Add DANE automated cert records

2025-02-08 16:28:49 +00:00 · 2025-02-08 16:28:49 +00:00 · 02a6ad7165
commit 02a6ad7165
parent f6d42dc437
6 changed files with 90 additions and 3 deletions
--- a/redxen.eu/config.mk
+++ b/redxen.eu/config.mk
@ -34,8 +34,14 @@ redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 redxen.eu/data/dns/zone/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 	%/redxen.eu \
 	%/internal \
-	redxen.eu/data/dns/dnssec/${BUILD_ID_OUT} \
-	redxen.eu/data/opendkim/${BUILD_ID_OUT}
+	redxen.eu/data/opendkim/${BUILD_ID_OUT} \
+	redxen.eu/data/dns/dane/${BUILD_ID_OUT} \
+	redxen.eu/data/dns/dnssec/${BUILD_ID_OUT}
+
+redxen.eu/data/dns/dane/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/recordlist \
+	%/gen-record.sh \
+	redxen.eu/data/pki/letsencrypt/${BUILD_ID_OUT}

 # Certificates
 redxen.eu/data/pki/self/client/dovecot/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
--- a/redxen.eu/data/dns/dane/Containerfile
+++ b/redxen.eu/data/dns/dane/Containerfile
@ -0,0 +1,16 @@
+FROM alpine AS preparer
+
+RUN --network=host apk add cmd:xxd cmd:openssl
+
+WORKDIR /root
+ADD recordlist recordlist
+ADD gen-record.sh gen-record.sh
+RUN chmod +x ./gen-record.sh
+
+RUN \
+	--mount=type=bind,from=redxen.eu/data/pki/letsencrypt:latest,src=/,dst=/letsencrypt \
+	< ./recordlist ./gen-record.sh /letsencrypt/cert.cer | tee ./records
+
+FROM scratch
+
+COPY --from=preparer /root/records /redxen.eu
--- a/redxen.eu/data/dns/dane/gen-record.sh
+++ b/redxen.eu/data/dns/dane/gen-record.sh
@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+CERT="$1"
+grep -v '^#' | \
+grep -v '^\s*$' | \
+while read -r RECORD; do
+	SHA256="$(openssl x509 -in "$1" -pubkey -noout | \
+		openssl pkey -pubin -outform der | \
+		openssl dgst -sha256 -binary | \
+		xxd -p -u -c 32)"
+
+	echo "$RECORD TLSA 3 1 1 $SHA256"
+done
--- a/redxen.eu/data/dns/dane/recordlist
+++ b/redxen.eu/data/dns/dane/recordlist
@ -0,0 +1,42 @@
+#
+# HAProxy
+#
+
+_443._tcp
+_443._tcp.stats
+_443._tcp.git
+_443._tcp.sd
+_443._tcp.seed
+_443._tcp.packages
+_443._tcp.cal
+_443._tcp.wssproxy
+
+##
+## SMTP (legacy/well-known with StartTLS)
+##
+#_25._tcp.mail
+#_25._tcp.smtp
+#
+##
+## SMTP (TLS only)
+##
+#_465._tcp.mail
+#_465._tcp.smtp
+#
+##
+## SMTP (StartTLS, non-legacy)
+##
+#_587._tcp.mail
+#_587._tcp.smtp
+#
+##
+## IMAP (legacy)
+##
+#_143._tcp.mail
+#_143._tcp.imap
+#
+##
+## IMAP (TLS)
+##
+#_993._tcp.mail
+#_993._tcp.imap
--- a/redxen.eu/data/dns/zone/Containerfile
+++ b/redxen.eu/data/dns/zone/Containerfile
@ -24,6 +24,11 @@ RUN \
 	--mount=type=bind,from=redxen.eu/data/opendkim:latest,src=/redxen.eu,dst=/tmp/opendkim/redxen.eu \
 	cat /tmp/opendkim/redxen.eu/*.txt | tee -a /tmp/zones/redxen.eu

+# Add DANE records to zone
+RUN \
+	--mount=type=bind,from=redxen.eu/data/dns/dane:latest,src=/,dst=/tmp/dane/ \
+	cat /tmp/dane/redxen.eu | tee -a /tmp/zones/redxen.eu
+
 # Sign zone
 RUN \
 	--mount=type=bind,from=redxen.eu/data/dns/dnssec:latest,src=/redxen.eu,dst=/tmp/keys/redxen.eu \
--- a/redxen.eu/data/pki/letsencrypt/Containerfile
+++ b/redxen.eu/data/pki/letsencrypt/Containerfile
@ -21,13 +21,16 @@ RUN --network=host acme.sh \
 	--stateless \
 		-d 'redxen.eu' \
 		-d 'stats.redxen.eu' \
-		-d 'social.redxen.eu' \
 		-d 'git.redxen.eu' \
 		-d 'sd.redxen.eu' \
 		-d 'seed.redxen.eu' \
 		-d 'packages.redxen.eu' \
 		-d 'cal.redxen.eu' \
 		-d 'wssproxy.redxen.eu'
+#		TODO: Route these via HAProxy to allow easy cert gen
+#		-d 'mail.redxen.eu' \
+#		-d 'smtp.redxen.eu' \
+#		-d 'imap.redxen.eu' \

 FROM scratch