Added 211 record for 311+211, but flush and reset TLSA is a bit bruteforce-y
Signed-off-by: Louis Vallat <louis@louis-vallat.xyz>
This commit is contained in:
parent
366f7d4361
commit
20ed493e31
@ -10,6 +10,8 @@ FROM debian:stable-slim
|
||||
|
||||
RUN apt update && apt install -y ca-certificates openssl && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
ADD https://letsencrypt.org/certs/isrgrootx1.pem /root/issuer.pem
|
||||
|
||||
COPY --from=builder /root/target/release/tlsa /root/tlsa
|
||||
|
||||
CMD ["/root/tlsa"]
|
||||
|
15
src/main.rs
15
src/main.rs
@ -2,7 +2,7 @@ use hyper_tls::HttpsConnector;
|
||||
use hyper::{Client, client::HttpConnector};
|
||||
use walkdir::WalkDir;
|
||||
use crate::{
|
||||
utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate},
|
||||
utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate, get_hash_from_cert},
|
||||
records::{get_all_records_from_zone, flush_tlsa_record_for_subdomain}};
|
||||
use publicsuffix::List;
|
||||
use notify::{Watcher, RecursiveMode, RawEvent, raw_watcher, Op};
|
||||
@ -12,7 +12,7 @@ mod utils;
|
||||
mod records;
|
||||
|
||||
async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List,
|
||||
ovh_client: &OVHClient,
|
||||
ovh_client: &OVHClient, issuer_hash: &str,
|
||||
client: &Client<HttpsConnector<HttpConnector>>) {
|
||||
let interesting_records = vec!["A", "AAAA", "MX", "CNAME"];
|
||||
for entry in WalkDir::new(base_cert_dir).into_iter().filter_map(|e| e.ok()) {
|
||||
@ -30,14 +30,14 @@ async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List,
|
||||
println!();
|
||||
continue;
|
||||
}
|
||||
compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, list).await;
|
||||
compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, issuer_hash, list).await;
|
||||
println!();
|
||||
}
|
||||
}
|
||||
|
||||
async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List,
|
||||
client: &Client<HttpsConnector<HttpConnector>>,
|
||||
rx: &Receiver<RawEvent>) {
|
||||
rx: &Receiver<RawEvent>, issuer_hash: &str) {
|
||||
loop {
|
||||
match rx.recv() {
|
||||
Ok(RawEvent{path: Some(path), op: Ok(op), cookie: _c}) => {
|
||||
@ -45,7 +45,7 @@ async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List,
|
||||
|| (op != Op::CLOSE_WRITE && op != Op::REMOVE) { continue; }
|
||||
if op == Op::CLOSE_WRITE {
|
||||
println!("Certificate '{}' modified or created. Updating.", path.display());
|
||||
compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, list).await;
|
||||
compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, issuer_hash, list).await;
|
||||
}
|
||||
if op == Op::REMOVE {
|
||||
println!("Certificate '{}' deleted. Flushing.", path.display());
|
||||
@ -69,6 +69,7 @@ async fn main() {
|
||||
let list = List::fetch().unwrap();
|
||||
|
||||
let base_cert_dir = "/etc/nginx/certs/";
|
||||
let issuer_hash = get_hash_from_cert("./issuer.pem");
|
||||
let mut ovh_client = OVHClient {
|
||||
app_key: env::var("OVH_APP_KEY")
|
||||
.expect("Missing key value 'OVH_APP_KEY'."),
|
||||
@ -89,9 +90,9 @@ async fn main() {
|
||||
println!("Starting initialization procedure.");
|
||||
|
||||
scan_and_update_whole_folder(base_cert_dir, &list, &ovh_client,
|
||||
&client).await;
|
||||
issuer_hash.as_str(), &client).await;
|
||||
|
||||
println!("Initializing sequence finished. Entering sentinel mode.");
|
||||
watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx).await;
|
||||
watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx, issuer_hash.as_str()).await;
|
||||
}
|
||||
|
||||
|
@ -118,30 +118,23 @@ pub async fn flush_tlsa_record_for_subdomain(ovh_client: &OVHClient,
|
||||
|
||||
pub async fn update_tlsa_for_subdomain(ovh_client: &OVHClient,
|
||||
client: &Client<HttpsConnector<HttpConnector>>,
|
||||
zone: &str, subdomain: &str, hash: &str, port: u32, protocol: &str) {
|
||||
let mut tlsa = get_records_from_zone(ovh_client, client, zone, "TLSA",
|
||||
get_tlsa_subdomain(subdomain, port, protocol)
|
||||
.as_str()).await;
|
||||
if tlsa.is_empty() {
|
||||
zone: &str, subdomain: &str, hash: &str,
|
||||
issuer_hash: &str, port: u32, protocol: &str) {
|
||||
flush_tlsa_record_for_subdomain(ovh_client, client, zone, subdomain).await;
|
||||
add_record_to_zone(ovh_client, client, zone, &Record {
|
||||
sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
|
||||
target: format!("3 1 1 {}", hash).to_string(),
|
||||
field_type: "TLSA".to_string(),
|
||||
ttl: 60,
|
||||
ttl: 0,
|
||||
id: 0
|
||||
}).await;
|
||||
add_record_to_zone(ovh_client, client, zone, &Record {
|
||||
sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
|
||||
target: format!("2 1 1 {}", issuer_hash).to_string(),
|
||||
field_type: "TLSA".to_string(),
|
||||
ttl: 0,
|
||||
id: 0
|
||||
}).await;
|
||||
} else {
|
||||
let (mut first, others) = tlsa.split_first_mut().unwrap();
|
||||
let target = format!("3 1 1 {}", hash).to_string();
|
||||
if first.target != target || first.ttl != 60 {
|
||||
first.target = target;
|
||||
first.ttl = 60;
|
||||
update_record_in_zone(ovh_client, client, zone, first).await;
|
||||
}
|
||||
for record in others {
|
||||
delete_record_from_zone(ovh_client, client, zone, record.id).await;
|
||||
}
|
||||
}
|
||||
refresh_zone(ovh_client, client, zone).await;
|
||||
}
|
||||
|
||||
|
@ -79,7 +79,7 @@ pub fn get_tlsa_subdomain(subdomain: &str, port: u32, protocol: &str) -> String
|
||||
|
||||
pub async fn compute_certificate(ovh_client: &OVHClient,
|
||||
client: &Client<HttpsConnector<HttpConnector>>,
|
||||
path: &Path, base_cert_dir: &str, list: &List) {
|
||||
path: &Path, base_cert_dir: &str, issuer_hash: &str, list: &List) {
|
||||
let (subdomain, zone, domain) = get_subdomain_zone_domain_from_pem(path, base_cert_dir, list);
|
||||
let (subdomain, zone, domain) = (subdomain.as_str(), zone.as_str(), domain.as_str());
|
||||
let records = get_all_records_from_zone(&ovh_client, &client, zone, subdomain).await;
|
||||
@ -88,11 +88,11 @@ pub async fn compute_certificate(ovh_client: &OVHClient,
|
||||
|| r.field_type == "CNAME") {
|
||||
println!("\tDomain '{}' is associated with website. Updating.", domain);
|
||||
update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain,
|
||||
hash.as_str(), 443, "tcp").await;
|
||||
hash.as_str(), issuer_hash, 443, "tcp").await;
|
||||
}
|
||||
if records.iter().any(|r| r.field_type == "MX" && r.sub_domain == subdomain) {
|
||||
println!("\tDomain '{}' is associated with mail. Updating.", domain);
|
||||
update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain,
|
||||
hash.as_str(), 25, "tcp").await;
|
||||
hash.as_str(), issuer_hash, 25, "tcp").await;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user