ekollof / gentlsa

Tool for DANE/TLSA (with Cloudflare API support)

Cloudflare cleanup old records #2

Closed H4R0 closed 1 year ago

H4R0 commented 3 years ago

It would be great if there was a cleanup option which removes all DANE records from Cloudflare before the new one is set.

If you use this as a Let's Encrypt hook it generates a new DANE record for every new certificate.

As a Let's Encrypt certificate is only valid for a max of 90 days, this results in 4 records per year which will never be cleared.

It's not a problem as DANE takes all records into account and succeeds if one is valid, but you will end up with many records over time.

jult commented 1 year ago

Huh? If you use the Cloudflare API, gentlsa simply replaces the existing TLSA record(s). So this is completely irrelevant. The only issue is the intermediate time after a cert is updated and DNS is fully propagated. For that you need a rollover record, as stated in my earlier issue posted here.

H4R0 commented 1 year ago

Did some debugging, the reason it did not replace the TLSA record was due to a layer 8 problem 🚀

I had repeated the full FQDN in the hostname part, e.g. --hostname mx.example.com, but it should simply be --hostname mx.

This resulted in the TLSA record correctly being added, but instead of replacing existing records it would always try to add the same record and either fail or create duplicates on certificate change.
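The thread's two points, that the owner name must be built from a zone-relative hostname and that a replace means deleting stale records at that owner rather than adding beside them, as an added Python example that is not gentlsa's own code. It assumes Cloudflare-style TLSA record JSON (fields `id`, `type`, `name`, `data{usage, selector, matching_type, certificate}`) and uses a constructed `example.com` zone with placeholder certificate hashes.

```python
from __future__ import annotations

# Constructed sample zone; not taken from the original issue.
ZONE = "example.com"

def tlsa_owner_name(hostname: str, zone: str, port: int = 25, proto: str = "tcp") -> str:
    """Build the TLSA owner name _<port>._<proto>.<host>.<zone>.

    `hostname` is the label relative to the zone ("mx"). A full FQDN
    ("mx.example.com") would produce _25._tcp.mx.example.com.example.com,
    which never matches the existing record, so every run adds instead
    of replacing. Reject that case explicitly.
    """
    label = hostname.strip().rstrip(".")
    zone = zone.strip().rstrip(".")
    if label == zone or label.endswith("." + zone):
        raise ValueError(f"--hostname should be relative to the zone (e.g. 'mx'), got {hostname!r}")
    return f"_{port}._{proto}.{label}.{zone}"

def plan_tlsa_update(existing: list[dict], owner: str, data: dict) -> tuple[list[str], dict | None]:
    """Decide which records to delete and whether a new one must be created.

    Records at the same owner whose data differs are stale certificate
    generations and are scheduled for deletion; an identical record already
    present makes the run a no-op. Returns (ids_to_delete, record_or_None).
    """
    at_owner = [r for r in existing if r["type"] == "TLSA" and r["name"] == owner]
    stale = [r["id"] for r in at_owner if r["data"] != data]
    already_present = any(r["data"] == data for r in at_owner)
    create = None if already_present else {"type": "TLSA", "name": owner, "data": data}
    return stale, create

# Constructed sample state: two old certificate generations that were never
# cleaned up, plus the hash for the freshly issued certificate.
OLD = [
    {"id": "rec-1", "type": "TLSA", "name": "_25._tcp.mx.example.com",
     "data": {"usage": 3, "selector": 1, "matching_type": 1, "certificate": "aa" * 32}},
    {"id": "rec-2", "type": "TLSA", "name": "_25._tcp.mx.example.com",
     "data": {"usage": 3, "selector": 1, "matching_type": 1, "certificate": "bb" * 32}},
]
NEW = {"usage": 3, "selector": 1, "matching_type": 1, "certificate": "cc" * 32}

if __name__ == "__main__":
    owner = tlsa_owner_name("mx", ZONE)
    print(owner, plan_tlsa_update(OLD, owner, NEW))
```

Run with the mistaken owner name from the thread (`_25._tcp.mx.example.com.example.com`) the plan deletes nothing and always creates, which is exactly the duplicate-on-renewal behaviour the reporter saw.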