Attached is a bash script that I am developing to automate the
generation of TLSA records from Letsencrypt certificates.
the script is called from the certbot renew hook, it can also be run
stand alone - Certbot_TLSAgen path-to-certificate "space separated list
of domains included in cert"
It seems to work, but would some kind sole take a look and where I have
or are about to screw up.
Any suggestions as to how to get the output into my DNS (Bind9)
preferably without using nsupdate. I am not keen on nsupdate as it makes
a mess of the zone files, which I use as documentation for my DNS.
Has anybody heard of a electronic "one time pad" system.
TIA
JohnA
#!/bin/bash
#=====================================================================================================================
#
# Copyright (c) 2017 John L. Allen
#
# This program is free software: you can redistribute it and/or modify it
under the terms of the
# GNU General Public License as published by the Free Software Foundation,
either version 3 of the License,
# or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY;
# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#=====================================================================================================================
declare -a TLSA_Services=( smtp imap submission sieve dav davical https )
# An arrrayof services for which TLSA might be needed
# these two variables are ????
Certbot_Lineage=
# path to the certbot generated cert ...(RENEWED_LINEAGE or $1)
declare -a Certbot_Domains
# An array into which RENEWED_DOMAINS or $2 Domains are split
# default values
#TLSA_File_Path="/etc/bind/tlsa/"
# where do you want to put the TLSA records, default values
TLSA_File_Path="./tlsa_test/"
# where do you want to put the TLSA records, default values -
during testing
TLSA_Filename_Base="tlsa"
# base filename for the TLSA records - generated as
base_filename.sequence_number
TLSA_TTL=3600
# TLSA DNS record TTL
TLSA_Usage=3
# TLSA usage
TLSA_Selector=1
# TLSA selector
TLSA_Type=1
# TLSA type
#
#=====================================================================================================================
#===================Message output function - will need changing to output
multi language message=====================
function error_message() {
echo $1 1>&2
exit 1
}
#=====================================================================================================================
#================ Check of either the Certbot set environment variables or the
command line paramater=================
#================ depending upon how this script is invocked
=================
#=====================================================================================================================
function Check_Env_Variables()
{
# Has command line parameter 1 or the environment variable
RENEWED_LINEAGE been set.
# The Command line parameter overides the environment variable
[[ -z $RENEWED_LINEAGE ]] && Certbot_Lineage=$1 ||
Certbot_Lineage=$RENEWED_LINEAGE
if [[ -z $Certbot_Lineage ]]; then
error_code= $(error_message "Command line parameter 1 or the
evironment variable \"RENEWED_LINEAGE\" was not set, exiting")
elif ! [[ -d $Certbot_Lineage ]]; then
error_code= $(error_message "Command line parameter 1 or the
evironment variable \"RENEWED_LINEAGE\" is not a directory, exiting")
fi
# Has command line parameter 2 or the environment variable
RENEWED_DOMAINS been set.
# The Command line parameter overides the environment variable
# If more than one domain is specified they are expected to be in
the form of a space seperated list
[[ -z $RENEWED_DOMAINS ]] && Certbot_Domains=( $2 ) ||
Certbot_Domains=( ${RENEWED_DOMAINS} )
if [[ ${#Certbot_Domains[@]} -le 0 ]]; then
error_code=$(error_message "Command line parameter 2 or the
evironment variable \"RENEWED_DOMAINS\" was not set, exiting")
fi
# Check that the TLSA_File_Path is the location (directory) where files
containing the generated TLSA records will be put
#
if ! [ -d $TLSA_File_Path ]; then
error_code=$(error_message "the directory $TLSA_File_Path does not
exist, please specify where the generated records are to be stored")
fi
# Check that the TLSA filename base has been set.
# The filename base is used to generate actual filenames in the
form of base.sequence
#
if [ -z "$TLSA_Filename_Base" ]; then
error_code=$(error_message "Please specify a base filename into
which the generated TLSA records can be placed")
fi
return $error_code
}
#=====================================================================================================================
#=======Set the output file name, including path.
#=======The filename is derived from TLSA_Filename_Base plus a generated serial
number suffix
zzz=" "
function Set_Output_Destination()
{
count=$( ls -1 $1 | wc -l )
name=$(printf "%s%s.%04d" "$1" "$2" "$count")
while [ -a $name ]; do
count=$(( $count+1))
name=$(printf "%s%s.%04d" "$1" "$2" "$count")
done
echo $name
}
#=====================================================================================================================
#********************************************************************************************************************
#********************************************************************************************************************
# THe following functions were stolen from Viktor Dukhovni's
tlsagen
#********************************************************************************************************************
#********************************************************************************************************************
#=====================================================================================================================
extract() {
case "$1" in
0) openssl x509 -in "$2" -outform DER;;
1) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER;;
esac
}
digest() {
case "$1" in
0) cat;;
1) openssl dgst -sha256 -binary;;
2) openssl dgst -sha512 -binary;;
esac
}
Set_TLSA_Usage() {
case "$(echo $1 | tr '[A-Z]' '[a-z]')" in
0|pkix-[ct]a) TLSA_usage=0;;
1|pkix-ee) TLSA_usage=1;;
2|dane-[ct]a) TLSA_usage=2;;
3|dane-ee) TLSA_usage=3;;
*) error "Invalid certificate usage: $1";;
esac
}
Set_TLSA_Selector() {
case "$(echo $1 | tr '[A-Z]' '[a-z]')" in
0|cert) TLSA_selector=0;;
1|spki|pkey) TLSA_selector=1;;
*) error "Invalid selector: $1";;
esac
}
Set_TLSA_Type() {
case "$(echo $1 | tr '[A-Z]' '[a-z]')" in
0|full) TLSA_Type=0;;
1|sha2-256|sha256|sha-256) TLSA_Type=1;;
2|sha2-512|sha512|sha-512) TLSA_Type=2;;
*) error "Invalid matching type: $1";;
esac
}
#=====================================================================================================================
#=====================================================================================================================
# as we cannot pass and parameters when this is called from the
certbot renew hooks
# we will have to put them somewhere else,
# Defailt for general parameters
#
if [ -f /etc/default/Cerbot_TLSAgen.cf ]; then .
/etc/default/Cerbot_TLSAgen.cf; fi
Check_Env_Variables "$1" "$2"
# If we are running as a command then
these two should be set, if not certbot environment variables should be
[[ $? != 0 ]] && exit
# ooops! exit. this needs some
improvement
#******needs testing
# Certbot_Lineage should now be set, so pick up any cert based
paramamters from the ".../live/certname" directory
#
if [ -f ${Certbot_Lineage}Certbot_TLSAgen.cf ]; then .
${Certbot_Lineage}Certbot_TLSAgen.cf; fi
TLSA_Record_Store=$(Set_Output_Destination $TLSA_File_Path $TLSA_Filename_Base)
# generate the output file location
Path + generate filename
[[ $? != 0 ]] && exit
# ooops! exit. this needs some
improvement
TLSA_Digest=$( extract $TLSA_Selector ${Certbot_Lineage}cert.pem | digest
$TLSA_Type | od -vAn -tx1 | tr -d ' \012' # Generate the TLSA key as a HEX
string. As we are dealiing with a single cert do this once
exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} |
${PIPESTATUS[2]} )) )
[[ $? != 0 ]] && exit
# ooops! exit. this needs some
improvement
# for each (sub)domain listed, check to see if it is a service
doamin that we might like to have a TLSA record for
#
for domain in $( seq 0 $((${#Certbot_Domains[@]} -1 )) ); do
TLSA_target=${Certbot_Domains[domain]%.}
# I am not sure whether the Cerbot list
of (sub)domains has a trailing "."
TLSA_domain=${TLSA_target#*.}
# Hopefully this will strip off the
sub-domain part giving me a domain-name + TLD
if [[ -z "${TLSA_domain##*.*}" ]]; then
# Primitive test - if there is a "."
this is likely to be domin + TLD
for service in $( seq 0 $((${#TLSA_Services[@]} -1 )) ); do
# Do this for each of the services that
might us a TLSA record
while read srv_priority srv_weight srv_port srv_host;
# read the out put of a DIG for a SRV
record
do
if [ ${srv_host%.} == $TLSA_target ]; then
# if the host returned by dig = the
Cerbot target output a TLSA record
printf "_%d._tcp.%s %d IN TLSA %d %d %d %s\n"\
"$srv_port" "$srv_host" "$TLSA_TTL"
"$TLSA_Usage" "$TLSA_Selector" "$TLSA_Type" "$TLSA_Digest" >>
$TLSA_Record_Store
fi
done < <(dig SRV
_${TLSA_Services[$service]}._tcp.${TLSA_domain} +short)
#
done
# SOA_domain=$TLSA_domain
# read soa_ns soa_admin soa_seq soa_t1 soa_t2 soa_t3 soa_t4 < <(dig SOA
$SOA_domain +short)
fi
done
