Automated TLSA and DANE Records


#1

I’ve created a little script to automatically publish the TLSA records, just in case someone needs it. It creates new TLSA records and adds them to DNS but does not replace the old certificates, because you should wait a few hours until they are published to all DNS servers.

```bash
#!/bin/bash
# Step 1: issue the new certificates and publish their TLSA records, but keep
# the services on the previous certificates until the records have propagated.

LE=/etc/letsencrypt
LEROOT=/root/letsencrypt
LEBIN=letsencrypt-auto
NSU=/root/nsupdate.txt
ACME=https://acme-v01.api.letsencrypt.org/directory

cd "$LEROOT" || exit 1

# domain:webroot pairs for the webroot authenticator
for PAIR in d1.tld:/var/www/d1 d2.tld:/var/www/d2 d3.tld:/var/www/d3
do
    DOMAIN=${PAIR%%:*}
    WEBROOT=${PAIR#*:}

    ./"$LEBIN" certonly -d "$DOMAIN" --server "$ACME" -a webroot --webroot-path "$WEBROOT" --renew-by-default --rsa-key-size 4096

    echo "$DOMAIN $WEBROOT"
done

# The mail host has no web root: free port 443 for the standalone authenticator
/etc/init.d/nginx stop

./"$LEBIN" certonly -d mx01.d1.tld --server "$ACME" -a standalone --renew-by-default

/etc/init.d/nginx start

# live/ now points at the new certificates. openssl x509 reads only the first
# certificate in fullchain.pem (the leaf), which is what TLSA 3 0 1 hashes.
KEY=$(openssl x509 -in "$LE/live/mx01.d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')
KEY2=$(openssl x509 -in "$LE/live/d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')

# Point live/ back at the previous (second newest) certificate set
for DOMAIN in d1.tld mx01.d1.tld
do
    cd "$LE/live/$DOMAIN" || exit 1   # never run rm -f * in the wrong directory
    rm -f ./*

    FULLPATH=$(ls -tr "$LE/archive/$DOMAIN"/cert*.pem | head -n -1 | tail -1)
    CERT=$(basename "$FULLPATH")
    NUMBER=$(echo "$CERT" | sed 's/cert//;s/\.pem//')

    ln -s "../../archive/$DOMAIN/cert$NUMBER.pem" cert.pem
    ln -s "../../archive/$DOMAIN/chain$NUMBER.pem" chain.pem
    ln -s "../../archive/$DOMAIN/fullchain$NUMBER.pem" fullchain.pem
    ln -s "../../archive/$DOMAIN/privkey$NUMBER.pem" privkey.pem
done

# Restart nginx as well: it was started above while live/ already pointed at
# the new certificate and would otherwise keep serving it before the TLSA
# record for it is visible everywhere.
/etc/init.d/dovecot restart
/etc/init.d/postfix restart
/etc/init.d/nginx restart

# Add the new records next to the old ones; the old ones stay until step 2
{
    echo "ttl 60"
    echo "update add _25._tcp.mx01.d1.tld. IN TLSA 3 0 1 $KEY"
    echo "update add _443._tcp.d1.tld. IN TLSA 3 0 1 $KEY2"
    echo "send"
} > "$NSU"

nsupdate -l "$NSU"
```

Replacing the old certificates requires another script to run a few hours later:

```bash
#!/bin/bash
# Step 2 (a few hours later): switch live/ to the newest certificates, then
# replace the TLSA records so that only the active certificates are listed.

LE=/etc/letsencrypt
NSU=/root/nsupdate_del.txt

for DOMAIN in d1.tld mx01.d1.tld
do
    cd "$LE/live/$DOMAIN" || exit 1   # never run rm -f * in the wrong directory
    rm -f ./*

    # newest certificate in the archive
    FULLPATH=$(ls -tr "$LE/archive/$DOMAIN"/cert*.pem | tail -1)
    CERT=$(basename "$FULLPATH")
    NUMBER=$(echo "$CERT" | sed 's/cert//;s/\.pem//')

    ln -s "../../archive/$DOMAIN/cert$NUMBER.pem" cert.pem
    ln -s "../../archive/$DOMAIN/chain$NUMBER.pem" chain.pem
    ln -s "../../archive/$DOMAIN/fullchain$NUMBER.pem" fullchain.pem
    ln -s "../../archive/$DOMAIN/privkey$NUMBER.pem" privkey.pem
done

# Leaf certificate digest of the now-active certificates (see step 1)
KEY=$(openssl x509 -in "$LE/live/mx01.d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')
KEY2=$(openssl x509 -in "$LE/live/d1.tld/fullchain.pem" -outform DER | openssl sha256 | awk '{print $2}')

# "update delete <name> IN TLSA" removes the whole TLSA RRset (and only TLSA);
# the add in the same transaction publishes the record for the active cert.
{
    echo "ttl 60"
    echo "update delete _25._tcp.mx01.d1.tld. IN TLSA"
    echo "update add _25._tcp.mx01.d1.tld. IN TLSA 3 0 1 $KEY"
    echo "update delete _443._tcp.d1.tld. IN TLSA"
    echo "update add _443._tcp.d1.tld. IN TLSA 3 0 1 $KEY2"
    echo "send"
} > "$NSU"

nsupdate -l "$NSU"

/etc/init.d/dovecot restart
/etc/init.d/postfix restart
/etc/init.d/nginx restart
```

So, are there any suggestions for improvement?
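As an added example (not the poster's scripts), the core of the two-step rollover above in Python: deriving the TLSA 3 0 1 digest from the first certificate of a fullchain.pem (the same thing `openssl x509 | openssl sha256` computes), building the nsupdate batches for both steps, and a check that refuses to activate a certificate whose record is not yet visible in DNS. The certificate bytes and the function names are constructed placeholders for illustration, not real certificates.

```python
import base64
import hashlib
import re

# Constructed stand-in for a Let's Encrypt fullchain.pem: first block leaf,
# second block intermediate. NOT real certificates: TLSA 3 0 1 hashes the
# leaf's DER bytes without parsing them, so placeholder bytes suffice.
LEAF_DER = b"constructed leaf certificate DER (placeholder, not a real cert)"
CHAIN_DER = b"constructed intermediate certificate DER (placeholder)"

def pem_block(der):
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

NEW_FULLCHAIN = pem_block(LEAF_DER) + pem_block(CHAIN_DER)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def tlsa_3_0_1(fullchain_pem):
    """TLSA 3 0 1 (DANE-EE, full certificate, SHA-256) digest of the FIRST
    certificate in the bundle, like `openssl x509 -outform DER | openssl sha256`
    applied to fullchain.pem: openssl x509 ignores the intermediates."""
    m = PEM_RE.search(fullchain_pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return sha256_hex(base64.b64decode("".join(m.group(1).split())))

def nsupdate_batch(name, new_hash, old_hash=None, ttl=60):
    """Lines for `nsupdate -l`. Step 1 (old_hash None) only adds the new
    record, so the old and the new certificate both validate while resolvers
    refresh; step 2 deletes just the old RR in the same transaction."""
    lines = [f"ttl {ttl}"]
    if old_hash is not None:
        lines.append(f"update delete {name} IN TLSA 3 0 1 {old_hash}")
    lines.append(f"update add {name} IN TLSA 3 0 1 {new_hash}")
    lines.append("send")
    return lines

def safe_to_activate(published_hashes, new_hash):
    """Only swap live/ to the new certificate once its digest is visible in
    the TLSA RRset (e.g. the digests returned by dig TLSA _25._tcp.mx01.d1.tld)."""
    return new_hash.lower() in {h.lower() for h in published_hashes}
```

Deleting the specific old RR (rather than the whole name) and checking `safe_to_activate` against what public resolvers actually return closes the window in which a validating MTA sees a certificate without a matching TLSA record.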