostname}/root.ca +cert=${DH_BASE_DIR}/certs/\${hostname}/root.ca if [[ -f "\$cert" ]]; then tlsa_record_211_root=\$( - printf '_%s._tcp.%s. 3600 IN TLSA 2 1 1 %s\n' \\ + printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\ \$port \\ \$hostname \\ "\$(openssl x509 -in \$cert -noout -pubkey |