Letsencrypt & TLSA - automation

Mike Cardwell dane at lists.grepular.com
Mon Feb 20 08:25:05 CET 2017

How do you intend to deal with the DNS caching issues? I.e, that you
need to renew the SSL cert and then publish it in the DNS for at least
one TTL before actually putting the cert in to production.


* on the Sun, Feb 19, 2017 at 01:20:52PM -0500, John Allen wrote:

> Attached is a bash script that I am developing to automate the generation of
> TLSA records from Letsencrypt certificates.
> the script is called from the certbot renew hook, it can also be run stand
> alone - Certbot_TLSAgen path-to-certificate "space separated list of domains
> included in cert"
> It seems to work, but would some kind sole take a look and where I have or
> are about to screw up.
> Any suggestions as to how to get the output into my DNS (Bind9) preferably
> without using nsupdate. I am not keen on nsupdate as it makes a mess of the
> zone files, which I use as documentation for my DNS.
> Has anybody heard of a electronic "one time pad" system.

Mike Cardwell  https://www.grepular.com
OpenPGP Key    DF70 D8E5 FBD6 8519 9257  C44C 0DA6 8B1E 1801 A332
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: Digital signature
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20170220/f2416b5d/attachment.asc>

More information about the dane-users mailing list