Revisions

  1. @wardpieters wardpieters revised this gist Jan 28, 2021. 2 changed files with 18 additions and 59 deletions.
    28 changes: 18 additions & 10 deletions cloudflare_tlsa_mailcow.sh
    @@ -17,14 +17,17 @@ zone_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone&

    echo "ID for $zone is $zone_id"

    ports=("_25._tcp" "_110._tcp" "_143._tcp" "_465._tcp" "_587._tcp" "_993._tcp" "_995._tcp" "_4190._tcp")
    ports=("_25._tcp")

    for i in "${ports[@]}"
    do
    # get the dns record id
    dnsrecord_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records?type=TLSA&name=$i.$dnsrecord" \
    dnsrecord_req=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records?type=TLSA&name=$i.$dnsrecord" \
    -H "Authorization: Bearer $cloudflare_token" \
    -H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
    -H "Content-Type: application/json")

    dnsrecord_id=$(echo "$dnsrecord_req" | jq -r '{"result"}[] | .[0] | .id')
    dnsrecord_hash=$(echo "$dnsrecord_req" | jq -r '{"result"}[] | .[0] | .data.certificate')

    echo "Processing record $i.$dnsrecord ..."

    @@ -38,12 +41,17 @@ do

    echo "Record $i.$dnsrecord added!"
    else
    # Update the record
    curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records/$dnsrecord_id" \
    -H "Authorization: Bearer $cloudflare_token" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"1\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq

    echo "Record $i.$dnsrecord updated!"
    if [[ "$dnsrecord_hash" != "$chain_hash" ]]
    then
    # Update the record
    curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records/$dnsrecord_id" \
    -H "Authorization: Bearer $cloudflare_token" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"1\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq

    echo "Record $i.$dnsrecord updated!"
    else
    echo "Record $i.$dnsrecord does not need to be updated!"
    fi
    fi
    done
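Review bot: The new `dnsrecord_req` response in hunk 1 (the `dnsrecord_req=$(curl ...)` line) is never checked for success, so an error or rate-limited reply from the API yields `null` for both `dnsrecord_id` and `dnsrecord_hash`, and the existence check between the two hunks would then treat the record as missing and POST a duplicate. Adding `jq -e '.success' <<<"$dnsrecord_req" >/dev/null || { echo "lookup failed for $i.$dnsrecord" >&2; continue; }` after the two `jq` extractions, together with `--fail` on the curl, closes this. The hash comparison in hunk 2 also accepts an empty `chain_hash` as a valid value, so a missing or unreadable cert file would publish a TLSA record with empty certificate data; a guard such as `[[ -n "$chain_hash" ]] || exit 1` before the loop (outside both hunks) prevents that. The `for` loop opened in hunk 1 closes at the `done` of hunk 2, and the `if` that selects add versus update starts before hunk 2.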
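--- a/cloudflare_tlsa_proxy.sh
+++ b/cloudflare_tlsa_proxy.sh
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-zone=domain.nl
-dnsrecord=some-server.domain.nl
-
-## Cloudflare authentication details
-## keep these private
-cloudflare_token="XXXXXX"
-
-# get certificate hash
-chain_hash=$(openssl x509 -in /etc/letsencrypt/live/$dnsrecord/cert.pem -outform DER | openssl dgst -sha256 -hex | awk '{print $NF}')
-
-# get the zone id for the requested zone
-zone_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone&status=active" \
--H "Authorization: Bearer $cloudflare_token" \
--H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
-
-echo "ID for $zone is $zone_id"
-
-ports=("_443._tcp")
-
-for i in "${ports[@]}"
-do
-# get the dns record id
-dnsrecord_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records?type=TLSA&name=$i.$dnsrecord" \
--H "Authorization: Bearer $cloudflare_token" \
--H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
-
-echo "Processing record $i.$dnsrecord ..."
-
-if [ -z "$dnsrecord_id" ] || [ $dnsrecord_id == "null" ]
-then
-# Add the record
-curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records" \
--H "Authorization: Bearer $cloudflare_token" \
--H "Content-Type: application/json" \
---data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"0\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq
-
-echo "Record $i.$dnsrecord added!"
-else
-# Update the record
-curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records/$dnsrecord_id" \
--H "Authorization: Bearer $cloudflare_token" \
--H "Content-Type: application/json" \
---data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"0\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq
-
-echo "Record $i.$dnsrecord updated!"
-fi
-done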
  2. @wardpieters wardpieters created this gist Dec 25, 2020.
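--- a/cloudflare_tlsa_mailcow.sh
+++ b/cloudflare_tlsa_mailcow.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+zone=domain.nl
+dnsrecord=some-server.domain.nl
+
+## Cloudflare authentication details
+## keep these private
+cloudflare_token="XXXXXX"
+
+# get certificate hash
+chain_hash=$(openssl x509 -in /opt/mailcow-dockerized/data/assets/ssl/cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')
+
+# get the zone id for the requested zone
+zone_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone&status=active" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
+
+echo "ID for $zone is $zone_id"
+
+ports=("_25._tcp" "_110._tcp" "_143._tcp" "_465._tcp" "_587._tcp" "_993._tcp" "_995._tcp" "_4190._tcp")
+
+for i in "${ports[@]}"
+do
+# get the dns record id
+dnsrecord_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records?type=TLSA&name=$i.$dnsrecord" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
+
+echo "Processing record $i.$dnsrecord ..."
+
+if [ -z "$dnsrecord_id" ] || [ $dnsrecord_id == "null" ]
+then
+# Add the record
+curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" \
+--data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"1\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq
+
+echo "Record $i.$dnsrecord added!"
+else
+# Update the record
+curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records/$dnsrecord_id" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" \
+--data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"1\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq
+
+echo "Record $i.$dnsrecord updated!"
+fi
+done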
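Review bot: `[ $dnsrecord_id == "null" ]` on the `if` line leaves the expansion unquoted, so an empty or whitespace value produces a test syntax error instead of taking the add branch, and `==` inside `[` is not POSIX; `if [[ -z "$dnsrecord_id" || "$dnsrecord_id" == "null" ]]` is the safer form. The bearer token is passed as a command-line argument on every `curl` call, which exposes it to other local users through the process list; reading it from a file with `-H @"$header_file"` or a curl config file, and taking `cloudflare_token` from the environment rather than a hard-coded assignment, keeps it out of argv. The script has no `set -euo pipefail` and no `--fail` on the curl calls, so a failed zone or record lookup silently becomes `null` and is treated as a missing record. The same three points apply to cloudflare_tlsa_proxy.sh in the section below.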
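--- a/cloudflare_tlsa_proxy.sh
+++ b/cloudflare_tlsa_proxy.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+zone=domain.nl
+dnsrecord=some-server.domain.nl
+
+## Cloudflare authentication details
+## keep these private
+cloudflare_token="XXXXXX"
+
+# get certificate hash
+chain_hash=$(openssl x509 -in /etc/letsencrypt/live/$dnsrecord/cert.pem -outform DER | openssl dgst -sha256 -hex | awk '{print $NF}')
+
+# get the zone id for the requested zone
+zone_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone&status=active" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
+
+echo "ID for $zone is $zone_id"
+
+ports=("_443._tcp")
+
+for i in "${ports[@]}"
+do
+# get the dns record id
+dnsrecord_id=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records?type=TLSA&name=$i.$dnsrecord" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
+
+echo "Processing record $i.$dnsrecord ..."
+
+if [ -z "$dnsrecord_id" ] || [ $dnsrecord_id == "null" ]
+then
+# Add the record
+curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" \
+--data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"0\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq
+
+echo "Record $i.$dnsrecord added!"
+else
+# Update the record
+curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records/$dnsrecord_id" \
+-H "Authorization: Bearer $cloudflare_token" \
+-H "Content-Type: application/json" \
+--data "{\"type\":\"TLSA\",\"name\":\"$i.$dnsrecord\", \"data\": {\"usage\": \"3\", \"selector\": \"0\", \"matching_type\": \"1\", \"certificate\":\"$chain_hash\"},\"ttl\":1,\"proxied\":false}" | jq
+
+echo "Record $i.$dnsrecord updated!"
+fi
+done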
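Review bot: `-in /etc/letsencrypt/live/$dnsrecord/cert.pem` on the `chain_hash` line leaves `$dnsrecord` unquoted, and nothing checks that the file was readable or that the resulting hash is non-empty before it is written into the TLSA `certificate` field; `-in "/etc/letsencrypt/live/$dnsrecord/cert.pem"` plus `[[ -n "$chain_hash" ]] || exit 1` before the loop would prevent publishing an empty record. This file hashes the full certificate (selector 0) rather than the public key (selector 1) as the mailcow variant does, so the published record stops matching as soon as a renewal replaces `cert.pem`; a header comment stating that the script must run after every renewal (for example from a renewal hook) would document that dependency.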