Replace 'TLSA 2 1 1' with 'TLSA 2 0 1'.
This commit is contained in:
parent
49ef50b2b9
commit
fc889b5469
@ -1305,6 +1305,7 @@ get_domain_by_hostname=bind_get_domain_by_hostname.sh
|
|||||||
# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
|
# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
|
||||||
# -
|
# -
|
||||||
ttl_311=3600
|
ttl_311=3600
|
||||||
|
ttl_201=3600
|
||||||
ttl_211=3600
|
ttl_211=3600
|
||||||
|
|
||||||
|
|
||||||
@ -1426,6 +1427,7 @@ get_domain_by_hostname=bind_get_domain_by_hostname.sh
|
|||||||
# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
|
# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
|
||||||
# -
|
# -
|
||||||
ttl_311=360
|
ttl_311=360
|
||||||
|
ttl_201=360
|
||||||
ttl_211=360
|
ttl_211=360
|
||||||
|
|
||||||
|
|
||||||
@ -1998,15 +2000,14 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
|
|||||||
|
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# - Generate TLSA 2 1 1 record
|
# - Generate TLSA 2 0 1 record
|
||||||
# -
|
# -
|
||||||
\$verbose && echononl " Generate \\"TLSA 2 1 1\\" record from root certificate (root.ca).."
|
\$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
|
||||||
tlsa_record_211=\$(
|
tlsa_record_201=\$(
|
||||||
printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
|
printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
|
||||||
\${_tmp_arr[1]} \\
|
\${_tmp_arr[1]} \\
|
||||||
\${_tmp_arr[0]} \\
|
\${_tmp_arr[0]} \\
|
||||||
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
|
\$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
|
||||||
openssl pkey -pubin -outform DER |
|
|
||||||
openssl dgst -sha256 -binary |
|
openssl dgst -sha256 -binary |
|
||||||
hexdump -ve '/1 "%02x"')
|
hexdump -ve '/1 "%02x"')
|
||||||
)
|
)
|
||||||
@ -2015,9 +2016,9 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
|
|||||||
else
|
else
|
||||||
\$verbose && echo_failed
|
\$verbose && echo_failed
|
||||||
if \$verbose ; then
|
if \$verbose ; then
|
||||||
error "Generating \\"TLSA 2 1 1\\" record failed! "
|
error "Generating \\"TLSA 2 0 1\\" record failed! "
|
||||||
else
|
else
|
||||||
echo -e "\\n [ Error ]: Generating \\"TLSA 2 1 1\\" record failed! \\n"
|
echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
|
||||||
fi
|
fi
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
@ -2026,31 +2027,31 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
|
|||||||
# -
|
# -
|
||||||
\$verbose && echononl " Add/Renew Record in concerning zone file.."
|
\$verbose && echononl " Add/Renew Record in concerning zone file.."
|
||||||
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
|
ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
|
||||||
"sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1"
|
"sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
|
||||||
ret_val=\$?
|
ret_val=\$?
|
||||||
case \$ret_val in
|
case \$ret_val in
|
||||||
0)
|
0)
|
||||||
\$verbose && echo_skipped
|
\$verbose && echo_skipped
|
||||||
if \$verbose ; then
|
if \$verbose ; then
|
||||||
info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date."
|
info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
|
||||||
else
|
else
|
||||||
echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n"
|
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
1)
|
1)
|
||||||
\$verbose && echo_ok
|
\$verbose && echo_ok
|
||||||
if \$verbose ; then
|
if \$verbose ; then
|
||||||
info "TLSA 2 1 1 record for \\"\$hostname\\" replaced."
|
info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
|
||||||
else
|
else
|
||||||
echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n"
|
echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
\$verbose && echo_ok
|
\$verbose && echo_ok
|
||||||
if \$verbose ; then
|
if \$verbose ; then
|
||||||
info "New TLSA 2 1 1 record for \\"\$hostname\\" added."
|
info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
|
||||||
else
|
else
|
||||||
echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n"
|
echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
10)
|
10)
|
||||||
@ -2074,18 +2075,18 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
|
|||||||
20)
|
20)
|
||||||
\$verbose && echo_failed
|
\$verbose && echo_failed
|
||||||
if \$verbose ; then
|
if \$verbose ; then
|
||||||
error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
|
error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
|
||||||
else
|
else
|
||||||
echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
|
echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
|
||||||
fi
|
fi
|
||||||
continue
|
continue
|
||||||
;;
|
;;
|
||||||
21)
|
21)
|
||||||
\$verbose && echo_failed
|
\$verbose && echo_failed
|
||||||
if \$verbose ; then
|
if \$verbose ; then
|
||||||
error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
|
error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
|
||||||
else
|
else
|
||||||
echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
|
echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
|
||||||
fi
|
fi
|
||||||
continue
|
continue
|
||||||
;;
|
;;
|
||||||
@ -3468,7 +3469,7 @@ hostname=\${_tmp_arr[0]}
|
|||||||
|
|
||||||
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
|
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
|
||||||
tlsa_record_311=\$(
|
tlsa_record_311=\$(
|
||||||
printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' \\
|
printf '_%s._tcp.%s. 360 IN TLSA 3 1 1 %s\n' \\
|
||||||
\$port \\
|
\$port \\
|
||||||
\$hostname \\
|
\$hostname \\
|
||||||
"\$(openssl x509 -in \$cert -noout -pubkey |
|
"\$(openssl x509 -in \$cert -noout -pubkey |
|
||||||
@ -3479,7 +3480,7 @@ tlsa_record_311=\$(
|
|||||||
|
|
||||||
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
|
cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
|
||||||
tlsa_record_301=\$(
|
tlsa_record_301=\$(
|
||||||
printf '_%s._tcp.%s. IN TLSA 3 0 1 %s\n' \\
|
printf '_%s._tcp.%s. 360 IN TLSA 3 0 1 %s\n' \\
|
||||||
\$port \\
|
\$port \\
|
||||||
\$hostname \\
|
\$hostname \\
|
||||||
"\$(openssl x509 -in \$cert -outform DER |
|
"\$(openssl x509 -in \$cert -outform DER |
|
||||||
@ -3490,7 +3491,7 @@ tlsa_record_301=\$(
|
|||||||
|
|
||||||
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
|
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
|
||||||
tlsa_record_211_chain=\$(
|
tlsa_record_211_chain=\$(
|
||||||
printf '_%s._tcp.%s. IN TLSA 2 1 1 %s\n' \\
|
printf '_%s._tcp.%s. 360 IN TLSA 2 1 1 %s\n' \\
|
||||||
\$port \\
|
\$port \\
|
||||||
\$hostname \\
|
\$hostname \\
|
||||||
"\$(openssl x509 -in \$cert -noout -pubkey |
|
"\$(openssl x509 -in \$cert -noout -pubkey |
|
||||||
@ -3501,7 +3502,7 @@ tlsa_record_211_chain=\$(
|
|||||||
|
|
||||||
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
|
cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
|
||||||
tlsa_record_201_chain=\$(
|
tlsa_record_201_chain=\$(
|
||||||
printf '_%s._tcp.%s. IN TLSA 2 0 1 %s\n' \\
|
printf '_%s._tcp.%s. 360 IN TLSA 2 0 1 %s\n' \\
|
||||||
\$port \\
|
\$port \\
|
||||||
\$hostname \\
|
\$hostname \\
|
||||||
"\$(openssl x509 -in \$cert -outform DER |
|
"\$(openssl x509 -in \$cert -outform DER |
|
||||||
@ -3513,7 +3514,7 @@ tlsa_record_211_root=""
|
|||||||
cert=/var/lib/dehydrated/certs/\${hostname}/root.ca
|
cert=/var/lib/dehydrated/certs/\${hostname}/root.ca
|
||||||
if [[ -f "\$cert" ]]; then
|
if [[ -f "\$cert" ]]; then
|
||||||
tlsa_record_211_root=\$(
|
tlsa_record_211_root=\$(
|
||||||
printf '_%s._tcp.%s. IN TLSA 2 1 1 %s\n' \\
|
printf '_%s._tcp.%s. 360 IN TLSA 2 1 1 %s\n' \\
|
||||||
\$port \\
|
\$port \\
|
||||||
\$hostname \\
|
\$hostname \\
|
||||||
"\$(openssl x509 -in \$cert -noout -pubkey |
|
"\$(openssl x509 -in \$cert -noout -pubkey |
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user