florian/tlsa
1
0
Fork 0
Code Releases Activity

No longer restart services & copy certs around.

Browse Source 
Signal need to do so via exit code like acme-client.
This commit is contained in:
Florian Obser 2017-04-28 10:25:22 +02:00
parent 1630703c56
commit e3a86b476b
1 changed files with 13 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
tlsaroll
View File

@ -20,7 +20,6 @@ use autodie;
use Data::Dumper; use Data::Dumper;
use Digest::SHA; use Digest::SHA;
use File::Copy;
use Getopt::Long; use Getopt::Long;
use MIME::Base64; use MIME::Base64;
use Net::DNS; use Net::DNS;
@ -37,9 +36,9 @@ my $port = 53;
my $ttl = 3600; my $ttl = 3600;
my $help = 0; my $help = 0;
my $tsigalgo = 'hmac-sha256'; my $tsigalgo = 'hmac-sha256';
my $serviceaction = 'reload'; my $exit_code = 1;
my ($current_cert, $new_cert, $tsigname, $tsigkey, $server, $verbose, $tsig); my ($current_cert, $new_cert, $tsigname, $tsigkey, $server, $verbose, $tsig);
my ($service, $domain, $dnsname, $state_file); my ($domain, $dnsname, $state_file);
my ($current_cert_tlsa, $new_cert_tlsa, $state, $update, $wait_until, $now); my ($current_cert_tlsa, $new_cert_tlsa, $state, $update, $wait_until, $now);
GetOptions("help|?" => \$help, GetOptions("help|?" => \$help,
@ -51,9 +50,7 @@ GetOptions("help|?" => \$help,
"tsigkey=s" => \$tsigkey, "tsigkey=s" => \$tsigkey,
"tsigalgo=s" => \$tsigalgo, "tsigalgo=s" => \$tsigalgo,
"domain=s" => \$domain, "domain=s" => \$domain,
"dnsname=s" => \$dnsname, "dnsname=s" => \$dnsname)
"service=s" => \$service,
"serviceaction=s" => \$serviceaction)
or die("Error in command line arguments\n"); or die("Error in command line arguments\n");
pod2usage(1) if ($help or scalar(@ARGV) != 2); pod2usage(1) if ($help or scalar(@ARGV) != 2);
@ -75,11 +72,6 @@ if (!defined $dnsname) {
pod2usage(1); pod2usage(1);
} }
if (!defined $service) {
say STDERR "service to restart missing.";
pod2usage(1);
}
$state_file = STATE_DIR.$dnsname; $state_file = STATE_DIR.$dnsname;
$current_cert_tlsa = gen_tlsa($dnsname, $current_cert); $current_cert_tlsa = gen_tlsa($dnsname, $current_cert);
@ -101,17 +93,19 @@ say($state->{'state'}, "\n", ('-' x length($state->{'state'})), "\n\t",
if ($state->{state} eq 'OK') { if ($state->{state} eq 'OK') {
# nothing to do # nothing to do
unlink $state_file if (-f $state_file); unlink $state_file if (-f $state_file);
exit(0); $exit_code = 2;
} elsif ($state->{state} eq 'NXDOMAIN') { } elsif ($state->{state} eq 'NXDOMAIN') {
# no TLSA record what so ever, add record for current cert # no TLSA record what so ever, add record for current cert
unlink $state_file if (-f $state_file); unlink $state_file if (-f $state_file);
$update = new Net::DNS::Update($domain); $update = new Net::DNS::Update($domain);
$update->push(update => rr_add($current_cert_tlsa->string)); $update->push(update => rr_add($current_cert_tlsa->string));
$exit_code = 0;
} elsif ($state->{state} eq 'NEED2ND') { } elsif ($state->{state} eq 'NEED2ND') {
# we generated a new cert, add tlsa record # we generated a new cert, add tlsa record
unlink $state_file if (-f $state_file); unlink $state_file if (-f $state_file);
$update = new Net::DNS::Update($domain); $update = new Net::DNS::Update($domain);
$update->push(update => rr_add($new_cert_tlsa->string)); $update->push(update => rr_add($new_cert_tlsa->string));
$exit_code = 2;
} elsif ($state->{state} eq '2TLSA') { } elsif ($state->{state} eq '2TLSA') {
$now = time(); $now = time();
$wait_until = get_wait_until($server, $port, $domain, $dnsname, $wait_until = get_wait_until($server, $port, $domain, $dnsname,
@ -119,23 +113,22 @@ if ($state->{state} eq 'OK') {
if (defined $wait_until) { if (defined $wait_until) {
if ($wait_until > $now) { if ($wait_until > $now) {
say 'need to wait until '.localtime($wait_until) if ($verbose); say 'need to wait until '.localtime($wait_until) if ($verbose);
exit(0); $exit_code = 2;
} else { } else {
copy($new_cert, $current_cert);
system '/usr/sbin/rcctl', $serviceaction, $service;
$update = new Net::DNS::Update($domain); $update = new Net::DNS::Update($domain);
$update->push(update => rr_del($current_cert_tlsa->string)); $update->push(update => rr_del($current_cert_tlsa->string));
unlink $state_file if (-f $state_file); unlink $state_file if (-f $state_file);
$exit_code = 0;
} }
} else { } else {
say $state->{state},': not yet propagated to auths, wait' say $state->{state},': not yet propagated to auths, wait'
if ($verbose); if ($verbose);
exit(0); $exit_code = 2;
} }
} else { } else {
say STDERR "don't know how to handle ", '"', $state->{state}, '" ', say STDERR "don't know how to handle ", '"', $state->{state}, '" ',
'("', $state->{msg}, '")'; '("', $state->{msg}, '")';
exit(1); $exit_code=1;
} }
if ($update && defined $tsigname && defined $tsigkey) { if ($update && defined $tsigname && defined $tsigkey) {
@ -146,6 +139,9 @@ if ($update && defined $tsigname && defined $tsigkey) {
handle_update($server, $port, $domain, $update) if (defined $update); handle_update($server, $port, $domain, $update) if (defined $update);
say "exit: ", $exit_code;
exit($exit_code);
sub handle_update { sub handle_update {
my ($server, $port, $domain, $update) = @_; my ($server, $port, $domain, $update) = @_;
my ($resolver, $reply); my ($resolver, $reply);
@ -338,8 +334,6 @@ tlsaroll [options] currentcert newcert
-tsigalgo tsig algorithm -tsigalgo tsig algorithm
-domain DNS domain -domain DNS domain
-dnsname DNS name for TLSA record -dnsname DNS name for TLSA record
-service service to restart or reload
-serviceaction rrctl action
=head1 OPTIONS =head1 OPTIONS