Add letsencrypt-tlsa.sh

oh2fih · oh2fih · commit 4e5db3a93893 · 2024-07-23T16:20:30.000+03:00
diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@ Miscellaneous scripts for different purposes. Mostly unrelated to each other.
 | Category | Script & Language | Purpose & Usage |
 |:---|:---|:---|
 | Automation | [`find-inactive-ssh-sessions.sh`](bin/find-inactive-ssh-sessions.sh) <br> Shell (bash) | Find inactive (idle) SSH sessions or kill (`-k`) them.<br>`find-inactive-ssh-sessions.sh [-k] [-i seconds] [-s]`<br>Could be used as a [workaround](https://serverfault.com/a/1162840/274176) for OpenSSH < 9.2 that did not have the [sshd_config(5)](https://man.openbsd.org/sshd_config) keywords `ChannelTimeout` & `UnusedConnectionTimeout`.|
+| DNS <br> DANE | [`letsencrypt-tlsa.sh`](bin/letsencrypt-tlsa.sh) <br> Shell (bash) | Create TLSA records from the current & backup Let's Encrypt Intermediate CAs. |
 | Email | [`mail-prepender.sh`](bin/mail-prepender.sh) <br> Shell (bash) | Prepends (to stdin/stdout) email header strings given in as flags `i`, `I`, `a`, or `A`; after possible mbox `From` & `Return-Path` header lines. Intended as a limited `formail` replacement that ignores the nyanses of the flags and simply prepends the valid (RFC 5322, 2.2) non-empty headers keeping the other headers as is. Flags `x` & `X` are implemented. Any other flags are ignored. |
 | Git | [`git-find-commits-by-file-hash.sh`](bin/git-find-commits-by-file-hash.sh) <br> Shell (bash) | Search Git repository history for commits with SHA-256 checksum of a file. Answers the question "Has this version of this file ever been committed as the file on this path of this Git repository?" and shows a summary (`git show --stat`) of the matching commit(s). The `path` should be relative to the repository root. <br> `git-find-commits-by-file-hash.sh sha256sum path`|
 | Infosec | [`netcat-proxy.sh`](bin/netcat-proxy.sh) <br> Shell (sh) | Creates a simple persistent TCP proxy with netcat & named pipes. <br> `netcat-proxy.sh listenport targethost targetport` |
diff --git a/bin/letsencrypt-tlsa.sh b/bin/letsencrypt-tlsa.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# ------------------------------------------------------------------------------
+# Create TLSA records from the current & backup Let's Encrypt Intermediate CAs
+#
+# Author : Esa Jokinen (oh2fih)
+# Home   : https://github.com/oh2fih/Misc-Scripts
+# ------------------------------------------------------------------------------
+
+SOURCE="/certificates/"
+BASE_URL="https://letsencrypt.org"
+
+# Check for requirements. Print all unmet requirements at once.
+
+required_command() {
+  if ! command -v "$1" &> /dev/null; then
+    if [ -z ${2+x} ]; then
+      echo -e "\033[0;31mThis script requires ${1}!\033[0m" >&2
+    else
+      echo -e "\033[0;31mThis script requires ${1} ${2}!\033[0m" >&2
+    fi
+    ((UNMET=UNMET+1))
+  fi
+}
+
+UNMET=0
+
+required_command "openssl" "for creating TLSA records"
+required_command "curl" "for fetching data"
+required_command "grep"
+required_command "sed"
+required_command "awk"
+
+if [ "$UNMET" -gt 0 ]; then
+  exit 1
+fi
+
+# Get URLs for the Subordinate (Intermediate) CAs, including backups
+
+INTERMEDIATE_PATHS=$(
+  curl --silent "${BASE_URL}${SOURCE}" \
+    | sed '/subordinate-intermediate-cas/d' \
+    | sed '/.summary.Retired..summary./q' \
+    | grep -oE "/certs/[0-9]+/[0-9a-zA-Z]+(-cross)?.pem"
+)
+
+if [ "$INTERMEDIATE_PATHS" = "" ]; then
+  echo "Failed to fetch certificate list from ${BASE_URL}${SOURCE}" >&2
+  exit 1
+fi
+
+# Create TLSA records
+
+while IFS= read -r path ; do
+  echo "[${BASE_URL}${path}]" >&2
+  PEM=$(curl --silent "${BASE_URL}${path}")
+  if [[ "$PEM" =~ ^[-]+BEGIN[[:space:]]CERTIFICATE[-]+ ]]; then
+    echo "$PEM" \
+    | openssl x509 -outform DER \
+    | openssl dgst -sha256 -hex \
+    | awk '{print "le-ca TLSA 2 1 1", $NF}'
+  fi
+
+done <<< "$INTERMEDIATE_PATHS"
