Add netcup/update_tlsa_record.md
160
netcup/update_tlsa_record.md
Normal file
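--- /dev/null
+++ b/netcup/update_tlsa_record.md
@@ -0,0 +1,160 @@
+# TLSA Records setzen über die API von NetCup
+
+Mit diesem Script kann man automatisiert den TLSA Record setzen. Es wird zunächst geprüft ob er bereits vorhanden ist, wenn ja wird er nicht aktualisiert.
+
+Die `netcup.env` Datei sollte dabei im gleichen Verzeichnis liegen und folgenden Inhalt haben:
+
+```python
+CUSTOMER_NUMBER=DEINE_KUNDENNUMMER
+API_KEY=DEIN_API_KEY
+API_PASSWORD=DEIN_API_PASSWORT
+DOMAIN=deine-domain.de
+CERTIFICATE_PATH=PFAD_ZUR_fullchain.pem
+```
+
+```python
+#!/bin/bash
+
+# .env Datei laden
+if [ -f netcup.env ]; then
+export $(grep -v '^#' netcup.env | xargs)
+else
+echo "Fehler: .env Datei nicht gefunden!"
+exit 1
+fi
+
+# URL der Netcup API
+API_URL="https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON"
+
+# Prüfen, ob das Zertifikat existiert
+if [[ ! -f "$CERTIFICATE_PATH" ]]; then
+echo "Fehler: Zertifikat unter $CERTIFICATE_PATH nicht gefunden!"
+exit 1
+fi
+
+echo "Zertifikat gefunden: $CERTIFICATE_PATH"
+
+# TLSA-Hash generieren
+TLSA_HASH=$(openssl x509 -in "$CERTIFICATE_PATH" -pubkey -noout | \
+openssl pkey -pubin -outform DER | \
+openssl dgst -sha256 -binary | hexdump -ve '1/1 "%.2x"')
+
+if [[ -z "$TLSA_HASH" ]]; then
+echo "Fehler beim Generieren des TLSA-Hashes!"
+exit 1
+fi
+
+echo "TLSA-Record-Hash generiert: $TLSA_HASH"
+
+# Login zur Netcup API
+LOGIN_RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" \
+-d '{
+"action": "login",
+"param": {
+"customernumber": "'"$CUSTOMER_NUMBER"'",
+"apikey": "'"$API_KEY"'",
+"apipassword": "'"$API_PASSWORD"'"
+}
+}' "$API_URL")
+
+SESSION_ID=$(echo "$LOGIN_RESPONSE" | jq -r '.responsedata.apisessionid')
+
+if [[ -z "$SESSION_ID" || "$SESSION_ID" == "null" ]]; then
+echo "Fehler beim Login!"
+echo "$LOGIN_RESPONSE"
+exit 1
+fi
+
+echo "Erfolgreich eingeloggt. Session-ID: $SESSION_ID"
+
+# DNS Records abrufen
+DNS_RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" \
+-d '{
+"action": "infoDnsRecords",
+"param": {
+"customernumber": "'"$CUSTOMER_NUMBER"'",
+"apikey": "'"$API_KEY"'",
+"apisessionid": "'"$SESSION_ID"'",
+"domainname": "'"$DOMAIN"'"
+}
+}' "$API_URL")
+
+# TLSA-Record prüfen
+RECORDS=$(echo "$DNS_RESPONSE" | jq -r '.responsedata.dnsrecords')
+EXISTING_TLSA_RECORD=$(echo "$RECORDS" | jq -r ".[] | select(.hostname == \"_25._tcp.mail\" and .type == \"TLSA\")")
+
+if [[ -n "$EXISTING_TLSA_RECORD" ]]; then
+EXISTING_DESTINATION=$(echo "$EXISTING_TLSA_RECORD" | jq -r '.destination')
+RECORD_ID=$(echo "$EXISTING_TLSA_RECORD" | jq -r '.id')
+echo "Bestehender TLSA-Record gefunden: ID $RECORD_ID mit Wert $EXISTING_DESTINATION"
+
+if [[ "$EXISTING_DESTINATION" == "3 1 1 $TLSA_HASH" ]]; then
+echo "Der bestehende TLSA-Record hat bereits den korrekten Wert. Keine Änderungen erforderlich."
+# Logout
+curl -s -X POST -H "Content-Type: application/json" \
+-d '{
+"action": "logout",
+"param": {
+"customernumber": "'"$CUSTOMER_NUMBER"'",
+"apikey": "'"$API_KEY"'",
+"apisessionid": "'"$SESSION_ID"'"
+}
+}' "$API_URL" > /dev/null
+
+echo "Logout abgeschlossen."
+exit 0
+fi
+else
+echo "Kein bestehender TLSA-Record gefunden. Ein neuer wird erstellt."
+RECORD_ID=""
+fi
+
+# Neuer oder aktualisierter TLSA-Record erstellen
+DNS_UPDATE_PAYLOAD='{
+"action": "updateDnsRecords",
+"param": {
+"customernumber": "'"$CUSTOMER_NUMBER"'",
+"apikey": "'"$API_KEY"'",
+"apisessionid": "'"$SESSION_ID"'",
+"domainname": "'"$DOMAIN"'",
+"dnsrecordset": {
+"dnsrecords": [
+{
+"id": "'"$RECORD_ID"'",
+"hostname": "_25._tcp.mail",
+"type": "TLSA",
+"destination": "3 1 1 '"$TLSA_HASH"'",
+"state": "yes"
+}
+]
+}
+}
+}'
+
+# DNS-Record aktualisieren
+UPDATE_RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" \
+-d "$DNS_UPDATE_PAYLOAD" "$API_URL")
+
+UPDATE_STATUS=$(echo "$UPDATE_RESPONSE" | jq -r '.status')
+
+if [[ "$UPDATE_STATUS" == "success" ]]; then
+echo "TLSA-Record erfolgreich aktualisiert."
+else
+echo "Fehler beim Aktualisieren des TLSA-Records!"
+echo "$UPDATE_RESPONSE"
+fi
+
+# Logout
+curl -s -X POST -H "Content-Type: application/json" \
+-d '{
+"action": "logout",
+"param": {
+"customernumber": "'"$CUSTOMER_NUMBER"'",
+"apikey": "'"$API_KEY"'",
+"apisessionid": "'"$SESSION_ID"'"
+}
+}' "$API_URL" > /dev/null
+
+echo "Logout abgeschlossen."
+
+```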
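Review bot: Every request body in the script (the `-d '{ … }'` literals of the login, infoDnsRecords and both logout calls, and `DNS_UPDATE_PAYLOAD`) is assembled by splicing `$CUSTOMER_NUMBER`, `$API_KEY`, `$API_PASSWORD`, `$DOMAIN` and `$SESSION_ID` into a JSON string, so a value containing a double quote or backslash yields a malformed or altered request, and the credentials also sit on curl's argv where they can be read from the local process list. Building each payload with `jq -n --arg` and handing it to curl on stdin via `--data @-` addresses both; the login call rewritten that way is below and the other four calls follow the same pattern. Separately, the `else` branch after `if [[ "$UPDATE_STATUS" == "success" ]]` prints the error but still reaches the final logout and ends with status 0, so a cron job or timer running this cannot detect the failure — record it, e.g. `RC=1` in that branch, and finish with `exit "${RC:-0}"` after the logout. The loader `export $(grep -v '^#' netcup.env | xargs)` word-splits and glob-expands every value; `set -a; . ./netcup.env; set +a` loads the same file without that. Both fences in the markdown are tagged as `python` although they hold a dotenv file and a bash script; `dotenv` and `bash` would give correct highlighting.
```shell
# Login zur Netcup API
LOGIN_PAYLOAD=$(jq -n \
  --arg cn "$CUSTOMER_NUMBER" --arg key "$API_KEY" --arg pw "$API_PASSWORD" \
  '{action: "login", param: {customernumber: $cn, apikey: $key, apipassword: $pw}}')
LOGIN_RESPONSE=$(printf '%s' "$LOGIN_PAYLOAD" \
  | curl -sS -X POST -H "Content-Type: application/json" --data @- "$API_URL")
# … unchanged: SESSION_ID extraction and login check …
```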