Letsencrypt renew-hook

john john at klam.ca
Wed Apr 26 18:29:35 CEST 2017


I have been working on a renew-hook for letsencrypt/certbot.

The idea was that it would generate new TLSA records when the 
certificates were updated, automatically install them and automatically 
remove the old ones after a suitable delay.

While I was putting it together I made some assumptions about the 
environment that TLSA records would be found in, in particular the DNS 
configuration. It seems I am probably wrong.

Is an automatic TLSA update system worth doing? Are the prerequisites 
that I think might make it work too onerous? E.g. Linux servers, need 
SRV records in order to determine the port and host for each TLSA record.

John A
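As an added illustration of the three pieces the post describes (deriving TLSA owner names from SRV data, building the record for a renewed key, and delaying removal of the superseded record), here is example Python that is not John's hook and not part of the original message. It assumes the hook already has the renewed certificate's SubjectPublicKeyInfo in DER form (the `SAMPLE_SPKI_DER` bytes below are constructed, not a real key), publishes DANE-EE records of the form `3 1 1 <sha256>`, and, as an assumption chosen here, keeps the old record for twice the zone TTL before deleting it; all function names are hypothetical.

```python
import hashlib

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo. A real hook
# would pull this out of the renewed certificate, e.g.
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
SAMPLE_SPKI_DER = b"constructed-spki-bytes-for-illustration-only"


def spki_digest(spki_der: bytes) -> str:
    """SHA-256 of the SubjectPublicKeyInfo DER, lowercase hex (matching type 1)."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_rdata(spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format RDATA for a TLSA record (RFC 6698).

    Only selector 1 (SubjectPublicKeyInfo) with matching type 1 (SHA-256) is
    implemented, the combination a renew hook would normally publish.
    """
    if (selector, mtype) != (1, 1):
        raise ValueError("this example only supports selector 1 / matching type 1")
    if usage not in (0, 1, 2, 3):
        raise ValueError("usage must be 0..3")
    return f"{usage} {selector} {mtype} {spki_digest(spki_der)}"


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name for the TLSA record of one service: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def owners_from_srv(srv_records):
    """Turn SRV (target, port, proto) tuples into the set of TLSA owner names.

    This is the step the post says needs SRV records: without them the hook
    cannot know which host and port each TLSA record must be published under.
    """
    return sorted({tlsa_owner(target, port, proto) for target, port, proto in srv_records})


def plan_rollover(published, desired, ttl_seconds, now):
    """Decide what to add now and what to remove later.

    published: {owner: set of RDATA strings currently in the zone}
    desired:   {owner: RDATA string for the renewed key}
    now:       current time as Unix epoch seconds
    Returns (to_add, to_remove). Each to_remove entry carries the earliest
    epoch time at which the superseded record may be deleted. The 2 x TTL
    delay is an assumption made for this example: by then every resolver
    cache built from the old answer has expired, so dropping the old record
    cannot break a client that is still validating against it.
    """
    remove_after = 2 * ttl_seconds
    to_add, to_remove = [], []
    for owner, new_rdata in desired.items():
        current = published.get(owner, set())
        if new_rdata not in current:
            to_add.append((owner, new_rdata))
        for old in sorted(current - {new_rdata}):
            to_remove.append((owner, old, now + remove_after))
    return to_add, to_remove


if __name__ == "__main__":
    owner = tlsa_owner("mail.example.com", 25)
    new = tlsa_rdata(SAMPLE_SPKI_DER)
    old = "3 1 1 " + "a" * 64  # constructed previous record
    add, remove = plan_rollover({owner: {old}}, {owner: new}, 3600, now=1493224175)
    print("add now:", add)
    print("remove later:", remove)
```

The ordering matters for DANE: the new record goes into the zone (and the zone is re-signed) before the renewed certificate is deployed to the service, and the old record is only deleted once caches can no longer hold it; `plan_rollover` only emits the schedule, so the hook still needs a timer or cron entry to act on the removal times.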


