From 60e04aeeaa060bb500255b6d41591133cc18e6d6 Mon Sep 17 00:00:00 2001
From: srvrco
Date: Fri, 13 Jan 2017 13:57:18 +0000
Subject: [PATCH] added drill, dig or host as alternatives to nslookup
---
 getssl | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 92 insertions(+), 9 deletions(-)
diff --git a/getssl b/getssl
index 66954b2..959e4f8 100755
--- a/getssl
+++ b/getssl
@@ -176,10 +176,11 @@
 # 2017-01-02 Added option to limit amount of old versions to keep (2.01)
 # 2017-01-03 Created check_config function to list all obvious config issues (2.02)
 # 2017-01-10 force renew if FORCE_RENEWAL file exists (2.03)
+# 2017-01-12 added drill, dig or host as alternatives to nslookup (2.04)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="2.03"
+VERSION="2.04"
 # defaults
 ACCOUNT_KEY_LENGTH=4096
@@ -369,7 +370,21 @@ check_config() { # check the config files for all obvious errors
 config_errors=true
 fi
 # check domain exist
- if [[ "$(nslookup -query=AAAA "${d}"|grep -c "^${d}.*has AAAA address")" -ge 1 ]]; then
+ if [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
+ if [[ "$($DNS_CHECK_FUNC "${d}" SOA|grep -c "^${d}")" -ge 1 ]]; then
+ debug "found IP for ${d}"
+ else
+ info "${DOMAIN}: DNS lookup failed for ${d}"
+ config_errors=true
+ fi
+ elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
+ if [[ "$($DNS_CHECK_FUNC "${d}" |grep -c "^${d}")" -ge 1 ]]; then
+ debug "found IP for ${d}"
+ else
+ info "${DOMAIN}: DNS lookup failed for ${d}"
+ config_errors=true
+ fi
+ elif [[ "$(nslookup -query=AAAA "${d}"|grep -c "^${d}.*has AAAA address")" -ge 1 ]]; then
 debug "found IPv6 record for ${d}"
 elif [[ "$(nslookup "${d}"| grep -c ^Name)" -ge 1 ]]; then
 debug "found IPv4 record for ${d}"
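Review bot: The drill/dig branch of the domain check decides that ${d} exists by counting SOA-query output lines that start with ${d}, but for a hostname below the zone apex (a plain A record such as www.example.com) dig and drill answer with the parent zone's SOA in the authority section, whose owner is the zone name, so the count would be 0 and a valid host reported as `DNS lookup failed` — worth confirming against real output before relying on it. Querying the address types the certificate actually needs mirrors the nslookup path, e.g. `if [[ "$($DNS_CHECK_FUNC "${d}" A | grep -c "^${d}")" -ge 1 ]]; then` (with an AAAA query for IPv6-only hosts). The message `debug "found IP for ${d}"` is also misleading after a SOA or bare host query since no address is examined; `debug "found DNS record for ${d}"` describes what was checked. The dots in ${d} remain unescaped in the grep pattern, as on the existing nslookup line. check_config starts and ends outside the hunk.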
@@ -377,7 +392,7 @@ check_config() { # check the config files for all obvious errors
 info "${DOMAIN}: DNS lookup failed for $d"
 config_errors=true
 fi
- fi # end http-01 check
+ fi # end using http-01 challenge
 ((dn++))
 done
@@ -675,7 +690,53 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
 return
 fi
- res=$(nslookup -debug=1 -type=soa -type=ns "$1" ${gad_s})
+ if [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
+ if [[ -z "$gad_s" ]]; then #checking for CNAMEs
+ res=$($DNS_CHECK_FUNC CNAME "$gad_d"| grep "^$gad_d")
+ else
+ res=$($DNS_CHECK_FUNC CNAME "$gad_d" "@$gad_s"| grep "^$gad_d")
+ fi
+ if [[ ! -z "$res" ]]; then # domain is a CNAME so get main domain
+ gad_d=$(echo "$res"| awk '{print $5}' |sed 's/\.$//g')
+ fi
+ if [[ -z "$gad_s" ]]; then #checking for CNAMEs
+ res=$($DNS_CHECK_FUNC NS "$gad_d"| grep "^$gad_d")
+ else
+ res=$($DNS_CHECK_FUNC NS "$gad_d" "@$gad_s"| grep "^$gad_d")
+ fi
+ if [[ -z "$res" ]]; then
+ error_exit "couldn't find primary DNS server - please set AUTH_DNS_SERVER in config"
+ else
+ all_auth_dns_servers=$(echo "$res" | awk '$4 ~ "NS" {print $5}' | sed 's/\.$//g'|tr '\n' ' ')
+ fi
+ if [[ $CHECK_ALL_AUTH_DNS == "true" ]]; then
+ primary_ns="$all_auth_dns_servers"
+ else
+ primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}')
+ fi
+ return
+ fi
+
+ if [[ "$DNS_CHECK_FUNC" == "host" ]]; then
+ if [[ -z "$gad_s" ]]; then
+ res=$($DNS_CHECK_FUNC -t NS "$gad_d"| grep "name server")
+ else
+ res=$($DNS_CHECK_FUNC -t NS "$gad_d" "$gad_s"| grep "name server")
+ fi
+ if [[ -z "$res" ]]; then
+ error_exit "couldn't find primary DNS server - please set AUTH_DNS_SERVER in config"
+ else
+ all_auth_dns_servers=$(echo "$res" | awk '{print $4}' | sed 's/\.$//g'|tr '\n' ' ')
+ fi
+ if [[ $CHECK_ALL_AUTH_DNS == "true" ]]; then
+ primary_ns="$all_auth_dns_servers"
+ else
+ primary_ns=$(echo "$all_auth_dns_servers" | awk '{print $1}')
+ fi
+ return
+ fi
+
+ res=$(nslookup -debug=1 -type=soa -type=ns "$gad_d" ${gad_s})
 if [[ "$(echo "$res" | grep -c "Non-authoritative")" -gt 0 ]]; then
 # this is a Non-authoritative server, need to check for an authoritative one.
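Review bot: In the drill/dig branch the CNAME detection `res=$($DNS_CHECK_FUNC CNAME "$gad_d"| grep "^$gad_d")` accepts any output line whose owner is the domain, and when gad_d is a zone apex without a CNAME, dig and drill print that zone's SOA in the authority section under the same owner name, so `awk '{print $5}'` would replace gad_d with the SOA's primary nameserver and the NS lookup that follows ends in `couldn't find primary DNS server` — worth checking against real output for an apex domain. Filtering on the record type, as the NS step already does with `awk '$4 ~ "NS" {print $5}'`, avoids this: `res=$($DNS_CHECK_FUNC CNAME "$gad_d"| grep "^$gad_d" | awk '$4 == "CNAME"')` and the same for the `"@$gad_s"` variant, leaving the later `-z "$res"` test unchanged. The host branch performs no CNAME resolution at all, so the two new paths behave differently for CNAMEd domains; a comment stating that difference (or adding the same step) would keep callers from guessing. get_auth_dns starts and ends outside the hunk.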
@@ -975,10 +1036,25 @@ revoke_certificate() { # revoke a certificate
 }
 requires() { # check if required function is available
- result=$(which "$1" 2>/dev/null)
- debug "checking for required $1 ... $result"
- if [[ -z "$result" ]]; then
- error_exit "This script requires $1 installed"
+ if [[ "$#" -gt 1 ]]; then # if more than 1 value, check list
+ for i in "$@"; do
+ if [[ "$i" == "${!#}" ]]; then # if on last variable then exit as not found
+ error_exit "this script requires one of: ${*:1:$(($#-1))}"
+ fi
+ res=$(which "$i" 2>/dev/null)
+ debug "checking for $i ... $res"
+ if [[ ! -z "$res" ]]; then # if function found, then set variable to function and return
+ debug "function $i found at $res - setting ${!#} to $i"
+ eval "${!#}=\$i"
+ return
+ fi
+ done
+ else # only one value, so check it.
+ result=$(which "$1" 2>/dev/null)
+ debug "checking for required $1 ... $result"
+ if [[ -z "$result" ]]; then
+ error_exit "This script requires $1 installed"
+ fi
 fi
 }
@@ -1338,13 +1414,14 @@ get_os
 requires which
 requires openssl
 requires curl
-requires nslookup
+requires nslookup drill dig host DNS_CHECK_FUNC
 requires awk
 requires tr
 requires date
 requires grep
 requires sed
 requires sort
+requires mktemp
 # Check if upgrades are available (unless they have specified -U to ignore Upgrade checks)
 if [[ $_UPGRADE_CHECK -eq 1 ]]; then
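Review bot: `eval "${!#}=\$i"` in the multi-argument branch of requires() re-parses the last argument as shell code to perform an assignment that `printf -v "${!#}" '%s' "$i"` does directly; the variable names come from the script's own call sites (`requires nslookup drill dig host DNS_CHECK_FUNC` in the next hunk), so this is a robustness point rather than an injection, but printf -v rejects a non-identifier instead of executing it. Nothing checks that the last argument is a variable name, so a caller who forgets it gets the last tool name assigned to itself; a guard before the loop such as `[[ "${!#}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || error_exit "requires: last argument must be a variable name"` makes that misuse fail loudly. The function now has two calling conventions that its signature does not reveal (one tool: hard requirement; several tools followed by a variable name: first found wins and is stored there), which deserves a header comment. `i` and `res` are left global, consistent with the rest of the script.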
@@ -1868,6 +1945,12 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \
 | grep ^_acme -A2\
 | grep '"'|awk -F'"' '{ print $2}')
+ elif [[ "$DNS_CHECK_FUNC" == "drill" ]] || [[ "$DNS_CHECK_FUNC" == "dig" ]]; then
+ check_result=$($DNS_CHECK_FUNC TXT "_acme-challenge.${d}" "@${ns}" \
+ | grep ^_acme|awk -F'"' '{ print $2}')
+ elif [[ "$DNS_CHECK_FUNC" == "host" ]]; then
+ check_result=$($DNS_CHECK_FUNC -t TXT "_acme-challenge.${d}" "${ns}" \
+ | grep ^_acme|awk -F'"' '{ print $2}')
 else
 check_result=$(nslookup -type=txt "_acme-challenge.${d}" "${ns}" \
 | grep ^_acme|awk -F'"' '{ print $2}')
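Review bot: The new drill/dig and host branches are placed after an existing branch whose condition lies outside the hunk, so that condition is evaluated before DNS_CHECK_FUNC is consulted; if it selects on platform rather than on tool, a system whose only resolver tool is dig would still run the nslookup pipeline there — worth confirming. Since the added pipelines differ only in the tool invocation and all rely on the token being the first double-quoted field, a comment above the drill/dig branch such as `# answer line: <name> <ttl> IN TXT "<token>" (host: <name> descriptive text "<token>"); take the quoted field` records why -F'"' is shared across tools. The surrounding if/elif chain starts and ends outside the hunk.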