# prolo-tlsa

Generate TLSA records from Let's Encrypt certificates and optionally publish them to DNS via the Prolocation API.

## Description

This Python package generates TLSA records for DNS-based Authentication of Named Entities (DANE) using X.509 certificates from Let's Encrypt. It uses OpenSSL to compute the SHA-256 hash of the DER-encoded Subject Public Key Info (SPKI).

Optionally, it can publish the generated TLSA records directly to the Prolocation DNS API.

The package is designed for sysadmins and developers managing secure TLS connections with DANE.

## Features

- Generate TLSA records for end-entity (usage 3) and issuer (usage 2) certificates.
- Support for custom port and protocol (default: 25/tcp for SMTP).
- Automatic DNS zone detection, preferring the deepest sub-zone.
- Safe publishing: removes existing TLSA records before adding new ones.
- CLI interface with logging.

## Installation

### From Source

Clone the repository and install:

```bash
git clone https://git.fabianvk.nl/faab/prolo-tlsa.git
cd prolo-tlsa
pip install .
```

### Dependencies

- Python >= 3.8
- `requests` (installed automatically)
- OpenSSL (for certificate processing)

## Usage

### Command Line

Generate TLSA records for a hostname:

```bash
prolo-tlsa example.com
```

The output is the TLSA record data (e.g., `3 1 1 abc123...`).

To publish to DNS (requires an API key):

```bash
export PROLOCATION_API_KEY="your-api-key"
prolo-tlsa example.com --publish --port 443 --protocol tcp
```

### Options

- `hostname`: The hostname to generate records for.
- `--publish`: Publish records to the Prolocation DNS API.
- `--port`: Port number for the TLSA record (default: 25).
- `--protocol`: Protocol for the TLSA record (default: tcp).

### Python Module

Import and use programmatically:

```python
from pathlib import Path

from prolo_tlsa import generate_tlsa_for_cert, get_api_key, publish_tlsa_records

# Example: generate a usage-3 (end-entity) record for a certificate file
tlsa = generate_tlsa_for_cert(Path("/path/to/cert.pem"), usage=3)
```
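For reference, this is what the record generation amounts to when done without shelling out to OpenSSL. It is an added example, not code from prolo-tlsa: it walks the certificate's DER to the SubjectPublicKeyInfo and hashes it (selector 1, matching type 1, as in the `3 1 1` output above), and the certificate it runs on is a constructed DER fixture, not a real Let's Encrypt certificate.

```python
"""Added example, not part of prolo-tlsa: build the '<usage> 1 1' TLSA rdata
(selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) that the package
obtains via OpenSSL.  SPKI is the TBSCertificate element after subject, so a
small DER walker is enough; no certificate parsing library is needed."""
import base64
import hashlib
import ssl

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:              # optional EXPLICIT [0] version (absent in v1)
        pos = _tlv(cert_der, pos)[2]
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed TBSCertificate")
    return cert_der[pos:end]

def spki_sha256(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()

def tlsa_record(cert_pem: str, usage: int = 3) -> str:
    """TLSA rdata as prolo-tlsa prints it, e.g. '3 1 1 <64 hex chars>'."""
    return f"{usage} 1 1 {spki_sha256(extract_spki(ssl.PEM_cert_to_DER_cert(cert_pem)))}"

# Constructed fixture (not a real certificate): only the DER shape matters here.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128)

SPKI_DER = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2B6570")))   # id-Ed25519
                      + _der(0x03, b"\x00" + bytes(range(32))))         # dummy key bits
_E = _der(0x30, b"")                       # stand-in for signature/issuer/validity/subject
TBS_V3 = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _E * 4 + SPKI_DER)
TBS_V1 = _der(0x30, _der(0x02, b"\x01") + _E * 4 + SPKI_DER)  # v1: no version field
CERT_DER = _der(0x30, TBS_V3 + _E + _der(0x03, b"\x00"))
CERT_V1_DER = _der(0x30, TBS_V1 + _E + _der(0x03, b"\x00"))
CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_DER).decode()
            + "-----END CERTIFICATE-----\n")
```

Running `tlsa_record(cert_pem)` on a real `/etc/letsencrypt/live/<hostname>/cert.pem` gives the same digest as the package's OpenSSL-based path; feeding it `chain.pem` with `usage=2` gives the issuer record.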

## Assumptions

- Certificates are located at `/etc/letsencrypt/live/<hostname>/cert.pem` and `/etc/letsencrypt/live/<hostname>/chain.pem`.
- For publishing: set the `PROLOCATION_API_KEY` environment variable.

## License

MIT License

## Contributing

Issues and pull requests welcome at: https://git.fabianvk.nl/faab/prolo-tlsa

## Author

Fabian van Keulen <f@bianvk.nl>