Add support for letsencrypt CAA

brutexploiter · Jun 25, 2024 · 6e1e499 · 6e1e499
1 parent f011ba2
commit 6e1e499
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/dnshook.sh b/dnshook.sh
@@ -1,14 +1,41 @@
 #!/bin/bash
 
-# Zonefile must be used because certbot tries to start multiple DNS-resolvers for wildcards.
-echo "_acme-challenge.$CERTBOT_DOMAIN. 10 IN TXT \"$CERTBOT_VALIDATION\"" >> /tmp/collab.zonefile
+MYPRIVATEIP=$1
+MYPUBLICIP=$(curl -s http://checkip.amazonaws.com/)
+
+# Ensure CERTBOT_DOMAIN and CERTBOT_VALIDATION are set
+if [[ -z "$CERTBOT_DOMAIN" || -z "$CERTBOT_VALIDATION" ]]; then
+  echo "CERTBOT_DOMAIN and CERTBOT_VALIDATION must be set"
+  exit 1
+fi
+
+# Create the DNS zone file
+cat <<EOF > /tmp/collab.zonefile
+\$TTL 10
+@ IN SOA ns1.$CERTBOT_DOMAIN. hostmaster.$CERTBOT_DOMAIN. (
+    2024062501 ; serial
+    3600       ; refresh (1 hour)
+    1800       ; retry (30 minutes)
+    1209600    ; expire (2 weeks)
+    3600       ; minimum (1 hour)
+)
+
+@ IN NS ns1.$CERTBOT_DOMAIN.
+@ IN A $MYPUBLICIP
+
+_acme-challenge.$CERTBOT_DOMAIN. 10 IN TXT "$CERTBOT_VALIDATION"
+
+$CERTBOT_DOMAIN. 10 IN CAA 0 issue "letsencrypt.org"
+EOF
+
+# Kill any existing dnslib.fixedresolver processes
 pkill -f dnslib.fixedresolver &>/dev/null
 
 # Echo burp service status for CERTBOT_AUTH_OUTPUT so that cleanup can start Burp service if it was started before.
 echo "$(systemctl show -p ActiveState --value burpcollaborator)"
 service burpcollaborator stop &>/dev/null
 
-python3 -m dnslib.fixedresolver -a $1 --zonefile /tmp/collab.zonefile &>/dev/null &disown
+python3 -m dnslib.fixedresolver -a $MYPRIVATEIP --zonefile /tmp/collab.zonefile &>/dev/null &
 
 # Sleep to avoid DNS propagation issues.
 sleep 15
diff --git a/install.sh b/install.sh
@@ -105,12 +105,12 @@ read -p "Press enter to continue"
 certbot certonly --manual-auth-hook "/usr/local/collaborator/dnshook.sh $MYPRIVATEIP" -m $EMAIL --manual-cleanup-hook /usr/local/collaborator/cleanup.sh \
     -d "*.$DOMAIN" \
     --server https://acme-v02.api.letsencrypt.org/directory \
-    --manual --agree-tos --no-eff-email --manual-public-ip-logging-ok --preferred-challenges dns-01
+    --manual --agree-tos --no-eff-email --preferred-challenges dns-01
 
 certbot certonly --manual-auth-hook "/usr/local/collaborator/dnshook.sh $MYPRIVATEIP" -m $EMAIL --manual-cleanup-hook /usr/local/collaborator/cleanup.sh \
     -d "$DOMAIN, *.$DOMAIN" \
     --server https://acme-v02.api.letsencrypt.org/directory \
-    --manual --agree-tos --no-eff-email --manual-public-ip-logging-ok --preferred-challenges dns-01 \
+    --manual --agree-tos --no-eff-email --preferred-challenges dns-01 \
     --expand
 
 CERT_PATH=/etc/letsencrypt/live/$DOMAIN