now with dnsec
This commit is contained in:
parent
b006c8f809
commit
fb22e9cab4
118 changed files with 8306 additions and 2337 deletions
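--- a/scripts/update-tlsa.sh
+++ b/scripts/update-tlsa.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Script to automatically update TLSA records when certificates are renewed.
+# This should be triggered by certdumper or Traefik certificate renewal.
+
+set -e
+
+# Configuration.
+mailcowHostname="${MAILCOW_HOSTNAME:-mail.nasarek.dev}"
+domain="${DOMAIN:-nasarek.dev}"
+dnsApiKey="${DNS_API_KEY:-}"
+dnsApiPassword="${DNS_API_PASSWORD:-}"
+dnsCustomerNumber="${DNS_CUSTOMER_NUMBER:-}"
+
+# Paths.
+certFile="/var/deploy/mailcow/data/assets/ssl/cert.pem"
+logFile="/var/deploy/scripts/tlsa-update.log"
+
+# Logging function.
+log() {
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$logFile"
+}
+
+# Check if certificate file exists.
+if [ ! -f "$certFile" ]; then
+log "ERROR: Certificate file not found: $certFile"
+exit 1
+fi
+
+# Generate TLSA hash from certificate.
+generateTlsaHash() {
+local certPath="$1"
+if [ ! -f "$certPath" ]; then
+log "ERROR: Certificate file not found: $certPath"
+return 1
+fi
+
+openssl x509 -in "$certPath" -noout -pubkey | \
+openssl pkey -pubin -outform der | \
+openssl dgst -sha256 | \
+awk '{print $2}'
+}
+
+# Update TLSA record via DNS provider API.
+updateTlsaRecord() {
+local port="$1"
+local hash="$2"
+local recordName="_${port}._tcp.${mailcowHostname}"
+
+log "Updating TLSA record: ${recordName}"
+
+# Check if DNS provider API credentials are configured.
+if [ -z "$dnsApiKey" ] || [ -z "$dnsApiPassword" ] || [ -z "$dnsCustomerNumber" ]; then
+log "WARNING: DNS provider API credentials not configured. TLSA record needs manual update:"
+log " ${recordName} TLSA 3 1 1 ${hash}"
+return 1
+fi
+
+# DNS provider API call would go here.
+# For now, we'll log the required values.
+log "INFO: Use DNS provider API to update:"
+log " Record: ${recordName}"
+log " Type: TLSA"
+log " Value: 3 1 1 ${hash}"
+
+# TODO: Implement DNS provider API call.
+# Example for Netcup:
+# curl -X POST https://ccp.netcup.net/run/webservice/servers/endpoint.php \
+# -d "apikey=${dnsApiKey}&apipassword=${dnsApiPassword}&customernumber=${dnsCustomerNumber}&domainname=${domain}&dnsrecordset=..."
+}
+
+# Main execution.
+main() {
+log "Starting TLSA record update check..."
+
+# Generate hash from current certificate.
+local tlsaHash
+tlsaHash=$(generateTlsaHash "$certFile")
+
+if [ -z "$tlsaHash" ]; then
+log "ERROR: Failed to generate TLSA hash"
+exit 1
+fi
+
+log "Generated TLSA hash: ${tlsaHash}"
+
+# Update TLSA records for all mail ports.
+updateTlsaRecord "25" "$tlsaHash"
+updateTlsaRecord "465" "$tlsaHash"
+updateTlsaRecord "587" "$tlsaHash"
+
+log "TLSA update check completed"
+}
+
+main "$@"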
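Review bot: Under the script's `set -e`, the first `updateTlsaRecord "25" "$tlsaHash"` call in main() aborts the whole run whenever the function returns 1, which is the default path because the credential check returns 1 when `DNS_API_KEY`, `DNS_API_PASSWORD` or `DNS_CUSTOMER_NUMBER` is unset; the 465 and 587 records are then never logged and "TLSA update check completed" never appears. Replace the three calls with `for port in 25 465 587; do updateTlsaRecord "$port" "$tlsaHash" || log "WARNING: TLSA update for port ${port} not completed"; done` so every port is handled and each outcome is visible in the log. Consider `set -eo pipefail` as well, since without it a failing `openssl x509` stage in generateTlsaHash only surfaces as an empty hash rather than as the stage that failed. Separately, the TODO example passes `apikey=`/`apipassword=` to curl via `-d` on the command line, where they are visible to other local users through `ps` and may end up in shell history; when the call is implemented, supply the body from a file or stdin (`-d @-`) instead of argv.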