From: Jean-Marc Pigeon (Delson)
Date: Tue, 22 Jul 2025 14:42:17 +0000 (-0400)
Subject: Adding do_dns_tlsa.sh
X-Git-Tag: tag-0.14~37
X-Git-Url: https://jmp-git.ovh.safe.ca/?a=commitdiff_plain;h=eee7fe50a33e161cdbee451be48bcb3893e51a4f;p=jmp%2Fmailleur
Adding do_dns_tlsa.sh
---
diff --git a/conf/mailleur.conf b/conf/mailleur.conf
index 78565a5..8bdd026 100644
--- a/conf/mailleur.conf
+++ b/conf/mailleur.conf
@@ -39,7 +39,7 @@ CA_KEY_SRV="/etc/pki/mailleur/mailleur-key.pem"
 CA_VERIFY_SRV=0 #to check PEER/client remote certificate
 #------------------------------------------------
 #Defining CLIENT mode Certificate data
-CA_ROOT_SRV="/etc/pki/tls/make-ca/ca-bundle.crt"
+CA_ROOT_CLT="/etc/pki/tls/make-ca/ca-bundle.crt"
 CA_CERT_CLT="/etc/pki/mailleur/mailleur-cert.pem"
 CA_KEY_CLT="/etc/pki/mailleur/mailleur-key.pem"
 CA_VERIFY_CLT=0 #to check PEER/server remote certificate
diff --git a/support/do_dns_tlsa.sh b/support/do_dns_tlsa.sh
new file mode 100644
index 0000000..38b2f05
--- /dev/null
+++ b/support/do_dns_tlsa.sh
@@ -0,0 +1,61 @@
+#! /usr/bin/bash
+#-------------------------------------------------------------------
+#procedure to generate a lets encrypt certificate with a contanst
+#public/private key
+#-------------------------------------------------------------------
+#comment in if working in production
+DRY_RUN="--dry-run"
+#-------------------------------------------------------------------
+WRKDIR=/tmp
+MRKR=`date +"%F"`
+
+(
+#Set working directory
+cd $WRKDIR
+mkdir -p data
+
+#Generate an Elliptic Curve Digital Signature Algorithm
+openssl ecparam \
+ -out ./data/ec_key.pem \
+ -genkey \
+ -name prime256v1
+
+#generate a config file
+cat > ./data/cnffile << EOT
+[req]
+distinguished_name=req_dn
+[req_dn]
+commonName=`uname -n`
+[SAN]
+subjectAltName=DNS:`uname -n`
+EOT
+
+#Generate the CSR request
+openssl req \
+ -config ./data/cnffile \
+ -outform PEM \
+ -new \
+ -nodes \
+ -subj '/' \
+ -reqexts SAN \
+ -out ./data/request.csr \
+ -keyout ./data/privkey.pem \
+ -key ./data/ec_key.pem
+
+
+#Request certificate (with a steady key) via cerbot
+#Note" this is done in dry-run mode (remove it to
+#pass in production mode)
+ls -ails ./data/request.csr
+certbot certonly \
+ --apache \
+ --csr ./data/request.csr \
+ --fullchain-path ./data/$MRKR-fullchain.pem \
+ --chain-path ./data/$MRKR-chain.pem \
+ --cert-path ./data/$MRKR-cert.pem \
+ --work-dir ./data \
+ --logs-dir ./data \
+ --config-dir ./data \
+ $DRY_RUN
+
+)
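Review bot: The long-lived private key lands in `/tmp/data/ec_key.pem` with whatever umask the caller has, in a shared directory where `mkdir -p data` also accepts a pre-existing `/tmp/data` owned by someone else, and `cd $WRKDIR` is neither quoted nor checked, so a failed cd silently drops the key and certificates into the current directory. Add `set -eu`, `umask 077` and `cd "$WRKDIR" || exit 1` at the top of the subshell (or point WRKDIR at a `mktemp -d` or a root-owned directory) so an openssl or cd failure stops the run before certbot is invoked and the key is never created world-readable. `-keyout ./data/privkey.pem` alongside `-key ./data/ec_key.pem` is at best redundant and, on recent OpenSSL releases, appears to write a second unencrypted copy of the same key, so it can be dropped. `ls -ails ./data/request.csr` looks like a debugging leftover. The header comments have typos (`contanst`, `cerbot`, `#Note"`), and `#comment in if working in production` presumably means "comment out".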