I have been trying to find out how to “Generate TLSA Record” for 443 according to this website manual.
It is possible via https://www.huque.com/bin/gen_tlsa
But in my /home/user-data/ssl/ I see:
-rw------- 1 root root 3449 Oct 5 2017 2nddomain.co.uk-20180103-9116b93c.pem
-rw------- 1 root root 3437 Sep 29 2017 3rddomain.cz-20171227-688a4728.pem
-rw------- 1 root root 3437 Oct 9 2017 5thdomain.uk-20180107-08f8ecbb.pem
-rw------- 1 root root 3462 Oct 8 2017 6thdomain.me.uk-20180106-5cd58bb3.pem
-rw------- 1 root root 3486 Sep 28 2017 box.domain.name-20171227-9b83b29b.pem
-rw------- 1 root root 3795 Dec 14 2017 box.domain.name-20180314-21457a93.pem
-rw------- 1 root root 3795 Feb 28 03:05 box.domain.name-20180529-15f6ad51.pem
-rw------- 1 root root 4148 May 16 03:01 box.domain.name-20180814-a8ae6470.pem
-rw-r--r-- 1 root root 993 Sep 28 2017 box.domain.name-selfsigned-20170928.pem
-rw------- 1 root root 3453 Mar 28 11:42 7thdomain.wiki-20180626-90ca47fb.pem
-rw------- 1 root root 3807 Jun 13 03:01 7thdomain.wiki-20180911-09c9eef5.pem
-rw-r--r-- 1 root root 424 Sep 28 2017 dh2048.pem
drwxr-xr-x 3 root root 6 Sep 28 2017 lets_encrypt/
-rw------- 1 root root 3462 Sep 29 2017 8thdomain.club-20171227-8d5b6b65.pem
-rw------- 1 root root 3462 Oct 9 2017 9thdomain.club-20180107-7bc1d594.pem
-rw------- 1 root root 3457 Oct 8 2017 10thdomain.eu-20180106-dbb23d2f.pem
-rw------- 1 root root 3457 Sep 28 2017 11thdomain.uk-20171227-e050e62d.pem
lrwxrwxrwx 1 root root 57 May 16 03:01 ssl_certificate.pem -> /home/user-data/ssl/box.domain.name-20180814-a8ae6470.pem
-rw------- 1 root root 1675 Sep 28 2017 ssl_private_key.pem
So, for example, when I use the certificate from 3rddomain.cz-20171227-688a4728.pem
to generate a TLSA Record it shows an expired cert for that domain name …
Since I have read somewhere here that @JoshData is rewriting the cert script, could we have TLSA Records automatically generated for all domains instead of only for “box.domain.name”, see below?
_25._tcp.box.domain.name TLSA 3 1 1 1a1cca2b952284703c4cfb8f4960c9a49c7443aa1cca4dd0bdad40801aa85a39
Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used.
_443._tcp.box.domain.name TLSA 3 1 1 1a1cca2b952284703c4cfb8f4960c9a49c7443aa1cca4dd0bdad40801aa85a39
Optional. When DNSSEC is enabled, provides out-of-band HTTPS certificate validation for a few web clients that support it.
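Worked example, added here and not part of the original post or of Mail-in-a-Box itself: it derives the `3 1 1` record shown above (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256) from a PEM file with a minimal DER walk, and reads notAfter first so that an expired certificate, the problem described in the post, is flagged before the pin is published. It hashes the first CERTIFICATE block in the file; the certificate at the bottom is a constructed sample with a dummy key, not a real one.

```python
import base64
import hashlib
from datetime import datetime, timezone

def der_tlv(data, pos=0):                         # one DER element at data[pos] -> (tag, value, end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(body):                           # SEQUENCE body -> [(tag, raw_tlv, inner_value), ...]
    out, pos = [], 0
    while pos < len(body):
        tag, inner, end = der_tlv(body, pos)
        out.append((tag, body[pos:end], inner))
        pos = end
    return out

def der_encode(tag, value):                       # only used to build the constructed sample below
    n, nb = len(value), (len(value).bit_length() + 7) // 8
    return bytes([tag, n]) + value if n < 0x80 else bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value

def tlsa_3_1_1(pem_text):
    """Return (SHA-256 hex of SubjectPublicKeyInfo, notAfter) for the FIRST cert in a PEM file."""
    b64 = pem_text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    _, cert, _ = der_tlv(base64.b64decode("".join(b64.split())))   # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                                       # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version; then the order is
        fields = fields[1:]                        # serial, signature, issuer, validity, subject, SPKI
    tag, _, t = der_children(fields[3][2])[1]      # validity.notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return hashlib.sha256(fields[5][1]).hexdigest(), not_after   # digest covers the whole SPKI TLV

def tlsa_record(owner, port, pem_text):            # usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256
    return f"_{port}._tcp.{owner} TLSA 3 1 1 {tlsa_3_1_1(pem_text)[0]}"

def is_expired(pem_text, now=None):                # check this first: pinning an expired leaf is the error in the post
    return tlsa_3_1_1(pem_text)[1] < (now or datetime.now(timezone.utc))

# Constructed sample (not a real certificate): correct DER layout, dummy EC SPKI, notAfter 2017-12-27.
_seq = lambda *parts: der_encode(0x30, b"".join(parts))
_spki = _seq(_seq(der_encode(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")), der_encode(0x03, b"\x00" + b"\x04" * 65))
_tbs = _seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"), _seq(), _seq(),
            _seq(der_encode(0x17, b"170928000000Z"), der_encode(0x17, b"171227000000Z")), _seq(), _spki)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_seq(_tbs, _seq(), der_encode(0x03, b"\x00"))).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_SPKI_SHA256 = hashlib.sha256(_spki).hexdigest()
```

To use it on the box, pass `open("/home/user-data/ssl/<file>.pem").read()` as `pem_text`, using each domain's own .pem from the listing rather than ssl_certificate.pem, and only publish the line when `is_expired` returns False.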