forked from FlippingBinary/lets-encrypt-tlsa
-
Notifications
You must be signed in to change notification settings - Fork 0
/
letsencrypt-hash
70 lines (63 loc) · 2.33 KB
/
letsencrypt-hash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/usr/bin/env bash
##
## letsencrypt-hash
##
## This script hashes a TLS certificate and produces a valid TLSA record.
##
## Source: https://flippingbinary.com
##
## Copyright 2017 Jonathan Musselwhite
##
## Permission is hereby granted, free of charge, to any person obtaining a copy
## of this software and associated documentation files (the "Software"), to
## deal in the Software without restriction, including without limitation the
## rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
## sell copies of the Software, and to permit persons to whom the Software is
## furnished to do so, subject to the following conditions:
##
## The above copyright notice and this permission notice shall be included in
## all copies or substantial portions of the Software.
##
## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
## IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
## AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
## LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
## OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
## THE SOFTWARE.
##
###
###### CHECK SETTINGS ######
MAIN_DIR=/etc/ssl/letsencrypt
###### CHECK SETTINGS ######
[ -f /etc/default/letsencrypt-tlsa ] && . /etc/default/letsencrypt-tlsa
if [ "$#" -lt 1 ]
then
echo "Usage: $0 domain" >&2
echo " domain MUST be the first listed domain" >&2
echo " additional arguments (such as alternate domains) are ignored" >&2
exit 1
fi
COMMON_NAME="$1"
ARCHIVE_DIR=${MAIN_DIR}/archive/${COMMON_NAME}
# Find the latest certificate. This will fail if le-request has not yet run.
unset -v latest
for file in "${ARCHIVE_DIR}"/cert-*.pem; do
[[ $file -nt $latest ]] && latest=$file
done
if [ ! -f "${latest}" ]
then
echo "Error: Couldn't find a certificate to hash!" >&2
echo " Cannot generate TLSA record!" >&2
exit 1
fi
# Hash the certificate
HASH=$(openssl x509 -in ${latest} -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha256 -binary |
hexdump -ve '/1 "%02x"')
# Print out an example TLSA record for each listed domain
for x in "$@"
do
echo " _443._tcp.${x}. IN TLSA 3 1 1 ${HASH}"
done