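#!/bin/bash
# Script to automatically update TLSA records when certificates are renewed.
# This should be triggered by certdumper or Traefik certificate renewal.
#
# Environment (all optional, defaults below):
#   MAILCOW_HOSTNAME     host the TLSA records are published for
#   DOMAIN               DNS zone the records live in
#   DNS_API_KEY, DNS_API_PASSWORD, DNS_CUSTOMER_NUMBER
#                        DNS provider API credentials; when any is unset the
#                        record values are only logged for manual entry

# -e: abort on an unhandled failure; -u: referencing an unset variable is an
# error; -o pipefail: a pipeline fails when any stage fails. pipefail matters
# for the openssl pipeline that derives the TLSA hash: without it a failed
# `openssl x509`/`openssl pkey` stage still hands an empty stream to
# `openssl dgst`, which prints the SHA-256 of the empty string as if it were
# a valid digest.
set -euo pipefail

# Configuration.
mailcowHostname="${MAILCOW_HOSTNAME:-mail.nasarek.dev}"
domain="${DOMAIN:-nasarek.dev}"
# Credentials come from the environment only. They must not be logged or put
# on a command line, where they would be visible in `ps` and `set -x` output.
dnsApiKey="${DNS_API_KEY:-}"
dnsApiPassword="${DNS_API_PASSWORD:-}"
dnsCustomerNumber="${DNS_CUSTOMER_NUMBER:-}"

# Paths (constants).
readonly certFile="/var/deploy/mailcow/data/assets/ssl/cert.pem"
readonly logFile="/var/deploy/scripts/tlsa-update.log"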
# Logging function: prefix the message with a timestamp, print it to stdout
# and append the same line to $logFile.
# Globals:   logFile (read)
# Arguments: $* - message words, joined by single spaces
# Outputs:   "[YYYY-mm-dd HH:MM:SS] message" on stdout and in the log file
log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] %s\n' "$stamp" "$*" | tee -a "$logFile"
}
# Abort early when the certificate file is missing; nothing else can be done
# without it.
[[ -f "$certFile" ]] || {
  log "ERROR: Certificate file not found: $certFile"
  exit 1
}
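# Generate the TLSA "3 1 1" payload for a certificate: the SHA-256 digest
# (matching type 1) of the DER-encoded SubjectPublicKeyInfo (selector 1).
# Globals:   none (log() is called for errors)
# Arguments: $1 - path to a PEM certificate
# Outputs:   64 lowercase hex characters on stdout
# Returns:   0 on success; 1 when the file is missing, an openssl stage
#            fails, or the output is not a SHA-256 hex digest
generateTlsaHash() {
  local certPath="$1"
  local hash

  if [[ ! -f "$certPath" ]]; then
    log "ERROR: Certificate file not found: $certPath"
    return 1
  fi

  # pipefail is enabled inside the command-substitution subshell only, so a
  # failing x509/pkey stage propagates instead of feeding an empty stream to
  # `openssl dgst`, which would otherwise print the digest of the empty
  # string and look like a valid result. $NF tolerates both the
  # "(stdin)= <hex>" and "SHA256(stdin)= <hex>" output layouts.
  hash=$(
    set -o pipefail
    openssl x509 -in "$certPath" -noout -pubkey \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
  ) || {
    log "ERROR: Failed to derive public key digest from: $certPath"
    return 1
  }

  # Only a 64-hex-digit SHA-256 is a valid 3 1 1 payload; refuse anything else
  # so a broken toolchain cannot end up in a published DNS record.
  if [[ ! "$hash" =~ ^[0-9a-f]{64}$ ]]; then
    log "ERROR: Unexpected digest output for $certPath: ${hash}"
    return 1
  fi

  printf '%s\n' "$hash"
}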
# Update TLSA record via DNS provider API.
|
|
updateTlsaRecord() {
|
|
local port="$1"
|
|
local hash="$2"
|
|
local recordName="_${port}._tcp.${mailcowHostname}"
|
|
|
|
log "Updating TLSA record: ${recordName}"
|
|
|
|
# Check if DNS provider API credentials are configured.
|
|
if [ -z "$dnsApiKey" ] || [ -z "$dnsApiPassword" ] || [ -z "$dnsCustomerNumber" ]; then
|
|
log "WARNING: DNS provider API credentials not configured. TLSA record needs manual update:"
|
|
log " ${recordName} TLSA 3 1 1 ${hash}"
|
|
return 1
|
|
fi
|
|
|
|
# DNS provider API call would go here.
|
|
# For now, we'll log the required values.
|
|
log "INFO: Use DNS provider API to update:"
|
|
log " Record: ${recordName}"
|
|
log " Type: TLSA"
|
|
log " Value: 3 1 1 ${hash}"
|
|
|
|
# TODO: Implement DNS provider API call.
|
|
# Example for Netcup:
|
|
# curl -X POST https://ccp.netcup.net/run/webservice/servers/endpoint.php \
|
|
# -d "apikey=${dnsApiKey}&apipassword=${dnsApiPassword}&customernumber=${dnsCustomerNumber}&domainname=${domain}&dnsrecordset=..."
|
|
}
|
|
|
|
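# Main execution: derive the hash once and emit the record for every mail
# port. Each port is handled independently so that a failure on one (for
# example missing credentials, which makes updateTlsaRecord return 1) still
# logs the manual record values for the remaining ports; under `set -e` a
# bare call would abort the script after the first port.
# Globals:   certFile (read)
# Arguments: none (command-line arguments are ignored)
# Returns:   exits 1 when the hash cannot be derived or any port failed,
#            0 otherwise
main() {
  local -r mailPorts=(25 465 587)
  local tlsaHash port
  local failed=0

  log "Starting TLSA record update check..."

  # Generate hash from current certificate. The assignment sits inside the
  # condition so `set -e` does not abort before the error is logged.
  if ! tlsaHash=$(generateTlsaHash "$certFile") || [[ -z "$tlsaHash" ]]; then
    log "ERROR: Failed to generate TLSA hash"
    exit 1
  fi

  log "Generated TLSA hash: ${tlsaHash}"

  # Update TLSA records for all mail ports; remember failures, keep going.
  for port in "${mailPorts[@]}"; do
    updateTlsaRecord "$port" "$tlsaHash" || failed=1
  done

  if (( failed )); then
    log "TLSA update check completed with errors"
    exit 1
  fi
  log "TLSA update check completed"
}

main "$@"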