Letsencrypt & TLSA - automation
ietf-dane at dukhovni.org
Sun Feb 19 20:23:52 CET 2017
> On Feb 19, 2017, at 2:02 PM, Damien Goutte-Gattat <dgouttegattat at incenp.org> wrote:
> `m4_esyscmd(openssl x509 -in $1 -pubkey -noout | \
> openssl rsa -pubin -outform DER | \
> openssl dgst -sha256 -binary | \
> openssl enc -base64)')
> _443._tcp.example.com. IN TLSA 3 1 1 SPKI_DGST(/path/to/web/cert)
> _25._tcp.mail.example.com. IN TLSA 3 1 1 SPKI_DGST(/path/to/mail/cert)
Are you sure that base64 works in this context??? The presentation
format for TLSA records is hex encoded. I use:
hexdump -ve '/1 "%02X"'
where you're using "openssl enc -base64"
> (The manual for GNU M4 contains a warning that M4 can be "fairly addictive" and that its users tend to use it everywhere; I'm afraid that's true.)
Long ago I too was an m4 addict, but then I kicked the habit... :-)
That said, this implementation looks sensible.
More information about the dane-users