install_dehydrated.sh: Fix errors in generatin TLSA records, if both RSA and ECDSA ciphers are allowed.

This commit is contained in:
Christoph 2024-10-03 11:37:10 +02:00
parent 287e41aa00
commit d310f9f276


@ -482,7 +482,7 @@ fi
if [[ -n "$GITLAB_CONF_FILE" ]]; then if [[ -n "$GITLAB_CONF_FILE" ]]; then
if [[ ! -d "/var/lib/dehydrated/certs/${HOST_NAME}" ]]; then if [[ ! -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then
URL_SCHEMA="http" URL_SCHEMA="http"
else else
URL_SCHEMA="https" URL_SCHEMA="https"
@ -596,7 +596,7 @@ EOF
echo_skipped echo_skipped
fi fi
if [[ -d "/var/lib/dehydrated/certs/${HOST_NAME}" ]]; then if [[ -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then
echononl " Adjust ${GITLAB_CONF_FILE} - letsencrypt['enable']" echononl " Adjust ${GITLAB_CONF_FILE} - letsencrypt['enable']"
@ -700,11 +700,11 @@ EOF
echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.key'.." echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.key'.."
if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.key" ]] \ if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.key" ]] \
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "/var/lib/dehydrated/certs/${HOST_NAME}/privkey.pem" ]] ; then && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" ]] ; then
echo_skipped echo_skipped
else else
rm -rf "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 rm -rf "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
ln -s "/var/lib/dehydrated/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1 ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
gitlab_reconfigure=true gitlab_reconfigure=true
@ -715,11 +715,11 @@ EOF
echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.crt'.." echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.crt'.."
if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.crt" ]] \ if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.crt" ]] \
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "/var/lib/dehydrated/certs/${HOST_NAME}/fullchain.pem" ]]; then && [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" ]]; then
echo_skipped echo_skipped
else else
rm -rf "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 rm -rf "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
ln -s "/var/lib/dehydrated/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1 ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
gitlab_reconfigure=true gitlab_reconfigure=true
@ -1300,9 +1300,19 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh get_domain_by_hostname=bind_get_domain_by_hostname.sh
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1" # Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# - # -
ttl_311=3600 ttl_311=3600
ttl_301=3600
ttl_201=3600 ttl_201=3600
ttl_202=3600 ttl_202=3600
ttl_211=3600 ttl_211=3600
@ -1423,9 +1433,19 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh get_domain_by_hostname=bind_get_domain_by_hostname.sh
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1" # Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# - # -
ttl_311=3600 ttl_311=3600
ttl_301=3600
ttl_201=3600 ttl_201=3600
ttl_202=3600 ttl_202=3600
ttl_211=3600 ttl_211=3600
@ -1947,11 +1967,15 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
# - Generate TLSA 3 1 1 record # - Generate TLSA 3 1 1 record
# - # -
\$verbose && echononl " Generate \"TLSA 3 1 1\\" record from certificate (\${_tmp_arr[0]}).." \$verbose && echononl " Generate \"TLSA 3 1 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_311} ; then
echo_skipped
else
tlsa_record_311=\$( tlsa_record_311=\$(
printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\ printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\
\${_tmp_arr[1]} \\ \${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\ \${_tmp_arr[0]} \\
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey | \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER | openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary | openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"') hexdump -ve '/1 "%02x"')
@ -2055,15 +2079,140 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
esac esac
fi # if ! \${generate_tlsa_311}
# - Generate TLSA 3 0 1 record
# -
\$verbose && echononl " Generate \"TLSA 3 0 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_301} ; then
echo_skipped
else
tlsa_record_311=\$(
printf "_%s._tcp.%s. \$ttl_301 IN TLSA 3 0 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \"TLSA 3 0 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \"TLSA 3 0 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 3 0 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 3 0 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 3 0 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 3 0 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_301}
# - Generate TLSA 2 1 1 record # - Generate TLSA 2 1 1 record
# - # -
\$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).." \$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_211} ; then
echo_skipped
else
tlsa_record_211=\$( tlsa_record_211=\$(
printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\ printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
\${_tmp_arr[1]} \\ \${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\ \${_tmp_arr[0]} \\
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey | \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
openssl pkey -pubin -outform DER | openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary | openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"') hexdump -ve '/1 "%02x"')
@ -2167,227 +2316,245 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
esac esac
# # - Generate TLSA 2 0 1 record fi # if ! \${generate_tlsa_211}
# # -
# \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
# tlsa_record_201=\$( # - Generate TLSA 2 0 1 record
# printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\ # -
# \${_tmp_arr[1]} \\ \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
# \${_tmp_arr[0]} \\
# \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER | if ! \${generate_tlsa_201} ; then
# openssl dgst -sha256 -binary | echo_skipped
# hexdump -ve '/1 "%02x"') else
# )
# if [[ \$? -eq 0 ]] ; then tlsa_record_201=\$(
# \$verbose && echo_ok printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
# else \${_tmp_arr[1]} \\
# \$verbose && echo_failed \${_tmp_arr[0]} \\
# if \$verbose ; then \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
# error "Generating \\"TLSA 2 0 1\\" record failed! " openssl dgst -sha256 -binary |
# else hexdump -ve '/1 "%02x"')
# echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n" )
# fi if [[ \$? -eq 0 ]] ; then
# continue \$verbose && echo_ok
# fi else
# \$verbose && echo_failed
# # - Add/Renew Record in concerning zone file if \$verbose ; then
# # - error "Generating \\"TLSA 2 0 1\\" record failed! "
# \$verbose && echononl " Add/Renew Record in concerning zone file.." else
# ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
# "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1" fi
# ret_val=\$? continue
# case \$ret_val in fi
# 0)
# \$verbose && echo_skipped # - Add/Renew Record in concerning zone file
# if \$verbose ; then # -
# info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date." \$verbose && echononl " Add/Renew Record in concerning zone file.."
# else ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
# echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n" "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
# fi ret_val=\$?
# ;; case \$ret_val in
# 1) 0)
# \$verbose && echo_ok \$verbose && echo_skipped
# if \$verbose ; then if \$verbose ; then
# info "TLSA 2 0 1 record for \\"\$hostname\\" replaced." info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
# else else
# echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n" echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
# fi fi
# ;; ;;
# 2) 1)
# \$verbose && echo_ok \$verbose && echo_ok
# if \$verbose ; then if \$verbose ; then
# info "New TLSA 2 0 1 record for \\"\$hostname\\" added." info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
# else else
# echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n" echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
# fi fi
# ;; ;;
# 10) 2)
# \$verbose && echo_failed \$verbose && echo_ok
# if \$verbose ; then if \$verbose ; then
# error "Invalid TLSA record given!" info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
# else else
# echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
# fi fi
# continue ;;
# ;; 10)
# 11) \$verbose && echo_failed
# \$verbose && echo_failed if \$verbose ; then
# if \$verbose ; then error "Invalid TLSA record given!"
# error "No zonefile for host \\"\$hostname\\" found!" else
# else echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
# echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi
# fi continue
# continue ;;
# ;; 11)
# 20) \$verbose && echo_failed
# \$verbose && echo_failed if \$verbose ; then
# if \$verbose ; then error "No zonefile for host \\"\$hostname\\" found!"
# error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!" else
# else echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
# echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" fi
# fi continue
# continue ;;
# ;; 20)
# 21) \$verbose && echo_failed
# \$verbose && echo_failed if \$verbose ; then
# if \$verbose ; then error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
# error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!" else
# else echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
# echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n" fi
# fi continue
# continue ;;
# ;; 21)
# 99) \$verbose && echo_failed
# \$verbose && echo_failed if \$verbose ; then
# if \$verbose ; then error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
# error "Fatal Error!" else
# else echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
# echo -e "\\n [ Error ]: Fatal Error! \\n" fi
# fi continue
# continue ;;
# ;; 99)
# *) \$verbose && echo_failed
# \$verbose && echo_failed if \$verbose ; then
# if \$verbose ; then error "Fatal Error!"
# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" else
# else echo -e "\\n [ Error ]: Fatal Error! \\n"
# echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" fi
# fi continue
# continue ;;
# ;; *)
# \$verbose && echo_failed
# esac if \$verbose ; then
# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
# # - Generate TLSA 2 0 2 record else
# # - echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
# \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).." fi
# tlsa_record_202=\$( continue
# printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\ ;;
# \${_tmp_arr[1]} \\
# \${_tmp_arr[0]} \\ esac
# \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
# openssl dgst -sha512 -binary | fi # if ! \${generate_tlsa_201}
# hexdump -ve '/1 "%02x"')
# )
# if [[ \$? -eq 0 ]] ; then # - Generate TLSA 2 0 2 record
# \$verbose && echo_ok # -
# else \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
# \$verbose && echo_failed
# if \$verbose ; then if ! \${generate_tlsa_202} ; then
# error "Generating \\"TLSA 2 0 2\\" record failed! " echo_skipped
# else else
# echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
# fi tlsa_record_202=\$(
# continue printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
# fi \${_tmp_arr[1]} \\
# \${_tmp_arr[0]} \\
# # - Add/Renew Record in concerning zone file \$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
# # - openssl dgst -sha512 -binary |
# \$verbose && echononl " Add/Renew Record in concerning zone file.." hexdump -ve '/1 "%02x"')
# ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\ )
# "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1" if [[ \$? -eq 0 ]] ; then
# ret_val=\$? \$verbose && echo_ok
# case \$ret_val in else
# 0) \$verbose && echo_failed
# \$verbose && echo_skipped if \$verbose ; then
# if \$verbose ; then error "Generating \\"TLSA 2 0 2\\" record failed! "
# info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date." else
# else echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
# echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n" fi
# fi continue
# ;; fi
# 1)
# \$verbose && echo_ok # - Add/Renew Record in concerning zone file
# if \$verbose ; then # -
# info "TLSA 2 0 2 record for \\"\$hostname\\" replaced." \$verbose && echononl " Add/Renew Record in concerning zone file.."
# else ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
# echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n" "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1"
# fi ret_val=\$?
# ;; case \$ret_val in
# 2) 0)
# \$verbose && echo_ok \$verbose && echo_skipped
# if \$verbose ; then if \$verbose ; then
# info "New TLSA 2 0 2 record for \\"\$hostname\\" added." info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date."
# else else
# echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n" echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n"
# fi fi
# ;; ;;
# 10) 1)
# \$verbose && echo_failed \$verbose && echo_ok
# if \$verbose ; then if \$verbose ; then
# error "Invalid TLSA record given!" info "TLSA 2 0 2 record for \\"\$hostname\\" replaced."
# else else
# echo -e "\\n [ Error ]: Invalid TLSA record given! \\n" echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n"
# fi fi
# continue ;;
# ;; 2)
# 11) \$verbose && echo_ok
# \$verbose && echo_failed if \$verbose ; then
# if \$verbose ; then info "New TLSA 2 0 2 record for \\"\$hostname\\" added."
# error "No zonefile for host \\"\$hostname\\" found!" else
# else echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n"
# echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n" fi
# fi ;;
# continue 10)
# ;; \$verbose && echo_failed
# 20) if \$verbose ; then
# \$verbose && echo_failed error "Invalid TLSA record given!"
# if \$verbose ; then else
# error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!" echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
# else fi
# echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" continue
# fi ;;
# continue 11)
# ;; \$verbose && echo_failed
# 21) if \$verbose ; then
# \$verbose && echo_failed error "No zonefile for host \\"\$hostname\\" found!"
# if \$verbose ; then else
# error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!" echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
# else fi
# echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n" continue
# fi ;;
# continue 20)
# ;; \$verbose && echo_failed
# 99) if \$verbose ; then
# \$verbose && echo_failed error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
# if \$verbose ; then else
# error "Fatal Error!" echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
# else fi
# echo -e "\\n [ Error ]: Fatal Error! \\n" continue
# fi ;;
# continue 21)
# ;; \$verbose && echo_failed
# *) if \$verbose ; then
# \$verbose && echo_failed error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
# if \$verbose ; then else
# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!" echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
# else fi
# echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n" continue
# fi ;;
# continue 99)
# ;; \$verbose && echo_failed
# if \$verbose ; then
# esac error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_202} ; then
# - To avoid multiple reloading og one and the same zone, we only # - To avoid multiple reloading og one and the same zone, we only
# - collect the zones, having to reload, at this time and do the # - collect the zones, having to reload, at this time and do the
@ -3898,6 +4065,19 @@ echononl " Install script \"dh_tlsgen.sh\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > ${DH_BASE_DIR}/tools/dh_tlsgen.sh cat <<EOF > ${DH_BASE_DIR}/tools/dh_tlsgen.sh
#!/usr/bin/env bash #!/usr/bin/env bash
## ------------------------------------------------------------------------------
## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf
## ------------------------------------------------------------------------------
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
source ${DH_CONF_DIR}/dehydrated_cron.conf
else
echo
echo -e " [ Error ]: No Configuration File found. Exiting now!"
echo
exit 1
fi
if [[ \$# -ne 1 ]] ; then if [[ \$# -ne 1 ]] ; then
echo -e "\n usage: \$(basename "\$0") <hostname:port>\n" echo -e "\n usage: \$(basename "\$0") <hostname:port>\n"
exit exit
@ -3911,9 +4091,9 @@ IFS=\$CUR_IFS
port=\${_tmp_arr[1]} port=\${_tmp_arr[1]}
hostname=\${_tmp_arr[0]} hostname=\${_tmp_arr[0]}
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem
tlsa_record_311=\$( tlsa_record_311=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 3 1 1 %s\n' \\ printf "_%s._tcp.%s. \${ttl_311} IN TLSA 3 1 1 %s\n" \\
\$port \\ \$port \\
\$hostname \\ \$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey | "\$(openssl x509 -in \$cert -noout -pubkey |
@ -3922,9 +4102,9 @@ tlsa_record_311=\$(
hexdump -ve '/1 "%02x"')" hexdump -ve '/1 "%02x"')"
) )
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem
tlsa_record_301=\$( tlsa_record_301=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 3 0 1 %s\n' \\ printf "_%s._tcp.%s. \${ttl_301} IN TLSA 3 0 1 %s\n" \\
\$port \\ \$port \\
\$hostname \\ \$hostname \\
"\$(openssl x509 -in \$cert -outform DER | "\$(openssl x509 -in \$cert -outform DER |
@ -3933,9 +4113,9 @@ tlsa_record_301=\$(
) )
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_211_chain=\$( tlsa_record_211_chain=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 1 1 %s\n' \\ printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\
\$port \\ \$port \\
\$hostname \\ \$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey | "\$(openssl x509 -in \$cert -noout -pubkey |
@ -3944,9 +4124,9 @@ tlsa_record_211_chain=\$(
hexdump -ve '/1 "%02x"')" hexdump -ve '/1 "%02x"')"
) )
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_201_chain=\$( tlsa_record_201_chain=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 0 1 %s\n' \\ printf "_%s._tcp.%s. \${ttl_201} IN TLSA 2 0 1 %s\n" \\
\$port \\ \$port \\
\$hostname \\ \$hostname \\
"\$(openssl x509 -in \$cert -outform DER | "\$(openssl x509 -in \$cert -outform DER |
@ -3954,9 +4134,9 @@ tlsa_record_201_chain=\$(
hexdump -ve '/1 "%02x"')" hexdump -ve '/1 "%02x"')"
) )
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_202_chain=\$( tlsa_record_202_chain=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 0 2 %s\n' \\ printf "_%s._tcp.%s. \${ttl_202} IN TLSA 2 0 2 %s\n" \\
\$port \\ \$port \\
\$hostname \\ \$hostname \\
"\$(openssl x509 -in \$cert -outform DER | "\$(openssl x509 -in \$cert -outform DER |
@ -3965,10 +4145,10 @@ tlsa_record_202_chain=\$(
) )
tlsa_record_211_root="" tlsa_record_211_root=""
cert=/var/lib/dehydrated/certs/\${hostname}/root.ca cert=${DH_BASE_DIR}/certs/\${hostname}/root.ca
if [[ -f "\$cert" ]]; then if [[ -f "\$cert" ]]; then
tlsa_record_211_root=\$( tlsa_record_211_root=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 1 1 %s\n' \\ printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\
\$port \\ \$port \\
\$hostname \\ \$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey | "\$(openssl x509 -in \$cert -noout -pubkey |
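Review bot: The new TLSA 3 0 1 block in hunk @ -2055 hashes the SubjectPublicKeyInfo (the `-noout -pubkey | openssl pkey -pubin -outform DER` pipeline copied from the 3 1 1 block), but selector 0 covers the full certificate, so the record it publishes under "IN TLSA 3 0 1" can never match a DANE validator's computation; the generated dh_tlsgen.sh in the later hunks gets this right with `openssl x509 -in \$cert -outform DER |`. Change the pipeline head to `\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -outform DER |` feeding `openssl dgst -sha256 -binary |` directly, with the pkey stage removed. The same block also assigns the result to `tlsa_record_311` and pushes `\$tlsa_record_311` over ssh, silently overwriting the 3 1 1 record variable; rename both to `tlsa_record_301`. Smaller nits in that block: the `*)` arm's non-verbose message ends in `\$renew_tlsa_record\!` and so lacks the closing `\\"` the other blocks have, and its `11)` arm omits the `continue` present in the 2 0 1 and 2 0 2 arms. The enclosing loop over \$_successfully_created_hosts starts and ends outside the hunk.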