Added 211 record for 311+211, but flush and reset TLSA is a bit bruteforce-y

Signed-off-by: Louis Vallat <louis@louis-vallat.xyz>

Dockerfile

@@ -10,6 +10,8 @@ FROM debian:stable-slim
 
 RUN apt update && apt install -y ca-certificates openssl && rm -rf /var/lib/apt/lists/*
 
+ADD https://letsencrypt.org/certs/isrgrootx1.pem /root/issuer.pem
+
 COPY --from=builder /root/target/release/tlsa /root/tlsa
 
 CMD ["/root/tlsa"]

src/main.rs

@@ -2,7 +2,7 @@ use hyper_tls::HttpsConnector;
 use hyper::{Client, client::HttpConnector};
 use walkdir::WalkDir;
 use crate::{
-    utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate},
+    utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate, get_hash_from_cert},
     records::{get_all_records_from_zone, flush_tlsa_record_for_subdomain}};
 use publicsuffix::List;
 use notify::{Watcher, RecursiveMode, RawEvent, raw_watcher, Op};
@@ -12,7 +12,7 @@ mod utils;
 mod records;
 
 async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List,
-                                      ovh_client: &OVHClient,
+                                      ovh_client: &OVHClient, issuer_hash: &str,
                                       client: &Client<HttpsConnector<HttpConnector>>) {
     let interesting_records = vec!["A", "AAAA", "MX", "CNAME"];
     for entry in WalkDir::new(base_cert_dir).into_iter().filter_map(|e| e.ok()) {
@@ -30,14 +30,14 @@ async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List,
             println!();
             continue;
         }
-        compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, list).await;
+        compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, issuer_hash, list).await;
         println!();
     }
 }
 
 async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List,
                       client: &Client<HttpsConnector<HttpConnector>>,
-                      rx: &Receiver<RawEvent>) {
+                      rx: &Receiver<RawEvent>, issuer_hash: &str) {
     loop {
         match rx.recv() {
            Ok(RawEvent{path: Some(path), op: Ok(op), cookie: _c}) => {
@@ -45,7 +45,7 @@ async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List,
                     || (op != Op::CLOSE_WRITE && op != Op::REMOVE) { continue; }
                 if op == Op::CLOSE_WRITE {
                     println!("Certificate '{}' modified or created. Updating.", path.display());
-                    compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, list).await;
+                    compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, issuer_hash, list).await;
                 }
                 if op == Op::REMOVE {
                     println!("Certificate '{}' deleted. Flushing.", path.display());
@@ -69,6 +69,7 @@ async fn main() {
     let list = List::fetch().unwrap();
 
     let base_cert_dir = "/etc/nginx/certs/";
+    let issuer_hash = get_hash_from_cert("./issuer.pem");
     let mut ovh_client = OVHClient {
         app_key: env::var("OVH_APP_KEY")
             .expect("Missing key value 'OVH_APP_KEY'."),
@@ -89,9 +90,9 @@ async fn main() {
     println!("Starting initialization procedure.");
 
     scan_and_update_whole_folder(base_cert_dir, &list, &ovh_client,
-                                 &client).await;
+                                 issuer_hash.as_str(), &client).await;
 
     println!("Initializing sequence finished. Entering sentinel mode.");
-    watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx).await;
+    watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx, issuer_hash.as_str()).await;
 }
 

src/records.rs

@@ -118,30 +118,23 @@ pub async fn flush_tlsa_record_for_subdomain(ovh_client: &OVHClient,
 
 pub async fn update_tlsa_for_subdomain(ovh_client: &OVHClient,
                                        client: &Client<HttpsConnector<HttpConnector>>,
-                                       zone: &str, subdomain: &str, hash: &str, port: u32, protocol: &str) {
+                                       zone: &str, subdomain: &str, hash: &str,
-    let mut tlsa = get_records_from_zone(ovh_client, client, zone, "TLSA",
+                                       issuer_hash: &str, port: u32, protocol: &str) {
-                                        get_tlsa_subdomain(subdomain, port, protocol)
+    flush_tlsa_record_for_subdomain(ovh_client, client, zone, subdomain).await;
-                                        .as_str()).await;
+    add_record_to_zone(ovh_client, client, zone, &Record {
-    if tlsa.is_empty() {
+        sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
-        add_record_to_zone(ovh_client, client, zone, &Record {
+        target: format!("3 1 1 {}", hash).to_string(),
-            sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
+        field_type: "TLSA".to_string(),
-            target: format!("3 1 1 {}", hash).to_string(),
+        ttl: 0,
-            field_type: "TLSA".to_string(),
+        id: 0
-            ttl: 60,
+    }).await;
-            id: 0
+    add_record_to_zone(ovh_client, client, zone, &Record {
-        }).await;
+        sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
-    } else {
+        target: format!("2 1 1 {}", issuer_hash).to_string(),
-        let (mut first, others) = tlsa.split_first_mut().unwrap();
+        field_type: "TLSA".to_string(),
-        let target = format!("3 1 1 {}", hash).to_string();
+        ttl: 0,
-        if first.target != target || first.ttl != 60 {
+        id: 0
-            first.target = target;
+    }).await;
-            first.ttl = 60;
-            update_record_in_zone(ovh_client, client, zone, first).await;
-        }
-        for record in others {
-            delete_record_from_zone(ovh_client, client, zone, record.id).await;
-        }
-    }
     refresh_zone(ovh_client, client, zone).await;
 }
 

src/utils.rs

@@ -79,7 +79,7 @@ pub fn get_tlsa_subdomain(subdomain: &str, port: u32, protocol: &str) -> String
 
 pub async fn compute_certificate(ovh_client: &OVHClient,
                                  client: &Client<HttpsConnector<HttpConnector>>,
-                                 path: &Path, base_cert_dir: &str, list: &List) {
+                                 path: &Path, base_cert_dir: &str, issuer_hash: &str, list: &List) {
     let (subdomain, zone, domain) = get_subdomain_zone_domain_from_pem(path, base_cert_dir, list);
     let (subdomain, zone, domain) = (subdomain.as_str(), zone.as_str(), domain.as_str());
     let records = get_all_records_from_zone(&ovh_client, &client, zone, subdomain).await;
@@ -88,11 +88,11 @@ pub async fn compute_certificate(ovh_client: &OVHClient,
                           || r.field_type == "CNAME") {
         println!("\tDomain '{}' is associated with website. Updating.", domain);
         update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain,
-                                  hash.as_str(), 443, "tcp").await;
+                                  hash.as_str(), issuer_hash, 443, "tcp").await;
     }
     if records.iter().any(|r| r.field_type == "MX" && r.sub_domain == subdomain) {
         println!("\tDomain '{}' is associated with mail. Updating.", domain);
         update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain,
-                                  hash.as_str(), 25, "tcp").await;
+                                  hash.as_str(), issuer_hash, 25, "tcp").await;
     }
 }