stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: Generate TLSA Records for DANE #397

Closed sirrkitt closed 4 months ago

sirrkitt commented 4 months ago

Which feature or improvement would you like to request?

I recently discovered this project, cf-tlsa-acmesh, written in Go, that works with acme.sh to generate TLSA keys (and rollover keys). This would make it a lot simpler to roll out DANE for many servers.

I think this would be possible to lump together with stalwartlabs/mail-server#368 when/if there is ever support for automatically managing DNS records.


williamdes commented 4 months ago

@mdecimus, is it possible to have the option where it uses the CA and not the cert signature? Or is that the one that was implemented? Because managing the rotation without automation every 90 days is a nightmare.

mdecimus commented 4 months ago

Do you mean displaying the TLSA entries for trust anchors (type 2)? If you mean using the SubjectPublicKeyInfo rather than the entire certificate, both selectors are provided.

williamdes commented 4 months ago

Yes, type 2.

[screenshot]

yannikbloscheck commented 4 months ago

An alternative could also be to have an option to keep using the same private key for each Let's Encrypt certificate renewal. Then 3-1-1 should also work without having to change the record every 90 days.

williamdes commented 4 months ago

Since there is already DNS access, it should be relatively easy to manage this value automatically.

yannikbloscheck commented 4 months ago

> Since there is already DNS access, it should be relatively easy to manage this value automatically.

Only if you use the DNS update feature like for DNS-01 though. For example, I can't use it, because that isn't supported by my provider. Even if it were supported and I could theoretically automate it, I probably wouldn't, because for me giving any tool direct access to manipulate my DNS records is just another possible security risk I would like to avoid. I agree though that it would be a good addition for people who already use the DNS update feature anyway to also have their TLSA record managed that way.

mdecimus commented 4 months ago

Done:

[image]

marcoxyz123 commented 4 months ago

Hello mdecimus,

We should only use 2 1 1 & 3 1 1, or by choice 2 1 2 & 3 1 2 (if SHA-512 is necessary), with Let's Encrypt.

If the certificate gets renewed, only the 3 1 1 entry needs to be updated in DNS. Delete all other entries and check with:

https://www.huque.com/bin/danecheck (give port 25, smtp, DANE-EE )

https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

Best regards, Marco
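
The points above about selectors (full certificate vs. SubjectPublicKeyInfo), keeping the private key across renewals so a 3 1 1 record stays valid, and publishing 2 1 1 for the CA next to 3 1 1 for the end-entity, worked through in code. This is an added example for this thread, not Stalwart's own code or webadmin logic. It builds its own minimal DER encoder/parser so it runs offline: the certificates, key bytes and the `mail.example.org` name are constructed samples with a dummy signature, and `dane_accepts` is a simplified matcher (it omits the PKIX path validation that a real DANE-TA check requires).

```python
"""DANE TLSA helpers: generate records from a certificate and check a chain
against a record set (RFC 6698 field layout: usage selector mtype data).
Added example for this thread, not Stalwart's code.  The certificates are
constructed DER structures with dummy key bytes and a dummy signature so the
example runs offline; point the same functions at a real DER certificate."""
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo (selector 1) of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo,
    ... }, signatureAlgorithm, signatureValue }"""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)
    pos = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:            # explicit [0] version is optional
        pos = nxt
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not found")
    return tbs[pos:end]        # include the SEQUENCE header; RFC 6698 hashes the whole TLV


def tlsa_record(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation form 'usage selector mtype hex-data' for one certificate."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda d: d,                                   # full data
              1: lambda d: hashlib.sha256(d).digest(),          # SHA-256
              2: lambda d: hashlib.sha512(d).digest()}[mtype]   # SHA-512
    return f"{usage} {selector} {mtype} {digest(data).hex()}"


def tlsa_matches(cert_der: bytes, record: str) -> bool:
    usage, selector, mtype, assoc = record.split()
    computed = tlsa_record(cert_der, int(usage), int(selector), int(mtype))
    return computed.split()[3] == assoc.lower()


def dane_accepts(chain: list, records: list) -> bool:
    """Simplified check for an SMTP chain (chain[0] is the end-entity cert).
    Usage 3 (DANE-EE) matches the end-entity; usage 2 (DANE-TA) matches a cert
    higher in the chain and, in a real validator, also requires PKIX path
    validation up to that cert, which is omitted here.  Usages 0 and 1 are
    PKIX-constrained and are not used for SMTP (RFC 7672)."""
    for rec in records:
        usage = int(rec.split()[0])
        if usage == 3 and tlsa_matches(chain[0], rec):
            return True
        if usage == 2 and any(tlsa_matches(c, rec) for c in chain[1:]):
            return True
    return False


def make_cert(serial: int, pubkey: bytes, cn: bytes) -> bytes:
    """Constructed X.509 v3 DER certificate with a dummy signature (sample only)."""
    oid = lambda hexs: tlv(0x06, bytes.fromhex(hexs))
    sig_alg = seq(oid("2A864886F70D01010B"), tlv(0x05, b""))   # sha256WithRSAEncryption
    name = seq(tlv(0x31, seq(oid("550403"), tlv(0x0C, cn))))   # CN=<cn>
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"240401000000Z"))
    spki = seq(seq(oid("2A8648CE3D0201"), oid("2A8648CE3D030107")),  # id-ecPublicKey, P-256
               tlv(0x03, b"\x00" + pubkey))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(64)))   # dummy signature


# Constructed sample: a renewal that keeps the key (new serial, same SPKI),
# a renewal that rotates the key, and the issuing CA certificate.
KEY_A, KEY_B, KEY_CA = bytes(range(65)), bytes(range(64, -1, -1)), bytes(65)
CERT_OLD = make_cert(1, KEY_A, b"mail.example.org")
CERT_RENEWED_SAME_KEY = make_cert(2, KEY_A, b"mail.example.org")
CERT_RENEWED_NEW_KEY = make_cert(3, KEY_B, b"mail.example.org")
CERT_CA = make_cert(9, KEY_CA, b"Example CA")


def renewal_stability(old: bytes, new: bytes) -> dict:
    """Which DANE-EE record forms still match after the renewal old -> new."""
    return {f"3 {s} {m}": tlsa_record(old, 3, s, m) == tlsa_record(new, 3, s, m)
            for s in (0, 1) for m in (1, 2)}


if __name__ == "__main__":
    print("_25._tcp.mail.example.org. IN TLSA", tlsa_record(CERT_OLD, 3, 1, 1))
    print("_25._tcp.mail.example.org. IN TLSA", tlsa_record(CERT_CA, 2, 1, 1))
    print(renewal_stability(CERT_OLD, CERT_RENEWED_SAME_KEY))   # 3 1 x survive
    print(renewal_stability(CERT_OLD, CERT_RENEWED_NEW_KEY))    # nothing survives
```

The `renewal_stability` output is the whole argument of the thread in one line: with the key reused, only the selector-1 forms (3 1 1, 3 1 2) keep matching, while the full-certificate forms (3 0 x) break on every renewal because the serial number and validity change. For a real certificate, the selector-1 SHA-256 digest this code produces is the same value `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints, which is a handy cross-check before publishing a record.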

mdecimus commented 4 months ago

Hi Marco,

The webadmin will include all options, but you can decide which ones to add to your DNS server.

marcoxyz123 commented 3 months ago

> Hi Marco,
>
> The webadmin will include all options, but you can decide which ones to add to your DNS server.

Maybe for the "not so expert" admins, the ones that are recommended or minimally required could be marked green ;-).

mdecimus commented 3 months ago

This will be added to the documentation. But once dynamic DNS updates are implemented I was thinking about hiding all the extra TLSA records under a "Show All" checkbox or something.

marcoxyz123 commented 3 months ago

> This will be added to the documentation. But once dynamic DNS updates are implemented I was thinking about hiding all the extra TLSA records under a "Show All" checkbox or something.

That makes sense. I saw you changed the bug to an enhancement for the technical domains (#463).

Kind regards, Marco