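#!/bin/bash
# Monitor certificate file and update TLSA records when it changes.
#
# The certificate's modification time and SHA-256 fingerprint are compared
# against the values recorded on the previous run; when either differs the
# TLSA update script is invoked. State is persisted as two `key=value` lines
# (previousMtime, previousHash) in $stateFile.
#
# Exit status: 0 when no change was detected or the update succeeded; 1 when
# the certificate is missing or unreadable, the update script is missing, not
# executable or fails, or the state file cannot be written.

# -u catches unset-variable typos. pipefail makes a failing `openssl` in the
# fingerprint pipeline abort the run instead of producing an empty hash that
# would be mistaken for a certificate change and then recorded as state.
set -euo pipefail

# Configuration.
certFile="/var/deploy/mailcow/data/assets/ssl/cert.pem"
stateFile="/var/deploy/scripts/.tlsa-state"
updateScript="/var/deploy/scripts/update-tlsa.sh"

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Load the previous run's state.
# Globals:   stateFile (read), previousMtime / previousHash (written)
# Outputs:   nothing
# Returns:   0
#
# Defaults to previousMtime=0 and previousHash="" when the state file does
# not exist. Only the two known keys are honoured; any other line is ignored,
# so a modified state file cannot execute code the way `source` would.
#######################################
read_state() {
  previousMtime=0
  previousHash=""
  [[ -f "$stateFile" ]] || return 0
  local key value
  # `|| [[ -n "$key" ]]` still handles a final line with no trailing newline.
  while IFS='=' read -r key value || [[ -n "$key" ]]; do
    case "$key" in
      previousMtime) previousMtime=$value ;;
      previousHash) previousHash=$value ;;
      *) ;;
    esac
  done < "$stateFile"
}

#######################################
# Persist the current run's state.
# Globals:   stateFile, currentMtime, currentHash (read)
# Outputs:   writes key=value lines to $stateFile
# Returns:   0, or exits via die on failure
#
# Writes to a temporary file in the same directory and renames it into place
# so a concurrent reader never observes a partially written state file.
#######################################
save_state() {
  local tmp
  tmp=$(mktemp -- "${stateFile}.XXXXXX") \
    || die "Cannot create temporary state file next to: $stateFile"
  printf 'previousMtime=%s\npreviousHash=%s\n' "$currentMtime" "$currentHash" > "$tmp" \
    || { rm -f -- "$tmp"; die "Cannot write state file: $stateFile"; }
  mv -f -- "$tmp" "$stateFile" \
    || { rm -f -- "$tmp"; die "Cannot replace state file: $stateFile"; }
}

# Check if certificate file exists.
[[ -f "$certFile" ]] || die "Certificate file not found: $certFile"

# Get certificate modification time (GNU stat first, BSD stat as fallback)
# and the SHA-256 fingerprint as bare hex digits.
currentMtime=$(stat -c %Y "$certFile" 2>/dev/null || stat -f %m "$certFile" 2>/dev/null) \
  || die "Cannot read modification time of: $certFile"
currentHash=$(openssl x509 -in "$certFile" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':') \
  || die "Cannot compute fingerprint of: $certFile"
# Anything other than 64 hex digits means openssl printed something unexpected;
# refuse to act on it rather than treat it as a new certificate.
[[ "$currentHash" =~ ^[0-9A-Fa-f]{64}$ ]] \
  || die "Unexpected fingerprint output for $certFile: '$currentHash'"

# Read previous state.
read_state

# Check if certificate has changed.
if [[ "$currentMtime" != "$previousMtime" || "$currentHash" != "$previousHash" ]]; then
  printf '%s\n' "Certificate changed detected. Updating TLSA records..."

  # Run update script. State is saved only after it succeeds, so a failed
  # update is retried on the next run instead of being silently forgotten.
  [[ -x "$updateScript" ]] \
    || die "ERROR: Update script not found or not executable: $updateScript"
  "$updateScript" || die "ERROR: Update script failed with status $?: $updateScript"

  # Save new state.
  save_state

  printf '%s\n' "TLSA records updated successfully"
else
  printf '%s\n' "No certificate changes detected"
fi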