
Commit 3f8088c

author
Kristan Kenney
committed
Add Let's Encrypt DNS CAA records to domain when requesting certificate
1 parent 9c28d33 commit 3f8088c


2 files changed

+91
-1
lines changed

2 files changed

+91
-1
lines changed

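--- a/bin/v-add-letsencrypt-domain
+++ b/bin/v-add-letsencrypt-domain
@@ -49,7 +49,11 @@ query_le_v2() {
 curl -s -i -d "$post_data" "$1" -H "$content"
 }
 
-
+# Set DNS CAA record retrieval commands
+if [ ! -z "$DNS_SYSTEM" ]; then
+dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
+caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "CAA" | cut -d' ' -f1)
+fi
 
 #----------------------------------------------------------#
 # Verifications #
@@ -122,11 +126,33 @@ if [ "$proto" = "http-01" ]; then
 done
 fi
 
+# Ensure DNS CAA record exists for Let's Encrypt before requesting certificate
+if [ ! -z "$DNS_SYSTEM" ]; then
+# Check for DNS zone
+if [ "$dns_domain" = "$domain" ]; then
+# Replace DNS domain CAA records with Let's Encrypt values
+if [ -z "$caa_record" ]; then
+$BIN/v-add-dns-record $user $domain '@' 'CAA' 'issue 0 "letsencrypt.org"'
+else
+$BIN/v-delete-dns-record $user $domain $caa_record
+$BIN/v-add-dns-record $user $domain '@' 'CAA' 'issue 0 "letsencrypt.org"'
+fi
+fi
+fi
+
 # Requesting nonce / STEP 1
 answer=$(curl -s -I "$LE_API/directory")
 nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
 status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
 if [[ "$status" -ne 200 ]]; then
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
 check_result $E_CONNECT "Let's Encrypt nonce request status $status"
 fi
 
@@ -147,6 +173,14 @@ authz=$(echo "$answer" |grep "acme/authz" |cut -f2 -d '"')
 finalize=$(echo "$answer" |grep 'finalize":' |cut -f4 -d '"')
 status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
 if [[ "$status" -ne 201 ]]; then
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
 check_result $E_CONNECT "Let's Encrypt new auth status $status"
 fi
 
@@ -159,6 +193,17 @@ for auth in $authz; do
 nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
 status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
 if [[ "$status" -ne 200 ]]; then
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
+caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
+
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
 check_result $E_CONNECT "Let's Encrypt acme/authz bad status $status"
 fi
 
@@ -232,16 +277,49 @@ for auth in $authz; do
 nonce=$(echo "$answer" |grep Nonce |cut -f2 -d \ |tr -d '\r\n')
 status=$(echo "$answer"|grep HTTP/1.1 |tail -n1 |cut -f 2 -d ' ')
 if [[ "$status" -ne 200 ]]; then
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
+caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
+
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
 check_result $E_CONNECT "Let's Encrypt validation status $status"
 fi
 
 i=$((i + 1))
 if [ "$i" -gt 10 ]; then
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
+caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
+
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
 check_result $E_CONNECT "Let's Encrypt domain validation timeout"
 fi
 sleep 1
 done
 if [ "$validation" = 'invalid' ]; then
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
+caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
+
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
 check_result $E_CONNECT "Let's Encrypt domain verification failed"
 fi
 done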
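Review bot: The rollback blocks in the second and third hunks (after `if [[ "$status" -ne 200 ]]; then` and `if [[ "$status" -ne 201 ]]; then`) delete `$caa_record`, but that variable still holds the id captured at the top of the script, which the replace step has already deleted and re-created under a new id, or is empty when no CAA record existed, so the Let's Encrypt record the script just added is never removed on these failure paths. The later hunks re-query before deleting; the same re-query should follow each `v-add-dns-record` call, e.g. `caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)`. Separately, `grep $domain` and `grep -i "CAA"` are unquoted, unanchored matches (a dot in `$domain` matches any character, and any record line containing "caa" matches), so `dns_domain` or `caa_record` may hold several values and the exact-match test or the unquoted delete call then misbehaves; whether that happens depends on the listing output format, which is outside the hunk. Replacing a pre-existing CAA record rather than adding alongside it also silently drops any other issuers the zone owner had authorised, which is worth calling out in the comment above the `else` branch.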
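--- a/bin/v-delete-letsencrypt-domain
+++ b/bin/v-delete-letsencrypt-domain
@@ -46,6 +46,18 @@ fi
 # Action #
 #----------------------------------------------------------#
 
+# Delete DNS CAA record
+if [ ! -z "$DNS_SYSTEM" ]; then
+dns_domain=$($BIN/v-list-dns-domains $user | grep $domain | cut -d' ' -f1)
+caa_record=$($BIN/v-list-dns-records $user $domain | grep -i "letsencrypt" | cut -d' ' -f1)
+
+if [ "$dns_domain" = "$domain" ]; then
+if [ ! -z "$caa_record" ]; then
+$BIN/v-delete-dns-record $user $domain $caa_record
+fi
+fi
+fi
+
 # Delete SSL
 if [ -z "$mail" ]; then
 $BIN/v-delete-web-domain-ssl $user $domain $restart >/dev/null 2>&1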
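Review bot: `caa_record` can hold more than one id, because `grep -i "letsencrypt"` matches every record line containing that string (a second CAA record, or a non-CAA record whose value mentions it), and the unquoted `$caa_record` in the `v-delete-dns-record` call then passes the extra ids as additional positional arguments, so at most the first record is removed and the rest are left behind. Iterating over the ids is the safer shape: `for id in $caa_record; do $BIN/v-delete-dns-record $user $domain $id; done`. Whether non-CAA records could be matched and deleted depends on the output format of v-list-dns-records, which is outside the hunk; narrowing the match to CAA lines before filtering on the issuer would remove that risk. The same lookup-and-delete pattern is repeated in the failure paths added to v-add-letsencrypt-domain in this commit.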