install_dehydrated.sh: Fix errors in generating TLSA records, if both RSA and ECDSA ciphers are allowed.

This commit is contained in:
Christoph 2024-10-03 11:37:10 +02:00
parent 287e41aa00
commit d310f9f276


@ -482,7 +482,7 @@ fi
if [[ -n "$GITLAB_CONF_FILE" ]]; then
if [[ ! -d "/var/lib/dehydrated/certs/${HOST_NAME}" ]]; then
if [[ ! -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then
URL_SCHEMA="http"
else
URL_SCHEMA="https"
@ -596,7 +596,7 @@ EOF
echo_skipped
fi
if [[ -d "/var/lib/dehydrated/certs/${HOST_NAME}" ]]; then
if [[ -d "${DH_BASE_DIR}/certs/${HOST_NAME}" ]]; then
echononl " Adjust ${GITLAB_CONF_FILE} - letsencrypt['enable']"
@ -700,11 +700,11 @@ EOF
echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.key'.."
if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.key" ]] \
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "/var/lib/dehydrated/certs/${HOST_NAME}/privkey.pem" ]] ; then
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.key")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" ]] ; then
echo_skipped
else
rm -rf "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
ln -s "/var/lib/dehydrated/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/privkey.pem" "/etc/gitlab/ssl/${HOST_NAME}.key" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
@ -715,11 +715,11 @@ EOF
echononl " Create Symlink '/etc/gitlab/ssl/${HOST_NAME}.crt'.."
if [[ -h "/etc/gitlab/ssl/${HOST_NAME}.crt" ]] \
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "/var/lib/dehydrated/certs/${HOST_NAME}/fullchain.pem" ]]; then
&& [[ "$(readlink -qs "/etc/gitlab/ssl/${HOST_NAME}.crt")" = "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" ]]; then
echo_skipped
else
rm -rf "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
ln -s "/var/lib/dehydrated/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
ln -s "${DH_BASE_DIR}/certs/${HOST_NAME}/fullchain.pem" "/etc/gitlab/ssl/${HOST_NAME}.crt" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
gitlab_reconfigure=true
@ -1300,9 +1300,19 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# -
ttl_311=3600
ttl_301=3600
ttl_201=3600
ttl_202=3600
ttl_211=3600
@ -1423,9 +1433,19 @@ renew_tlsa_record=bind_set_renew_tlsa.sh
get_domain_by_hostname=bind_get_domain_by_hostname.sh
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# Which TLSA Records are to be released?
#
generate_tlsa_311=true
generate_tlsa_301=false
generate_tlsa_211=true
generate_tlsa_201=false
generate_tlsa_202=false
# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 3 0 1", "IN TLSA 2 0 1", "IN TLSA 2 0 2" and "IN TLSA 2 1 1"
# -
ttl_311=3600
ttl_301=3600
ttl_201=3600
ttl_202=3600
ttl_211=3600
@ -1947,11 +1967,15 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
# - Generate TLSA 3 1 1 record
# -
\$verbose && echononl " Generate \"TLSA 3 1 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_311} ; then
echo_skipped
else
tlsa_record_311=\$(
printf "_%s._tcp.%s. \$ttl_311 IN TLSA 3 1 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey |
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
@ -2055,15 +2079,140 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
esac
fi # if ! \${generate_tlsa_311}
# - Generate TLSA 3 0 1 record
# -
\$verbose && echononl " Generate \"TLSA 3 0 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_301} ; then
echo_skipped
else
tlsa_record_311=\$(
printf "_%s._tcp.%s. \$ttl_301 IN TLSA 3 0 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \"TLSA 3 0 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \"TLSA 3 0 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_311 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 3 0 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 3 0 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 3 0 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 3 0 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 3 0 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 3 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_301}
# - Generate TLSA 2 1 1 record
# -
\$verbose && echononl " Generate \"TLSA 2 1 1\\" record from certificate (\${_tmp_arr[0]}).."
if ! \${generate_tlsa_211} ; then
echo_skipped
else
tlsa_record_211=\$(
printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
@ -2167,227 +2316,245 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
esac
# # - Generate TLSA 2 0 1 record
# # -
# \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
# tlsa_record_201=\$(
# printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
# \${_tmp_arr[1]} \\
# \${_tmp_arr[0]} \\
# \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
# openssl dgst -sha256 -binary |
# hexdump -ve '/1 "%02x"')
# )
# if [[ \$? -eq 0 ]] ; then
# \$verbose && echo_ok
# else
# \$verbose && echo_failed
# if \$verbose ; then
# error "Generating \\"TLSA 2 0 1\\" record failed! "
# else
# echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
# fi
# continue
# fi
#
# # - Add/Renew Record in concerning zone file
# # -
# \$verbose && echononl " Add/Renew Record in concerning zone file.."
# ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
# "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
# ret_val=\$?
# case \$ret_val in
# 0)
# \$verbose && echo_skipped
# if \$verbose ; then
# info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
# else
# echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
# fi
# ;;
# 1)
# \$verbose && echo_ok
# if \$verbose ; then
# info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
# else
# echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
# fi
# ;;
# 2)
# \$verbose && echo_ok
# if \$verbose ; then
# info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
# else
# echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
# fi
# ;;
# 10)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Invalid TLSA record given!"
# else
# echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
# fi
# continue
# ;;
# 11)
# \$verbose && echo_failed
# if \$verbose ; then
# error "No zonefile for host \\"\$hostname\\" found!"
# else
# echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
# fi
# continue
# ;;
# 20)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
# else
# echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
# fi
# continue
# ;;
# 21)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
# else
# echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
# fi
# continue
# ;;
# 99)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Fatal Error!"
# else
# echo -e "\\n [ Error ]: Fatal Error! \\n"
# fi
# continue
# ;;
# *)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
# else
# echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
# fi
# continue
# ;;
#
# esac
#
# # - Generate TLSA 2 0 2 record
# # -
# \$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
# tlsa_record_202=\$(
# printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
# \${_tmp_arr[1]} \\
# \${_tmp_arr[0]} \\
# \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
# openssl dgst -sha512 -binary |
# hexdump -ve '/1 "%02x"')
# )
# if [[ \$? -eq 0 ]] ; then
# \$verbose && echo_ok
# else
# \$verbose && echo_failed
# if \$verbose ; then
# error "Generating \\"TLSA 2 0 2\\" record failed! "
# else
# echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
# fi
# continue
# fi
#
# # - Add/Renew Record in concerning zone file
# # -
# \$verbose && echononl " Add/Renew Record in concerning zone file.."
# ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
# "sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1"
# ret_val=\$?
# case \$ret_val in
# 0)
# \$verbose && echo_skipped
# if \$verbose ; then
# info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date."
# else
# echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n"
# fi
# ;;
# 1)
# \$verbose && echo_ok
# if \$verbose ; then
# info "TLSA 2 0 2 record for \\"\$hostname\\" replaced."
# else
# echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n"
# fi
# ;;
# 2)
# \$verbose && echo_ok
# if \$verbose ; then
# info "New TLSA 2 0 2 record for \\"\$hostname\\" added."
# else
# echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n"
# fi
# ;;
# 10)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Invalid TLSA record given!"
# else
# echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
# fi
# continue
# ;;
# 11)
# \$verbose && echo_failed
# if \$verbose ; then
# error "No zonefile for host \\"\$hostname\\" found!"
# else
# echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
# fi
# continue
# ;;
# 20)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
# else
# echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
# fi
# continue
# ;;
# 21)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
# else
# echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
# fi
# continue
# ;;
# 99)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Fatal Error!"
# else
# echo -e "\\n [ Error ]: Fatal Error! \\n"
# fi
# continue
# ;;
# *)
# \$verbose && echo_failed
# if \$verbose ; then
# error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
# else
# echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
# fi
# continue
# ;;
#
# esac
fi # if ! \${generate_tlsa_211}
# - Generate TLSA 2 0 1 record
# -
\$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
if ! \${generate_tlsa_201} ; then
echo_skipped
else
tlsa_record_201=\$(
printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \\"TLSA 2 0 1\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
continue
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_201}
# - Generate TLSA 2 0 2 record
# -
\$verbose && echononl " Generate \\"TLSA 2 0 2\\" record from root certificate (root.ca).."
if ! \${generate_tlsa_202} ; then
echo_skipped
else
tlsa_record_202=\$(
printf "_%s._tcp.%s. \$ttl_202 IN TLSA 2 0 2 %s\\n" \\
\${_tmp_arr[1]} \\
\${_tmp_arr[0]} \\
\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
openssl dgst -sha512 -binary |
hexdump -ve '/1 "%02x"')
)
if [[ \$? -eq 0 ]] ; then
\$verbose && echo_ok
else
\$verbose && echo_failed
if \$verbose ; then
error "Generating \\"TLSA 2 0 2\\" record failed! "
else
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 2\\" record failed! \\n"
fi
continue
fi
# - Add/Renew Record in concerning zone file
# -
\$verbose && echononl " Add/Renew Record in concerning zone file.."
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
"sudo \$renew_tlsa_record \$tlsa_record_202 > /dev/null 2>&1"
ret_val=\$?
case \$ret_val in
0)
\$verbose && echo_skipped
if \$verbose ; then
info "TLSA 2 0 2 record for \\"\$hostname\\" is up to date."
else
echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" is up to date.\\n"
fi
;;
1)
\$verbose && echo_ok
if \$verbose ; then
info "TLSA 2 0 2 record for \\"\$hostname\\" replaced."
else
echo -e "\\n [ Info ]: TLSA 2 0 2 record for \\"\$hostname\\" replaced.\\n"
fi
;;
2)
\$verbose && echo_ok
if \$verbose ; then
info "New TLSA 2 0 2 record for \\"\$hostname\\" added."
else
echo -e "\\n [ Info ]: New TLSA 2 0 2 record for \\"\$hostname\\" added.\\n"
fi
;;
10)
\$verbose && echo_failed
if \$verbose ; then
error "Invalid TLSA record given!"
else
echo -e "\\n [ Error ]: Invalid TLSA record given! \\n"
fi
continue
;;
11)
\$verbose && echo_failed
if \$verbose ; then
error "No zonefile for host \\"\$hostname\\" found!"
else
echo -e "\\n [ Error ]: No zonefile for host \\"\$hostname\\" found! \\n"
fi
continue
;;
20)
\$verbose && echo_failed
if \$verbose ; then
error "Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Replacing TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
21)
\$verbose && echo_failed
if \$verbose ; then
error "Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed!"
else
echo -e "\\n [ Error ]: Adding TLSA 2 0 2 record for host \\"\$hostname\\" failed! \\n"
fi
continue
;;
99)
\$verbose && echo_failed
if \$verbose ; then
error "Fatal Error!"
else
echo -e "\\n [ Error ]: Fatal Error! \\n"
fi
continue
;;
*)
\$verbose && echo_failed
if \$verbose ; then
error "Unknown exit code from remote script \\"\$renew_tlsa_record\"!"
else
echo -e "\\n [ Error ]: Unknown exit code from remote script \\"\$renew_tlsa_record\"! \\n"
fi
continue
;;
esac
fi # if ! \${generate_tlsa_202} ; then
# - To avoid multiple reloading og one and the same zone, we only
# - collect the zones, having to reload, at this time and do the
@ -3898,6 +4065,19 @@ echononl " Install script \"dh_tlsgen.sh\" into ${DH_BASE_DIR}/tools/"
cat <<EOF > ${DH_BASE_DIR}/tools/dh_tlsgen.sh
#!/usr/bin/env bash
## ------------------------------------------------------------------------------
## --- All Configurations will be done in ${DH_CONF_DIR}/dehydrated_cron.conf
## ------------------------------------------------------------------------------
if [[ -f "${DH_CONF_DIR}/dehydrated_cron.conf" ]]; then
source ${DH_CONF_DIR}/dehydrated_cron.conf
else
echo
echo -e " [ Error ]: No Configuration File found. Exiting now!"
echo
exit 1
fi
if [[ \$# -ne 1 ]] ; then
echo -e "\n usage: \$(basename "\$0") <hostname:port>\n"
exit
@ -3911,9 +4091,9 @@ IFS=\$CUR_IFS
port=\${_tmp_arr[1]}
hostname=\${_tmp_arr[0]}
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem
tlsa_record_311=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 3 1 1 %s\n' \\
printf "_%s._tcp.%s. \${ttl_311} IN TLSA 3 1 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey |
@ -3922,9 +4102,9 @@ tlsa_record_311=\$(
hexdump -ve '/1 "%02x"')"
)
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
cert=${DH_BASE_DIR}/certs/\${hostname}/cert.pem
tlsa_record_301=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 3 0 1 %s\n' \\
printf "_%s._tcp.%s. \${ttl_301} IN TLSA 3 0 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
@ -3933,9 +4113,9 @@ tlsa_record_301=\$(
)
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_211_chain=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 1 1 %s\n' \\
printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey |
@ -3944,9 +4124,9 @@ tlsa_record_211_chain=\$(
hexdump -ve '/1 "%02x"')"
)
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_201_chain=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 0 1 %s\n' \\
printf "_%s._tcp.%s. \${ttl_201} IN TLSA 2 0 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
@ -3954,9 +4134,9 @@ tlsa_record_201_chain=\$(
hexdump -ve '/1 "%02x"')"
)
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
cert=${DH_BASE_DIR}/certs/\${hostname}/chain.pem
tlsa_record_202_chain=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 0 2 %s\n' \\
printf "_%s._tcp.%s. \${ttl_202} IN TLSA 2 0 2 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -outform DER |
@ -3965,10 +4145,10 @@ tlsa_record_202_chain=\$(
)
tlsa_record_211_root=""
cert=/var/lib/dehydrated/certs/\${hostname}/root.ca
cert=${DH_BASE_DIR}/certs/\${hostname}/root.ca
if [[ -f "\$cert" ]]; then
tlsa_record_211_root=\$(
printf '_%s._tcp.%s. 3600 IN TLSA 2 1 1 %s\n' \\
printf "_%s._tcp.%s. \${ttl_211} IN TLSA 2 1 1 %s\n" \\
\$port \\
\$hostname \\
"\$(openssl x509 -in \$cert -noout -pubkey |
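Review bot: The new TLSA 3 0 1 block in the generated cron script (hunk around `-2055,15 +2079,140`) stores its record in the wrong variable and hashes the wrong object: the assignment reads `tlsa_record_311=\$(` where `tlsa_record_301=\$(` is meant, and the pipeline extracts the public key (`-noout -pubkey | openssl pkey -pubin -outform DER`), which is selector 1 (SubjectPublicKeyInfo) data, while selector 0 is defined as the digest of the whole certificate, so the published record would be labelled `3 0 1` but carry the `3 1 1` digest and a DANE validator matching it against the full certificate would never succeed. The dh_tlsgen.sh counterpart in this same commit does it correctly (`openssl x509 -in \$cert -outform DER |`), so the fix is `\$(openssl x509 -in ${DH_BASE_DIR}/certs/\${_tmp_arr[0]}/cert.pem -outform DER |` followed directly by `openssl dgst -sha256 -binary |`, and `"sudo \$renew_tlsa_record \$tlsa_record_301 > /dev/null 2>&1"` in the ssh call. The defect is dormant with the shipped default `generate_tlsa_301=false` but fires as soon as an operator enables it, and the clobbered `tlsa_record_311` misleads anyone reading the script afterwards. The same block also drops the closing quote in the unknown-exit-code fallback message (`\\"\$renew_tlsa_record\! \\n"` versus `\\"\$renew_tlsa_record\"! \\n"` used in the other blocks). These lines sit inside the heredoc that writes the cron script, whose start and end lie outside the hunk.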