diff --git a/Dockerfile b/Dockerfile index 218864e..2bcdc7d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,6 +10,8 @@ FROM debian:stable-slim RUN apt update && apt install -y ca-certificates openssl && rm -rf /var/lib/apt/lists/* +ADD https://letsencrypt.org/certs/isrgrootx1.pem /root/issuer.pem + COPY --from=builder /root/target/release/tlsa /root/tlsa CMD ["/root/tlsa"] diff --git a/src/main.rs b/src/main.rs index 3c3c8b0..7d1813b 100644 --- a/src/main.rs +++ b/src/main.rs @@ -2,7 +2,7 @@ use hyper_tls::HttpsConnector; use hyper::{Client, client::HttpConnector}; use walkdir::WalkDir; use crate::{ - utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate}, + utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate, get_hash_from_cert}, records::{get_all_records_from_zone, flush_tlsa_record_for_subdomain}}; use publicsuffix::List; use notify::{Watcher, RecursiveMode, RawEvent, raw_watcher, Op}; @@ -12,7 +12,7 @@ mod utils; mod records; async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List, - ovh_client: &OVHClient, + ovh_client: &OVHClient, issuer_hash: &str, client: &Client>) { let interesting_records = vec!["A", "AAAA", "MX", "CNAME"]; for entry in WalkDir::new(base_cert_dir).into_iter().filter_map(|e| e.ok()) { @@ -30,14 +30,14 @@ async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List, println!(); continue; } - compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, list).await; + compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, issuer_hash, list).await; println!(); } } async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List, client: &Client>, - rx: &Receiver) { + rx: &Receiver, issuer_hash: &str) { loop { match rx.recv() { Ok(RawEvent{path: Some(path), op: Ok(op), cookie: _c}) => { @@ -45,7 +45,7 @@ async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List, || (op != Op::CLOSE_WRITE && op != Op::REMOVE) { continue; } if op == Op::CLOSE_WRITE { println!("Certificate '{}' modified or created. Updating.", path.display()); - compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, list).await; + compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, issuer_hash, list).await; } if op == Op::REMOVE { println!("Certificate '{}' deleted. Flushing.", path.display()); @@ -69,6 +69,7 @@ async fn main() { let list = List::fetch().unwrap(); let base_cert_dir = "/etc/nginx/certs/"; + let issuer_hash = get_hash_from_cert("./issuer.pem"); let mut ovh_client = OVHClient { app_key: env::var("OVH_APP_KEY") .expect("Missing key value 'OVH_APP_KEY'."), @@ -89,9 +90,9 @@ async fn main() { println!("Starting initialization procedure."); scan_and_update_whole_folder(base_cert_dir, &list, &ovh_client, - &client).await; + issuer_hash.as_str(), &client).await; println!("Initializing sequence finished. Entering sentinel mode."); - watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx).await; + watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx, issuer_hash.as_str()).await; } diff --git a/src/records.rs b/src/records.rs index 176ebb1..33819b2 100644 --- a/src/records.rs +++ b/src/records.rs @@ -118,30 +118,23 @@ pub async fn flush_tlsa_record_for_subdomain(ovh_client: &OVHClient, pub async fn update_tlsa_for_subdomain(ovh_client: &OVHClient, client: &Client>, - zone: &str, subdomain: &str, hash: &str, port: u32, protocol: &str) { - let mut tlsa = get_records_from_zone(ovh_client, client, zone, "TLSA", - get_tlsa_subdomain(subdomain, port, protocol) - .as_str()).await; - if tlsa.is_empty() { - add_record_to_zone(ovh_client, client, zone, &Record { - sub_domain: get_tlsa_subdomain(subdomain, port, protocol), - target: format!("3 1 1 {}", hash).to_string(), - field_type: "TLSA".to_string(), - ttl: 60, - id: 0 - }).await; - } else { - let (mut first, others) = tlsa.split_first_mut().unwrap(); - let target = format!("3 1 1 {}", hash).to_string(); - if first.target != target || first.ttl != 60 { - first.target = target; - first.ttl = 60; - update_record_in_zone(ovh_client, client, zone, first).await; - } - for record in others { - delete_record_from_zone(ovh_client, client, zone, record.id).await; - } - } + zone: &str, subdomain: &str, hash: &str, + issuer_hash: &str, port: u32, protocol: &str) { + flush_tlsa_record_for_subdomain(ovh_client, client, zone, subdomain).await; + add_record_to_zone(ovh_client, client, zone, &Record { + sub_domain: get_tlsa_subdomain(subdomain, port, protocol), + target: format!("3 1 1 {}", hash).to_string(), + field_type: "TLSA".to_string(), + ttl: 0, + id: 0 + }).await; + add_record_to_zone(ovh_client, client, zone, &Record { + sub_domain: get_tlsa_subdomain(subdomain, port, protocol), + target: format!("2 1 1 {}", issuer_hash).to_string(), + field_type: "TLSA".to_string(), + ttl: 0, + id: 0 + }).await; refresh_zone(ovh_client, client, zone).await; } diff --git a/src/utils.rs b/src/utils.rs index 21b693e..6cab000 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -79,7 +79,7 @@ pub fn get_tlsa_subdomain(subdomain: &str, port: u32, protocol: &str) -> String pub async fn compute_certificate(ovh_client: &OVHClient, client: &Client>, - path: &Path, base_cert_dir: &str, list: &List) { + path: &Path, base_cert_dir: &str, issuer_hash: &str, list: &List) { let (subdomain, zone, domain) = get_subdomain_zone_domain_from_pem(path, base_cert_dir, list); let (subdomain, zone, domain) = (subdomain.as_str(), zone.as_str(), domain.as_str()); let records = get_all_records_from_zone(&ovh_client, &client, zone, subdomain).await; @@ -88,11 +88,11 @@ pub async fn compute_certificate(ovh_client: &OVHClient, || r.field_type == "CNAME") { println!("\tDomain '{}' is associated with website. Updating.", domain); update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain, - hash.as_str(), 443, "tcp").await; + hash.as_str(), issuer_hash, 443, "tcp").await; } if records.iter().any(|r| r.field_type == "MX" && r.sub_domain == subdomain) { println!("\tDomain '{}' is associated with mail. Updating.", domain); update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain, - hash.as_str(), 25, "tcp").await; + hash.as_str(), issuer_hash, 25, "tcp").await; } }