# prolo-tlsa

Generate TLSA records from Let's Encrypt certificates and optionally publish them to DNS via the Prolocation API.

## Description

This Python package generates TLSA records for DNS-based Authentication of Named Entities (DANE) from X.509 certificates issued by Let's Encrypt. It uses OpenSSL to extract the Subject Public Key Info (SPKI) in DER form and computes its SHA-256 digest, which yields records of the form `<usage> 1 1 <hex digest>` (selector 1 = SPKI, matching type 1 = SHA-256). Optionally, it publishes the generated TLSA records directly to the Prolocation DNS API.

The package is intended for sysadmins and developers who run TLS services protected by DANE.

## Features

- Generate TLSA records for the end-entity certificate (usage 3, DANE-EE) and for its issuer (usage 2, DANE-TA).
- Custom port and protocol (default: 25/tcp for SMTP).
- Automatic DNS zone detection, preferring the deepest matching sub-zone.
- Safe publishing (no duplicates): existing TLSA records for the owner name are removed before the new ones are added.
- CLI interface with logging.

## Installation

### From Source

Clone the repository and install:

```bash
git clone https://git.fabianvk.nl/faab/prolo-tlsa.git
cd prolo-tlsa
pip install .
```

### Dependencies

- Python >= 3.8
- `requests` (installed automatically)
- OpenSSL command-line tool (for certificate processing)

## Usage

### Command Line

Generate TLSA records for a hostname:

```bash
prolo-tlsa example.com
```

The output consists of the TLSA record values (e.g. `3 1 1 abc123...`).

To publish to DNS (requires an API key):

```bash
export PROLOCATION_API_KEY="your-api-key"
prolo-tlsa example.com --publish --port 443 --protocol tcp
```

Rollover caveat: because publishing replaces the existing TLSA records in a single step, resolvers that still hold the old record in cache will validate the new certificate against the old digest until the record's TTL expires. If a renewal produces a new key, the `3 1 1` record changes with it; to keep the SPKI digest stable across renewals, renew with a reused key (for certbot, `--reuse-key`), or rely on the usage 2 issuer record, which only changes when Let's Encrypt changes its intermediate.

### Options

- `hostname`: The hostname to generate records for.
- `--publish`: Publish the records to the Prolocation DNS API.
- `--port`: Port number for the TLSA record (default: 25).
- `--protocol`: Protocol for the TLSA record (default: tcp).
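As an added, self-contained illustration of what the tool computes (example code written for this page, not part of prolo-tlsa, and it does not shell out to OpenSSL): the functions below walk the DER structure of a certificate to extract the subjectPublicKeyInfo, hash it, and assemble both the TLSA RDATA and the `_port._proto.hostname` owner name that the `--port`/`--protocol` options select. The certificate it runs on is constructed inside the block (a structurally valid DER certificate with a placeholder EC key and a dummy signature, not a Let's Encrypt certificate), so it runs offline with the standard library only. On a real system, pass the contents of `cert.pem` (or `chain.pem` for the usage 2 issuer record) to `pem_to_der`; the function names and the sample OIDs are this example's own choices.

```python
import base64
import hashlib
import re


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used to build the constructed sample certificate below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first certificate in a PEM file (cert.pem, or chain.pem for the issuer)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(der: bytes) -> bytes:
    """Raw DER of subjectPublicKeyInfo, the data hashed for TLSA selector 1."""
    tag, pos, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = _read_tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, end = _read_tlv(der, pos)              # version [0] EXPLICIT is optional (absent in v1)
    if tag == 0xA0:
        pos = end
    for _field in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(der, pos)
    tag, _, end = _read_tlv(der, pos)              # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return der[pos:end]


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """TLSA RDATA: 'usage selector matching-type certificate-association-data' (RFC 6698)."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("invalid TLSA parameters")
    data = extract_spki(der) if selector == 1 else der   # selector 0 = full certificate
    if matching == 0:
        assoc = data.hex()                         # exact match, no hash
    elif matching == 1:
        assoc = hashlib.sha256(data).hexdigest()
    else:
        assoc = hashlib.sha512(data).hexdigest()
    return f"{usage} {selector} {matching} {assoc}"


def tlsa_owner_name(hostname: str, port: int = 25, protocol: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{protocol.lower()}.{hostname.rstrip('.')}"


# --- Constructed sample (not a real certificate; placeholder key, dummy signature) ---
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1
OID_P256 = bytes.fromhex("2a8648ce3d030107")           # 1.2.840.10045.3.1.7
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_EC_PUBKEY) + _tlv(0x06, OID_P256))
                   + _tlv(0x03, b"\x00\x04" + bytes(range(64))))   # placeholder EC point


def build_sample_cert(with_version: bool = True) -> bytes:
    """Assemble a structurally valid v3 (or v1, if with_version=False) DER certificate."""
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""  # version v3
    tbs += _tlv(0x02, b"\x01")                                      # serialNumber
    tbs += alg                                                      # signature algorithm
    tbs += _tlv(0x30, b"")                                          # issuer (empty Name)
    tbs += _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs += _tlv(0x30, b"")                                          # subject (empty Name)
    tbs += SAMPLE_SPKI
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" + bytes(32)))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = der_to_pem(build_sample_cert())
SAMPLE_SPKI_SHA256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(tlsa_owner_name("mail.example.com"), "IN TLSA", tlsa_rdata(der, usage=3))
```

The DER walk deliberately skips fields by length rather than decoding them, which is all that is needed to reach the SPKI; it handles both v1 certificates (no `[0]` version field) and v3 ones. The same `extract_spki` applied to the first certificate in `chain.pem` gives the data for a usage 2 record, and `tlsa_owner_name` is where `--port`/`--protocol` end up in the zone.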
### Python Module

Import and use programmatically:

```python
from pathlib import Path

from prolo_tlsa import generate_tlsa_for_cert, get_api_key, publish_tlsa_records

# Example: generate a usage 3 (DANE-EE) record for a certificate file
tlsa = generate_tlsa_for_cert(Path("/path/to/cert.pem"), usage=3)
```

## Assumptions

- Certificates are located at `/etc/letsencrypt/live//cert.pem` and `/etc/letsencrypt/live//chain.pem`.
- For publishing, the `PROLOCATION_API_KEY` environment variable must be set.

## License

MIT License

## Contributing

Issues and pull requests are welcome at: https://git.fabianvk.nl/faab/prolo-tlsa

## Author

Fabian van Keulen