DNS TLSA RR record (for HTTPS)

box · June 24, 2018, 5:30pm

I have been trying to find out how to “Generate TLSA Record” for 443 according to this website manual

it is possible via https://www.huque.com/bin/gen_tlsa

But, in -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw-r–r-- 1 root -rw------- 1 root -rw------- 1 root -rw-r–r-- 1 root drwxr-xr-x 3 root -rw------- 1 root -rw------- 1 root -rw------- 1 root -rw------- 1 root lrwxrwxrwx 1 root -rw------- 1 root my /home/user-data/ssl/ i see:
root 3449 Oct 5 2017 2nddomain.co.uk-20180103-9116b93c.pem
root 3437 Sep 29 2017 3rddomain.cz-20171227-688a4728.pem
root 3437 Oct 9 2017 5thdomain.uk-20180107-08f8ecbb.pem
root 3462 Oct 8 2017 6thdomain.me.uk-20180106-5cd58bb3.pem
root 3486 Sep 28 2017 box.domain.name-20171227-9b83b29b.pem
root 3795 Dec 14 2017 box.domain.name-20180314-21457a93.pem
root 3795 Feb 28 03:05 box.domain.name-20180529-15f6ad51.pem
root 4148 May 16 03:01 box.domain.name-20180814-a8ae6470.pem
root 993 Sep 28 2017 box.domain.name-selfsigned-20170928.pem
root 3453 Mar 28 11:42 7thdomain.wiki-20180626-90ca47fb.pem
root 3807 Jun 13 03:01 7thdomain.wiki-20180911-09c9eef5.pem
root 424 Sep 28 2017 dh2048.pem
root 6 Sep 28 2017 lets_encrypt/
root 3462 Sep 29 2017 8thdomain.club-20171227-8d5b6b65.pem
root 3462 Oct 9 2017 9thdomain.club-20180107-7bc1d594.pem
root 3457 Oct 8 2017 10thdomain.eu-20180106-dbb23d2f.pem
root 3457 Sep 28 2017 11thdomain.uk-20171227-e050e62d.pem
root 57 May 16 03:01 ssl_certificate.pem -> /home/user-data/ssl/box.domain.name-20180814-a8ae6470.pem
root 1675 Sep 28 2017 ssl_private_key.pem

so for example when I use the certificat from 3rddomain.cz-20171227-688a4728.pem
to generate TLSA Record it shows expired cert for that domain name …

Since I have read somewhere here that @JoshData is rewriting the cert script, could we have TLSA Records automatically generated for all domains instead only for “box.domain.name”, see below?

_25._tcp.box.domain.name TLSA 3 1 1 1a1cca2b952284703c4cfb8f4960c9a49c7443aa1cca4dd0bdad40801aa85a39
Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used.

_443._tcp.box.domain.name TLSA 3 1 1 1a1cca2b952284703c4cfb8f4960c9a49c7443aa1cca4dd0bdad40801aa85a39
Optional. When DNSSEC is enabled, provides out-of-band HTTPS certificate validation for a few web clients that support it.

system · August 24, 2018, 5:30pm

This topic was automatically closed after 61 days. New replies are no longer allowed.