desec-io / certbot-dns-desec

Let's Encrypt Certificates for Domains Hosted at deSEC

Feature request: TLSA records #16

Open yan-foto opened 2 years ago

yan-foto commented 2 years ago

I was wondering if it's possible to also update TLSA records after a certificate is fetched?

nils-wisiol commented 2 years ago

Currently, TLSA updates need to be done manually after obtaining the certificate. Over at desec-io/desec-stack#513, there is some effort to auto-generate TLSA records from certificates. If this ever becomes available through the deSEC API, we would still have to figure out if the certbot plugin interface provides functions that are called after successfully obtaining a certificate.

We need to proceed with caution, though, as record updates need to be carefully coordinated with the actual certificate switch at the web server. I believe https://github.com/raforg/danectl implements an appropriate workflow for this.
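To make the two points in this comment concrete (generating a TLSA record from a certificate, and keeping the DNS update coordinated with the certificate switch), here is an added Python example. It is not code from certbot-dns-desec, desec-stack or danectl: the DER walker is a minimal hand-written parser that only locates `subjectPublicKeyInfo`, the `synthetic_certificate` builder produces a constructed DER skeleton for offline testing (not a valid certificate), and the rollover helpers encode the usual "publish both, switch, then retire" sequence rather than any API the plugin exposes.

```python
"""Derive DANE TLSA rdata from an X.509 certificate and plan the rollover.

Added example, not part of certbot-dns-desec. Only definite-length DER is
handled, which is all X.509 certificates use. Real certificates can be fed
in via ssl.PEM_cert_to_DER_cert(); the synthetic builder below is constructed
test data that merely has the right field order for the walker.
"""
import hashlib
import ssl

SEQUENCE, INTEGER, OID, BIT_STRING, CONTEXT_0 = 0x30, 0x02, 0x06, 0x03, 0xA0


def der_tlv(tag, body):
    """Encode one DER TLV, using the short or long length form as needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def read_tlv(buf, pos):
    """Decode the TLV starting at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def extract_spki(der_cert):
    """Return the DER-encoded subjectPublicKeyInfo (what TLSA selector 1 hashes)."""
    tag, pos, _ = read_tlv(der_cert, 0)                 # Certificate ::= SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    tag, pos, tbs_end = read_tlv(der_cert, pos)         # tbsCertificate ::= SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("missing tbsCertificate")
    tag, _, end = read_tlv(der_cert, pos)
    if tag == CONTEXT_0:                                # optional version [0] EXPLICIT
        pos = end
    for _ in range(5):                                  # serialNumber, signature, issuer,
        _, _, pos = read_tlv(der_cert, pos)             # validity, subject
    tag, _, end = read_tlv(der_cert, pos)
    if tag != SEQUENCE or end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return der_cert[pos:end]                            # include the SEQUENCE header


def tlsa_rdata(der_cert, usage=3, selector=1, matching=1):
    """Format TLSA rdata; 3 1 1 (DANE-EE, SPKI, SHA-256) is the common choice."""
    data = extract_spki(der_cert) if selector == 1 else der_cert
    if matching == 0:
        assoc = data.hex()
    elif matching == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif matching == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching} {assoc}"


def rollover_records(published, new_rdata):
    """TLSA set to publish BEFORE the web server switches: old and new together.

    Only after the old record's TTL has expired at resolvers is it safe to
    switch the certificate, because until then some clients still validate
    against a cached TLSA set that lacks the new record.
    """
    return sorted(set(published) | {new_rdata})


def retire_records(published, live_rdata):
    """TLSA set to keep AFTER the switch: only the record for the live key."""
    return [r for r in published if r == live_rdata]


def sample_spki():
    """Constructed EC SubjectPublicKeyInfo shape (id-ecPublicKey OID, fake point)."""
    alg = der_tlv(SEQUENCE, der_tlv(OID, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    key = der_tlv(BIT_STRING, b"\x00\x04" + b"\x11" * 100)
    return der_tlv(SEQUENCE, alg + key)


def synthetic_certificate(spki_der):
    """Constructed DER skeleton with X.509 field order; NOT a valid certificate."""
    empty_seq = der_tlv(SEQUENCE, b"")
    tbs = der_tlv(CONTEXT_0, der_tlv(INTEGER, b"\x02"))  # version v3
    tbs += der_tlv(INTEGER, b"\x01")                     # serialNumber
    tbs += empty_seq * 4                                 # signature, issuer, validity, subject
    tbs += spki_der
    return der_tlv(SEQUENCE, der_tlv(SEQUENCE, tbs) + empty_seq + der_tlv(BIT_STRING, b"\x00"))


def pem_to_der(pem_text):
    """Convenience wrapper for real certificates (e.g. certbot's cert.pem)."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


if __name__ == "__main__":
    old_cert = synthetic_certificate(sample_spki())
    old = tlsa_rdata(old_cert)
    new = "3 1 1 " + "bb" * 32          # stands in for the freshly issued key
    print("before switch:", rollover_records([old], new))
    print("after switch: ", retire_records([old, new], new))
```

With a real certificate, `tlsa_rdata(pem_to_der(open("cert.pem").read()))` gives the `3 1 1` rdata for `_443._tcp.<host>`. Because the SPKI hash only changes when the key changes, a certbot renewal that reuses the private key leaves the record untouched; the two-phase helpers matter when the key rotates.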

yan-foto commented 2 years ago

That's a very good point. I had the impression that certbot provides some post-fetch hooks for the plugins: doesn't the nginx plugin update config files after certs are issued?

I'll give it a look as soon as I get some free time!