Letsencrypt renew-hook

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Apr 26 19:01:37 CEST 2017


> On Apr 26, 2017, at 12:29 PM, john <john at klam.ca> wrote:
> 
> Is an automatic TLSA update system worth doing?

Portability across multiple deployment architectures may be difficult,
so a tool for the public is difficult.  It is certainly worth doing for
your own private deployment.

> Linux servers, need SRV records in order to determine the port and host for each TLSA record.

For SMTP the port is always 25, and the hostnames come from the MX records,
and you already need the hostnames for the certificate.

For XMPP, indeed the hostnames and ports may come from the appropriate SRV
records.  Once again, you'll need the hostnames to obtain the requisite
certificates, with or without TLSA records in the picture.

Of course the hostnames could be in a separate configuration file, and be
used to manage all of the underlying configurations:

	* Generate the SRV and MX records
	* Configure certbot
	* Automate TLSA record creation

all from a single primary source managed by the administrator.

-- 
	Viktor.
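The "single primary source" idea above, as an added example that is not part of the original thread: one hypothetical deployment description (zone, MX hosts, XMPP SRV targets) drives the MX, SRV and TLSA records, and a small check tells a renew hook whether the published DANE-EE(3) SPKI(1) SHA-256(1) record still matches the key now in use. The SubjectPublicKeyInfo bytes are constructed placeholders; in a real hook they would be extracted from the freshly issued certificate (for example with `openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER`). Hostnames, ports and the layout of the `DEPLOYMENT` dict are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each host's
# certificate. Real hooks read these from the certificate certbot just issued.
SPKI_BY_HOST = {
    "mx1.example.com.": b"constructed-spki-mx1-" + bytes(range(64)),
    "mx2.example.com.": b"constructed-spki-mx2-" + bytes(range(64, 128)),
    "xmpp.example.com.": b"constructed-spki-xmpp-" + bytes(range(128, 192)),
}

# Hypothetical single primary source managed by the administrator:
# SMTP is always port 25 on the MX hosts; XMPP ports come from SRV records.
DEPLOYMENT = {
    "zone": "example.com.",
    "mx": [("mx1.example.com.", 10), ("mx2.example.com.", 20)],
    "srv": [
        ("_xmpp-client._tcp", "xmpp.example.com.", 5222),
        ("_xmpp-server._tcp", "xmpp.example.com.", 5269),
    ],
}


def tlsa_rdata(spki_der, usage=3, selector=1, matching=1):
    """Render TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256)."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{usage} {selector} {matching} {digest}"


def tlsa_owner(host, port, proto="tcp"):
    """Owner name for a TLSA record: _port._proto.host (host is a FQDN with trailing dot)."""
    return f"_{port}._{proto}.{host}"


def generate_records(deployment, spki_by_host):
    """Derive MX, SRV and TLSA records from the one deployment description."""
    zone = deployment["zone"]
    records = []
    for host, priority in deployment["mx"]:
        records.append(f"{zone} IN MX {priority} {host}")
        records.append(f"{tlsa_owner(host, 25)} IN TLSA {tlsa_rdata(spki_by_host[host])}")
    for service, host, port in deployment["srv"]:
        # Priority 0, weight 5 are arbitrary constructed values for the example.
        records.append(f"{service}.{zone} IN SRV 0 5 {port} {host}")
        records.append(f"{tlsa_owner(host, port)} IN TLSA {tlsa_rdata(spki_by_host[host])}")
    return records


def tlsa_matches(published_rdata, spki_der):
    """Renew-hook check: does the TLSA rdata already in DNS match the live key?

    A False result means the record must be republished (and the old one kept
    until the new record's TTL has propagated) before the new certificate is
    put into service, otherwise DANE-validating peers will reject the server.
    """
    expected = tlsa_rdata(spki_der)
    return hmac.compare_digest(published_rdata.strip().lower(), expected)


if __name__ == "__main__":
    for record in generate_records(DEPLOYMENT, SPKI_BY_HOST):
        print(record)
    current = tlsa_rdata(SPKI_BY_HOST["mx1.example.com."])
    print("mx1 record up to date:", tlsa_matches(current, SPKI_BY_HOST["mx1.example.com."]))
```

The check matters because certbot, by default, generates a fresh private key on each renewal, so the SPKI digest in a "3 1 1" record changes even though the hostnames do not; the hook should compare before swapping the certificate in and publish the new TLSA record (alongside the old one) first.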


