tlsa binary fails with certificate error

Hoggins! fuckspam at
Sun May 13 10:55:53 CEST 2018

Hello list,

Not sure this is the right place to post, maybe I'd better mail the
maintainer of the package, but you might have encountered the same issue.

I've always published TLSA records for my domains/subdomains, and using
an automated (Cron) job to do this, invoking the tlsa script (provided
by the hash-slinger package on my Fedora machines).

Now for about a few weeks now, the tlsa script fails, complaining with
the following error message:

    Could not verify local certificate: no start line.
    Traceback (most recent call last):
      File "/usr/bin/tlsa", line 889, in <module>
        genRecords(, args.protocol, args.port, chain,
    args.output, args.usage, args.selector, args.mtype)
    NameError: name 'chain' is not defined

I'm using LetsEncrypt for my certificates, and I can't see what changed
recently. I'm running the tlsa script against a concatenated
(intermediate + domain certificate) PEM file, and it has always worked
just fine.

During my investigations, I found that an "openssl verify" will fail on
the file, saying "unable to get local issuer certificate". I have no way
to tell if this has always failed, or if this is new behavior.

I'd be glad to hear if you have any thoughts about my issue.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the dane-users mailing list