Automatically add TLSA records with letsencrypt updates





Last Modified: Feb 5, 2020, 11:02 pm

NOTE

This guide is incomplete: the SMTP checks are still failing.
If you must use it, apply it to port 443 only and comment out the _25._tcp lines for now.

This guide assumes you've already got DNSSEC up and running on your domain.

The first step is to set up a script that will actually generate the records and add them to your zone.
Create the script here (not directly called by DA):

/usr/local/directadmin/scripts/custom/set_tlsa.sh

with code

#!/bin/sh
# Publish a DANE-TA (usage 2) TLSA record for the Let's Encrypt intermediate CA
# in the given domain's zone, via the DirectAdmin task queue.

DOMAIN=$1
TQ=/usr/local/directadmin/data/task.queue
DTQ=/usr/local/directadmin/dataskq

if [ "${DOMAIN}" = "" ] || [ ! -d "/etc/virtual/${DOMAIN}" ]; then
       echo "${DOMAIN} is not a valid domain";
       exit 1;
fi

# Intermediate certificate to pin (older chains kept for reference)
#F=lets-encrypt-x2-cross-signed.pem
#F=lets-encrypt-x1-cross-signed.pem
F=lets-encrypt-x3-cross-signed.pem
TMP=$(mktemp -d) || exit 1
if ! wget -q -O "${TMP}/${F}" "https://letsencrypt.org/certs/${F}"; then
       echo "failed to download ${F}";
       rm -rf "${TMP}";
       exit 1;
fi
# TLSA rdata: usage 2 (DANE-TA), selector 0 (full certificate), matching type 1 (SHA-256 of the DER)
V=$(openssl x509 -in "${TMP}/${F}" -outform DER | openssl dgst -sha256 -hex | awk '{print "2 0 1", $NF}')
rm -rf "${TMP}"

echo "Value is: ${V}"

#clear the old le-ca
echo "action=dns&do=delete&domain=${DOMAIN}&type=CNAME&name=_443._tcp&value=*" >> ${TQ}.cb;
echo "action=dns&do=delete&domain=${DOMAIN}&type=CNAME&name=_25._tcp.mail&value=*" >> ${TQ}.cb;
echo "action=dns&do=delete&domain=${DOMAIN}&type=TLSA&name=le-ca&value=*" >> ${TQ}.cb; ${DTQ} --custombuild

#add the new one
echo "action=dns&do=add&domain=${DOMAIN}&type=TLSA&name=le-ca&value=${V}" >> ${TQ}

#point the service names at the shared le-ca record
echo "action=dns&do=add&domain=${DOMAIN}&type=CNAME&name=_443._tcp&value=le-ca" >> ${TQ}
echo "action=dns&do=add&domain=${DOMAIN}&type=CNAME&name=_25._tcp.mail&value=le-ca" >> ${TQ}

echo 'action=named&value=reload' >> ${TQ}

exit 0;

and make the script executable (chmod 755).

Next, create this custom script to call it, triggered by any LE update:

/usr/local/directadmin/scripts/custom/letsencrypt_post.sh

with the following code:

#!/bin/sh
# DirectAdmin passes the domain that was just issued/renewed in the $domain environment variable.
/usr/local/directadmin/scripts/custom/set_tlsa.sh "$domain"
exit 0;

and make this script executable (chmod 755).

This will set the TLSA records on *all* domains that use Let's Encrypt, so be sure they *all* have DNSSEC enabled before setting this up.
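As an added check (not part of this guide or of DirectAdmin), the following Python computes the same "2 0 1" TLSA value from a PEM file and compares it against a record already published in DNS, so you can confirm that what set_tlsa.sh published matches the intermediate your server actually serves. The PEM body is constructed for the example and is not a real certificate; for a live check, feed it the intermediate from openssl s_client -showcerts and the rdata from dig.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM file: the body is arbitrary bytes, not a real
# certificate, so the example runs offline. The hashing logic is the same as
# for the real intermediate that set_tlsa.sh downloads.
SAMPLE_BODY = b"constructed for this example, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_BODY).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_rdata(der: bytes, usage: int = 2, selector: int = 0, mtype: int = 1) -> str:
    """Build TLSA presentation data; the defaults give the '2 0 1 <sha256>'
    form that set_tlsa.sh produces with openssl and awk."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented here")
    if mtype == 0:          # full DER, no hashing
        assoc = der.hex()
    elif mtype == 1:        # SHA-256 of the DER
        assoc = hashlib.sha256(der).hexdigest()
    elif mtype == 2:        # SHA-512 of the DER
        assoc = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc}"


def tlsa_matches(published: str, der: bytes) -> bool:
    """Compare published TLSA rdata (e.g. the output of
    'dig +short TLSA _443._tcp.example.com') against a certificate."""
    usage, selector, mtype, assoc = published.split(None, 3)
    expected = tlsa_rdata(der, int(usage), int(selector), int(mtype))
    # dig may print long hex broken into space-separated groups; normalise it
    return expected.split()[3] == "".join(assoc.split()).lower()
```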

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST