I've written a lua script to help roll over dnscrypt certs hourly.
Making it available to anyone who might find it helpful; I make no claims about
how many bugs it may have. Feel free to update and repost.

To use: call `certrot_init(privkeyfile)` on load in config, and call
`certrot_genRotate()` hourly via cron

Default valid range is from -1h to +2h. genRotate will create a new
cert, apply it to all binds, move all other certs to inactive
status, and remove any whose validUntil is already in the past.

< file attached and available at: https://pastebin.com/bNdygNxz >
--certrot v1 for dnsdist v1.3+
--- Count the DNSCrypt binds configured in dnsdist.
-- dnsdist exposes no bind count here, so indices are probed upward from 0
-- until looking a bind up (or touching its first certificate pair) throws.
-- NOTE(review): a bind whose getCertificatePair(0) raises for a reason other
-- than "no such bind" would end the count early — verify against dnsdist.
-- @treturn number number of binds found
function certrot_getDNSCryptBindAmount()
    local count = 0
    local function probe(idx)
        getDNSCryptBind(idx):getCertificatePair(0)
    end
    repeat
        local ok = pcall(probe, count)
        if ok then
            count = count + 1
        end
    until not ok
    return count
end
--- Initialise certificate rotation; call once from the dnsdist config on load.
-- Records the provider private key path, loads a leftover cert/key from a
-- previous run (inactive) on every bind, then performs the first rotation.
-- @tparam string keyfile full path to the provider private key
function certrot_init(keyfile) --call this function on load, param: full path to provider private key
    -- Deliberately a global: certrot_genRotate() is invoked from cron with no
    -- arguments and reads the key path from here.
    certrot_keyfile = keyfile
    -- Best effort: if the previous run's cert/key are still on disk, load
    -- them inactive so clients that still hold that cert keep working until
    -- the rotation below replaces it. The whole lookup+load sits inside
    -- pcall so a missing file or a bad bind index just stops the loop.
    -- NOTE(review): /tmp is typically world-writable, and this is a fixed,
    -- predictable path for private key material that gets loaded here —
    -- prefer a dedicated directory with restricted permissions.
    local function loadOldInactive(idx)
        getDNSCryptBind(idx):loadNewCertificate("/tmp/resolver.cert", "/tmp/resolver.key", false)
    end
    local bindCount = certrot_getDNSCryptBindAmount()
    local idx = 0
    while idx < bindCount and pcall(loadOldInactive, idx) do
        idx = idx + 1
    end
    certrot_genRotate()
end
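--- Generate a fresh DNSCrypt certificate and rotate it in on every bind.
-- Intended to be run hourly from cron. Reads the provider key path from the
-- global certrot_keyfile set by certrot_init().
-- For each bind: loads the new cert, marks every other active cert inactive,
-- and removes any cert whose end timestamp is already in the past.
function certrot_genRotate() --cron this function hourly
    -- Same paths certrot_init() reloads from on startup.
    -- NOTE(review): /tmp is typically world-writable; a fixed, predictable
    -- path there for the resolver private key is risky — prefer a dedicated
    -- directory with restricted permissions.
    local certFile = "/tmp/resolver.cert"
    local keyFile = "/tmp/resolver.key"
    local timeNow = os.time()
    local validFrom = timeNow - 3660 --1h1m in past
    local validUntil = timeNow + 7260 --2h1m in future
    -- The serial is the generation timestamp; the loop below relies on it to
    -- tell the just-generated cert apart from older ones.
    generateDNSCryptCertificate(certrot_keyfile, certFile, keyFile, timeNow, validFrom, validUntil) --gen cert
    for i = 0, certrot_getDNSCryptBindAmount() - 1 do
        local bind = getDNSCryptBind(i) -- looked up once per bind instead of on every use
        bind:loadNewCertificate(certFile, keyFile) --apply cert
        for _, pair in pairs(bind:getCertificatePairs()) do
            local cert = pair:getCertificate()
            local serial = cert:getSerial()
            if serial ~= timeNow then
                if pair:isActive() then --mark everything but the new one inactive
                    bind:markInactive(serial)
                end
                if cert:getTSEnd() < timeNow then --remove expired certs
                    bind:removeInactiveCertificate(serial)
                end
            end
        end
    end
end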