prolo-tlsa

Generate TLSA records from Let's Encrypt certificates and optionally publish to DNS via Prolocation API.

Description

This Python package generates TLSA records for DNS-based Authentication of Named Entities (DANE) using X.509 certificates from Let's Encrypt. It employs OpenSSL to compute the SHA-256 hash of the DER-encoded Subject Public Key Info (SPKI), which corresponds to selector 1 and matching type 1 in TLSA terms.

Optionally, it can publish the generated TLSA records directly to the Prolocation DNS API.

The package is designed for sysadmins and developers managing secure TLS connections with DANE.

Features

  • Generate TLSA records for end-entity (usage 3) and issuer (usage 2) certificates.
  • Support for custom port and protocol (default: 25/tcp for SMTP).
  • Automatic DNS zone detection, preferring the deepest sub-zone.
  • Safe publishing: removes existing TLSA records before adding new ones.
  • CLI interface with logging.
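The record derivation described above (SHA-256 over the DER-encoded SPKI, published under `_port._protocol.hostname`) and the "deepest sub-zone" selection from the feature list, shown as an added example. This is not prolo-tlsa's own code and it does not call OpenSSL: it walks the certificate's DER structure with the standard library only, so the bytes it hashes are exactly those `openssl x509 -pubkey | openssl pkey -pubin -outform DER` would emit. The certificate it runs on is a constructed, unsigned skeleton with a placeholder key, built inline so the example runs offline; `tlsa_matches` and `select_zone` are assumed helper names, not functions of the package.

```python
"""Added example (not prolo-tlsa's own code): derive the TLSA owner name and
RDATA for a certificate with the standard library only, and choose the deepest
DNS zone for a hostname.  The certificate built below is a constructed, unsigned
skeleton for the demo, not a real Let's Encrypt certificate."""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(der: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, header_len, content_len)."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F  # long form: the next n bytes hold the length
    return tag, 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def _children(der: bytes, pos: int):
    """Yield (tag, start, end) for every element inside the constructed TLV at pos."""
    _, hlen, clen = _tlv(der, pos)
    cur, end = pos + hlen, pos + hlen + clen
    while cur < end:
        t, h, c = _tlv(der, cur)
        yield t, cur, cur + h + c
        cur += h + c


def extract_spki(cert_der: bytes) -> bytes:
    """Return subjectPublicKeyInfo as DER, tag and length included: selector 1
    hashes exactly these bytes (what `openssl pkey -pubin -outform DER` emits)."""
    tbs_tag, tbs_start, _ = next(_children(cert_der, 0))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(cert_der, tbs_start))
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    skip = 1 if fields[0][0] == 0xA0 else 0
    _, start, end = fields[skip + 5]
    return cert_der[start:end]


def tlsa_rdata(cert_der: bytes, usage: int = 3) -> str:
    """'<usage> 1 1 <sha256>': usage 3 (DANE-EE) for cert.pem, 2 (DANE-TA) for chain.pem."""
    if usage not in (2, 3):
        raise ValueError("usage must be 2 (issuer) or 3 (end entity)")
    return f"{usage} 1 1 {hashlib.sha256(extract_spki(cert_der)).hexdigest()}"


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Monitoring check: does a published record still match the live certificate?"""
    usage, *_ = rdata.split()
    return usage in ("2", "3") and tlsa_rdata(cert_der, int(usage)) == " ".join(rdata.split()).lower()


def tlsa_owner(hostname: str, port: int = 25, protocol: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{protocol}.{hostname.rstrip('.')}."


def select_zone(hostname: str, zones) -> str:
    """Pick the deepest zone containing hostname (longest matching suffix)."""
    host = hostname.rstrip(".").lower()
    names = [z.rstrip(".").lower() for z in zones]
    matches = [z for z in names if host == z or host.endswith("." + z)]
    if not matches:
        raise LookupError(f"no zone found for {hostname}")
    return max(matches, key=len)


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: P-256 SPKI with a placeholder point (not a real key).
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201"))      # id-ecPublicKey
            + _der(0x06, bytes.fromhex("2A8648CE3D030107")))       # prime256v1
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00\x04" + b"\x11" * 64))
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG
            + _der(0x30, b"") * 3 + SAMPLE_SPKI)  # empty issuer/validity/subject
SAMPLE_CERT_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00\xaa\xbb"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(tlsa_owner("mail.example.com"), "IN TLSA", tlsa_rdata(der, usage=3))
    print("zone:", select_zone("mail.example.com", ["example.com", "mail.example.com"]))
```

Two points worth noting from the code: the usage-2 and usage-3 records differ only in the first field, so the same digest function serves both cert.pem and chain.pem, and `tlsa_matches` is the check to run after every renewal, since a Let's Encrypt renewal that rotates the key silently invalidates a published "3 1 1" record until DNS is updated.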

Installation

From Source

Clone the repository and install:

git clone https://git.fabianvk.nl/faab/prolo-tlsa.git
cd prolo-tlsa
pip install .

Dependencies

  • Python >= 3.8
  • requests (automatically installed)
  • OpenSSL (for certificate processing)

Usage

Command Line

Generate TLSA records for a hostname:

prolo-tlsa example.com

Output will be the TLSA record values (e.g., 3 1 1 abc123...).

To publish to DNS (requires API key):

export PROLOCATION_API_KEY="your-api-key"
prolo-tlsa example.com --publish --port 443 --protocol tcp

Options

  • hostname: The hostname to generate records for.
  • --publish: Publish records to Prolocation DNS API.
  • --port: Port number for TLSA record (default: 25).
  • --protocol: Protocol for TLSA record (default: tcp).

Python Module

Import and use programmatically:

from pathlib import Path
from prolo_tlsa import generate_tlsa_for_cert, get_api_key, publish_tlsa_records

# Example: generate a usage-3 (end-entity) record for a certificate file
tlsa = generate_tlsa_for_cert(Path("/path/to/cert.pem"), usage=3)

Assumptions

  • Certificates located at /etc/letsencrypt/live/<hostname>/cert.pem and /etc/letsencrypt/live/<hostname>/chain.pem.
  • For publishing: Set PROLOCATION_API_KEY environment variable.

License

MIT License

Contributing

Issues and pull requests welcome at: https://git.fabianvk.nl/faab/prolo-tlsa

Author

Fabian van Keulen f@bianvk.nl