Does dehydrated support TLSA record generation? #391

Closed
opened 2025-12-29 01:24:21 +01:00 by adam · 4 comments

Originally created by @andreasschulze on GitHub (Dec 12, 2018).

When using ACME to issue certificates for mail servers, one may want to publish TLSA records too.
The general timeline would be:

  • generate a new private key + req
  • issue new cert
  • calculate the TLSA-Record data (TLSA Mode 3 3 1)
  • put these data into DNS
  • make sure, the published TLSA Record data are globally visible
  • wait at least the TLSA Record's TTL so the old data will have expired
  • deploy the new cert

Is there a suggested way to implement a similar behaviour with the current version (0.6.2)?

adam closed this issue 2025-12-29 01:24:21 +01:00

@txr13 commented on GitHub (Dec 12, 2018):

Seems this would be better implemented in a hook script’s deploy_cert function.


@jobe1986 commented on GitHub (Dec 12, 2018):

The following site gives a little useful info on using openssl commands to generate the values for TLSA records (for the public key only) but that alone should give you hints on what to do for the full certs too:
https://blog.tyk.nu/blog/generating-tlsa-records-with-openssl/


@esclear commented on GitHub (Dec 16, 2018):

You might want to take a look at [DHANE](https://github.com/alainwolf/DHANE).

@lukas2511 commented on GitHub (Jan 18, 2019):

I also think this doesn't belong directly into dehydrated, but rather into an external hook-script. Thanks for the idea anyway.

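A hook sketch that follows the rollover timeline in the opening post and the deploy_cert suggestion from txr13, added here as an example (it is not dehydrated's own code nor from anyone in this thread). It assumes openssl and dig are installed; the `_25._tcp` owner name is an assumption, and the record is only checked against DNS, not published.

```shell
#!/usr/bin/env bash
# Added example, not part of dehydrated or this issue: helpers a dehydrated hook
# can use to derive TLSA "3 1 1" / "3 0 1" data from the issued certificate and
# check that the data is already visible in DNS before the cert goes live.
# Assumes openssl and dig are on PATH; the _25._tcp owner name is an assumption.

# Lowercase hex SHA-256 of the DER bytes on stdin.
sha256_hex() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# "3 1 1": DANE-EE, SubjectPublicKeyInfo, SHA-256. Only changes when the key
# changes, so a key-preserving renewal needs no DNS change at all.
tlsa_3_1_1() {
    printf '3 1 1 %s' "$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | sha256_hex)"
}

# "3 0 1": DANE-EE, full certificate, SHA-256. Changes on every renewal.
tlsa_3_0_1() {
    printf '3 0 1 %s' "$(openssl x509 -in "$1" -outform DER | sha256_hex)"
}

# Succeeds if record data $2 is already served for owner name $1.
# dig may split the hex with spaces and print it in upper case; normalise both sides.
tlsa_published() {
    local want got
    want=$(printf '%s' "$2" | tr -d ' ')
    got=$(dig +short TLSA "$1" 2>/dev/null | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$got" | grep -qx "$want"
}

# dehydrated calls deploy_cert with these positional arguments once a cert is issued.
deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
    local owner="_25._tcp.${DOMAIN}" record
    record=$(tlsa_3_1_1 "${CERTFILE}")
    if tlsa_published "${owner}" "${record}"; then
        echo "TLSA for ${DOMAIN} already published, safe to switch: ${record}"
    else
        echo "WARNING: ${owner} does not yet serve '${record}'." >&2
        echo "Publish it, wait out the old record's TTL, then switch the mail server." >&2
    fi
}
```

Because dehydrated runs deploy_cert as soon as the certificate is issued, the warning branch is where the "publish, wait TTL, then deploy" gap from the timeline above has to be handled (for instance by keeping the old certificate in place until the check passes).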
Reference: starred/dehydrated#391