Administrators • Re: Let's Encrypt certificates - ca.pem (old certif) <-> commercial_3.pem

Hi,
I would like to share this documentation with you. It explains how to use "acme.sh" to create and update the linked Let's Encrypt certificates, create your DNS, and update the Resource Records with nsupdate.

I have included 2 personal scripts - It is mainly this information that I wish to share.

1 - "acme-certif-date_verification.bash", which allows you to check the dates of the certificates (local ones among others);
2 - "acme-certif-frontend.bash", which allows you to send/update TLS certificates on front ends, clusters and servers.

I just modified the "acme-certif-date_verification.bash" script so that it "nsupdates" the DANE RRset TLSA field on the port -> "_443._tcp.vhost.domain.tld" <- so only for HTTPS.

You need to create "another" script for the DANE TLSA fields on the protocol ports "smtp(s), imap(s), pop(s), LMTP(s) and LDAP(s)" for the mail servers. I'm sure you understand :)

Let's Encrypt SSL/TLS certificates with authoritative DNS / nsupdate - This can be used to stay up to date and secure.

Output example:

Code:

root@web:~ # /root/acme-certif-date_verification.bash
#-----------------------------------
Domain : lab3w.fr
#----------
Certificats SSL expiration date : samedi 23 septembre 2023, 23:51:07 (UTC+0200)
Certificats SSL expiration days : 46
Subject Alt Names : \
  +-> DNS:*.lab3w.com
  +-> DNS:*.lab3w.fr
  +-> DNS:lab3w.com
  +-> DNS:lab3w.fr
Certificat Signature check : \
  +- ECFFB8AEA0FF53484F21294E4F69C39CF34F4D7390CAAC66B8C8B0A50657EA50 -> Certificat signature
  +- ECFFB8AEA0FF53484F21294E4F69C39CF34F4D7390CAAC66B8C8B0A50657EA50 -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - OK
#-----------------------------------
Domain : zw3b.fr
#----------
Certificats SSL expiration date : vendredi 22 septembre 2023, 23:23:36 (UTC+0200)
Certificats SSL expiration days : 45
Subject Alt Names : \
  +-> DNS:api.zw3b.fr
  +-> DNS:howto.zw3b.fr
  +-> DNS:mailing.zw3b.fr
  +-> DNS:radio.zw3b.fr
  +-> DNS:www.zw3b.fr
  +-> DNS:zw3b.fr
Certificat Signature check : \
  +- C1A68D384582BC4A88EC7DB3492678B1B6A6E088036FD90306F4F47AF5B7332D -> Certificat signature
  +- C1A68D384582BC4A88EC7DB3492678B1B6A6E088036FD90306F4F47AF5B7332D -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - OK
#-----------------------------------
Domain : zw3b.tv
#----------
Certificats SSL expiration date : vendredi 22 septembre 2023, 23:24:59 (UTC+0200)
Certificats SSL expiration days : 45
Subject Alt Names : \
  +-> DNS:www.zw3b.tv
  +-> DNS:zw3b.tv
Certificat Signature check : \
  +- 742D5E938E928F0E7F9A87811E0CFE1BE399005E2B2CAC1BBB42971E656C25A3 -> Certificat signature
  +- 742D5E938E928F0E7F9A87811E0CFE1BE399005E2B2CAC1BBB42971E656C25A3 -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - OK
#-----------------------------------
Domain : zw3b.site
#----------
Certificats SSL expiration date : vendredi 20 octobre 2023, 23:33:51 (UTC+0200)
Certificats SSL expiration days : 73
Subject Alt Names : \
  +-> DNS:*.zw3b.site
  +-> DNS:zw3b.site
Certificat Signature check : \
  +- C894DD1ACD81BF4613E69927FB0F7539018165182BA2C4B5587D33A8C9D1E411 -> Certificat signature
  +- C894DD1ACD81BF4613E69927FB0F7539018165182BA2C4B5587D33A8C9D1E411 -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - OK
#-----------------------------------
Domain : zw3b.net
#----------
Certificats SSL expiration date : vendredi 22 septembre 2023, 23:24:08 (UTC+0200)
Certificats SSL expiration days : 45
Subject Alt Names : \
  +-> DNS:www.zw3b.net
  +-> DNS:zw3b.net
Certificat Signature check : \
  +- 992DB6977A23A379BA0378335C26E0855CAA4DEF20D9BC986EE947C6FA9719C9 -> Certificat signature
  +- 992DB6977A23A379BA0378335C26E0855CAA4DEF20D9BC986EE947C6FA9719C9 -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - OK
#-----------------------------------
Domain : zw3b.blog
#----------
Certificats SSL expiration date : samedi 23 septembre 2023, 23:51:42 (UTC+0200)
Certificats SSL expiration days : 46
Subject Alt Names : \
  +-> DNS:*.zw3b.blog
  +-> DNS:zw3b.blog
Certificat Signature check : \
  +- 13B178DBE595C90AF7B461C115B5B2E323AC6403CACB2BA1F62345669DF47F25 -> Certificat signature
  +- 13B178DBE595C90AF7B461C115B5B2E323AC6403CACB2BA1F62345669DF47F25 -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - OK
#-----------------------------------
Domain : zw3b.eu
#----------
Certificats SSL expiration date : mercredi 25 octobre 2023, 23:15:21 (UTC+0200)
Certificats SSL expiration days : 28
Subject Alt Names : \
  +-> DNS:*.zw3b.eu
  +-> DNS:zw3b.eu
Certificat Signature check : \
  +- 76B2ABF86AD5D7002B03BAE2C7474E42E6ECA5DC4625BCABFBF9577165784274 -> Certificat signature
  +- 122DB6977A23A379BA0378335C26E0855CAA4DEF20D9BC986EE947C6FA9719D7 -> Signature on DNS RR TLSA
   \
    +--> DNS RR TLSA (DANE) on Cerfificat Signature - NO OK
     \
      +--> Update your DNS RR TLSA (DANE) with "nsupdate" command
      |
      | ; example
      | server dns.ipv10.net
      | zone zw3b.eu
      | update del _443._tcp.www.zw3b.eu. 3600 TLSA
      | update add _443._tcp.www.zw3b.eu. 3600 IN TLSA 3 0 1 76B2ABF86AD5D7002B03BAE2C7474E42E6ECA5DC4625BCABFBF9577165784274
      | update del _443._tcp.zw3b.eu. 3600 TLSA
      | update add _443._tcp.zw3b.eu. 3600 IN TLSA 3 0 1 76B2ABF86AD5D7002B03BAE2C7474E42E6ECA5DC4625BCABFBF9577165784274
      | send
      +------------------------------------
#-----------------------------------
Domain : ipv10.net
#----------
Certificats SSL expiration date : samedi 23 septembre 2023, 23:49:51 (UTC+0200)
Certificats SSL expiration days : 46
Subject Alt Names : \
  +-> DNS:*.ipv01.net
  +-> DNS:*.ipv10.net
  +-> DNS:ipv01.net
  +-> DNS:ipv10.net
Certificat Signature check : \
  +- 924CACB8AB876888A3F07BDC9B6B6C39235502161991EECE5EC945174E91E07C -> Certificat signature
   \
    +--> NO DNS RR TLSA (DANE) on Cerfificat Signature.
#-----------------------------------
I would have to improve the query for the "wildcard 2 www" line of the "acme-certif-date_verification.bash" script, but hey, it's already there, it works.

Romain.

Statistics: Posted by LAB3W.ORJ — Thu Dec 14, 2023 9:52 pm
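The check the post's script performs, as an added example that is not the author's "acme-certif-date_verification.bash" and not part of the original post: a "3 0 1" TLSA record (DANE-EE, full certificate, SHA-256) carries the SHA-256 of the certificate's DER encoding, so the comparison is PEM -> DER -> hash against what DNS serves for `_443._tcp.<name>`, and when they differ the script prints the nsupdate batch shown in the output above. The certificate bytes and the DNS answers below are constructed stand-ins (any bytes hash the same way), the wildcard-to-www mapping is the assumption the post's output implies, and the name server and zone are the ones visible in the post's example; in production the answers would come from `dig TLSA +short`. Only selector 0 (full certificate) is implemented; selector 1 (SPKI) would need ASN.1 parsing.

```python
"""Check a certificate against DANE TLSA records and emit an nsupdate batch.

Added example, not the forum author's script. Mirrors RFC 6698 usage 3,
selector 0, matching type 1/2 ("3 0 1" = SHA-256 of the DER certificate).
"""
import base64
import hashlib
import re

TLSA_PREFIX = "_443._tcp."  # the post's script covers HTTPS only


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body, which is the DER encoding."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body.group(1).split()))


def tlsa_digest(der: bytes, matching_type: int = 1) -> str:
    """Matching type 1 = SHA-256, 2 = SHA-512 (RFC 6698); upper-case hex like the post's output."""
    algo = {1: hashlib.sha256, 2: hashlib.sha512}[matching_type]
    return algo(der).hexdigest().upper()


def parse_tlsa(rdata: str):
    """Parse one TLSA RDATA string as printed by `dig TLSA +short` (hex may be split into words)."""
    usage, selector, mtype, *digest = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(digest).upper()


def tlsa_owner(san: str) -> str:
    """Map a SAN to its TLSA owner name; a wildcard SAN is taken to cover www (assumption)."""
    if san.startswith("*."):
        san = "www." + san[2:]
    return TLSA_PREFIX + san + "."


def tlsa_matches(der: bytes, records) -> bool:
    """True if any served record is usage 3 / selector 0 and its digest equals the certificate's."""
    for rdata in records:
        usage, selector, mtype, digest = parse_tlsa(rdata)
        if usage == 3 and selector == 0 and mtype in (1, 2):
            if digest == tlsa_digest(der, mtype):
                return True
    return False


def nsupdate_batch(server: str, zone: str, owners, digest: str, ttl: int = 3600) -> str:
    """Build the nsupdate stdin that replaces the TLSA RRset of each stale owner name."""
    lines = [f"server {server}", f"zone {zone}"]
    for owner in owners:
        lines.append(f"update del {owner} {ttl} TLSA")
        lines.append(f"update add {owner} {ttl} IN TLSA 3 0 1 {digest}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def check_domain(pem: str, sans, dns_answers: dict, server: str, zone: str):
    """Return (all_ok, batch): batch is the nsupdate text for the stale owners, or '' if all match."""
    der = pem_to_der(pem)
    owners = list(dict.fromkeys(tlsa_owner(s) for s in sans))  # dedupe, keep order
    stale = [o for o in owners if not tlsa_matches(der, dns_answers.get(o, []))]
    if not stale:
        return True, ""
    return False, nsupdate_batch(server, zone, stale, tlsa_digest(der))


# Constructed sample data: a stand-in for a DER certificate and its PEM wrapping.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate, not a real one"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(re.findall(r".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SANS = ["*.zw3b.eu", "zw3b.eu"]  # SAN list as printed in the post's zw3b.eu section

# Constructed DNS answers in `dig +short` form; dig prints the hex split into two words.
_D = tlsa_digest(SAMPLE_DER)
GOOD_ANSWERS = {
    "_443._tcp.www.zw3b.eu.": ["3 0 1 " + _D[:56] + " " + _D[56:]],
    "_443._tcp.zw3b.eu.": ["3 0 1 " + _D.lower()],
}
STALE_ANSWERS = {
    "_443._tcp.www.zw3b.eu.": GOOD_ANSWERS["_443._tcp.www.zw3b.eu."],
    "_443._tcp.zw3b.eu.": ["3 0 1 " + "00" * 32],  # record left over from the previous certificate
}

if __name__ == "__main__":
    ok, batch = check_domain(SAMPLE_PEM, SAMPLE_SANS, STALE_ANSWERS, "dns.ipv10.net", "zw3b.eu")
    print("DNS RR TLSA (DANE) on certificate signature -", "OK" if ok else "NO OK")
    if batch:
        print(batch, end="")  # pipe this into `nsupdate -k <key>` to repair the stale RRset
```

Because the new TLSA record is published only for the owners whose served digest no longer matches, a run after a successful renewal leaves already-correct names untouched; the batch deletes the whole TLSA RRset of each stale owner before adding the new record, exactly as the post's output does, so an old digest never lingers next to the new one.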