I’ve created a little script to automatically publish the TLSA records. Just in case someone needs it. It creates new TLSA records and adds them to DNS but is not replacing the old certificates because you should wait a few hours until they are published to all DNS servers.
```bash
#!/bin/bash
LE=/etc/letsencrypt
LEROOT=/root/letsencrypt
LEBIN=letsencrypt-auto
NSU=/root/nsupdate.txt
cd "$LEROOT" || exit 1
COUNT=0
# Renew the web certificates with the webroot plugin; every domain has its own webroot.
for DOMAIN in d1.tld d2.tld d3.tld
do
    case $COUNT in
        0 )
            WEBROOT=/var/www/d1
            ;;
        1 )
            WEBROOT=/var/www/d2
            ;;
        2 )
            WEBROOT=/var/www/d3
            ;;
        * )
            WEBROOT=/var/www/d1
            ;;
    esac
    ./$LEBIN certonly -d "$DOMAIN" --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path "$WEBROOT" --renew-by-default --rsa-key-size 4096
    echo "$DOMAIN $WEBROOT"
    let "COUNT += 1"
done
# The mail host is renewed in standalone mode, so nginx must release the ports for a moment.
/etc/init.d/nginx stop
./$LEBIN certonly -d mx01.d1.tld --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default
/etc/init.d/nginx start
# live/ now points at the NEW certificates: take their TLSA "3 0 1" data (SHA-256 over the
# DER-encoded leaf certificate; openssl x509 only reads the first certificate in fullchain.pem).
KEY=$(openssl x509 -in "$LE/live/mx01.d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')
KEY2=$(openssl x509 -in "$LE/live/d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')
# Point live/ back at the PREVIOUS certificate (second-newest by mtime) so the services keep
# serving the certificate whose TLSA record is already in DNS.
for DOMAIN in d1.tld mx01.d1.tld
do
    cd "$LE/live/$DOMAIN" || exit 1   # never run "rm -f *" in the wrong directory
    rm -f ./*
    FULLPATH=$(ls -tr "$LE/archive/$DOMAIN"/cert*.pem | head -n -1 | tail -1)
    # First run: there is no previous certificate yet, fall back to the only one.
    [ -n "$FULLPATH" ] || FULLPATH=$(ls -tr "$LE/archive/$DOMAIN"/cert*.pem | tail -1)
    CERT=$(basename "$FULLPATH")
    NUMBER=$(echo "$CERT" | sed 's/cert//;s/\.pem//')
    ln -s "../../archive/$DOMAIN/cert$NUMBER.pem" cert.pem
    ln -s "../../archive/$DOMAIN/chain$NUMBER.pem" chain.pem
    ln -s "../../archive/$DOMAIN/fullchain$NUMBER.pem" fullchain.pem
    ln -s "../../archive/$DOMAIN/privkey$NUMBER.pem" privkey.pem
done
/etc/init.d/dovecot restart
/etc/init.d/postfix restart
# Publish the new TLSA records next to the old ones (nsupdate -l uses the local session key).
echo "ttl 60" > "$NSU"
echo "update add _25._tcp.mx01.d1.tld. IN TLSA 3 0 1 $KEY" >> "$NSU"
echo "update add _443._tcp.d1.tld. IN TLSA 3 0 1 $KEY2" >> "$NSU"
echo send >> "$NSU"
nsupdate -l "$NSU"
```
Replacing the old certificates requires another script to run a few hours later:
```bash
#!/bin/bash
LE=/etc/letsencrypt
NSU=/root/nsupdate_del.txt
# Point live/ at the NEWEST certificate (the one whose TLSA record was published hours ago).
for DOMAIN in d1.tld mx01.d1.tld
do
    cd "$LE/live/$DOMAIN" || exit 1   # never run "rm -f *" in the wrong directory
    rm -f ./*
    FULLPATH=$(ls -tr "$LE/archive/$DOMAIN"/cert*.pem | tail -1)
    CERT=$(basename "$FULLPATH")
    NUMBER=$(echo "$CERT" | sed 's/cert//;s/\.pem//')
    ln -s "../../archive/$DOMAIN/cert$NUMBER.pem" cert.pem
    ln -s "../../archive/$DOMAIN/chain$NUMBER.pem" chain.pem
    ln -s "../../archive/$DOMAIN/fullchain$NUMBER.pem" fullchain.pem
    ln -s "../../archive/$DOMAIN/privkey$NUMBER.pem" privkey.pem
done
KEY=$(openssl x509 -in "$LE/live/mx01.d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')
KEY2=$(openssl x509 -in "$LE/live/d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')
# Replace the TLSA RRsets in one update: delete only the TLSA records at each name (not every
# record type), then re-add the record for the certificate that is now live.
echo "ttl 60" > "$NSU"
echo "update delete _25._tcp.mx01.d1.tld. IN TLSA" >> "$NSU"
echo "update add _25._tcp.mx01.d1.tld. IN TLSA 3 0 1 $KEY" >> "$NSU"
echo "update delete _443._tcp.d1.tld. IN TLSA" >> "$NSU"
echo "update add _443._tcp.d1.tld. IN TLSA 3 0 1 $KEY2" >> "$NSU"
echo send >> "$NSU"
nsupdate -l "$NSU"
/etc/init.d/dovecot restart
/etc/init.d/postfix restart
/etc/init.d/nginx restart
```
So are there any suggestions for improvement?
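The second script above runs blind after a fixed delay. As an added example (not part of the original post), this helper checks whether the new "3 0 1" record is actually visible in DNS before the certificates are swapped. It assumes the same archive layout as the scripts above and that `dig` and `openssl` are installed; the function names are my own.

```bash
#!/bin/bash
# Gate the certificate swap on the new TLSA record being published, instead of on a fixed delay.

# Data field of a "TLSA 3 0 1" record for a PEM certificate:
# SHA-256 over the DER-encoded leaf certificate, as lower-case hex.
tlsa_3_0_1_hash() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print tolower($NF)}'
}

# tlsa_published RECORDS HASH: succeed when HASH appears as a "3 0 1" record in RECORDS
# (the output of "dig +short TLSA name"). dig may print long hex data as several
# blank-separated chunks, so the chunks are joined before comparing.
tlsa_published() {
  local want
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  printf '%s\n' "$1" | awk -v want="$want" '
    $1 == 3 && $2 == 0 && $3 == 1 {
      data = ""
      for (i = 4; i <= NF; i++) data = data $i
      if (tolower(data) == want) { found = 1; exit }
    }
    END { exit !found }'
}

# tlsa_record_count RECORDS: number of "3 0 1" records currently published.
# During the rollover there should be exactly two (old and new).
tlsa_record_count() {
  printf '%s\n' "$1" | awk '$1 == 3 && $2 == 0 && $3 == 1 { n++ } END { print n + 0 }'
}

# tlsa_swap_ready NAME CERT_PEM: query DNS for NAME and succeed only when the hash of
# CERT_PEM is already served, i.e. when the second script may safely run.
tlsa_swap_ready() {
  local records hash
  records=$(dig +short TLSA "$1") || return 2
  hash=$(tlsa_3_0_1_hash "$2") || return 2
  tlsa_published "$records" "$hash"
}

# Usage: ./tlsa_gate.sh _25._tcp.mx01.d1.tld. /etc/letsencrypt/archive/mx01.d1.tld/cert2.pem
if [ $# -eq 2 ]; then
  if tlsa_swap_ready "$1" "$2"; then
    echo "new TLSA record for $1 is published; safe to swap certificates"
  else
    echo "new TLSA record for $1 not visible yet; do not swap" >&2
    exit 1
  fi
fi
```

Run it against each authoritative server (`dig @ns1 ...`) rather than a caching resolver if you want to know the record has reached every nameserver, not just the one you asked.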