![Page 1: cryptdomainmgr - automating Cert, TLSA, DKIM and many more · Basics SSL Certifcate TLSA CAA DNSSEC DANE { all steps MX SPF DKIM additional DNS records ... I locks certi cate to domain/DNS](https://reader033.vdocument.in/reader033/viewer/2022050105/5f4381682e0f92452a351229/html5/thumbnails/1.jpg)
EH19
cryptdomainmgr – automating Cert, TLSA, DKIM and many more
Stefan Helmert
https://www.entroserv.de/de/offene-software/cryptdomainmgr
20.04.2019

Content
Motivation
- fine
- not so fine
Basics
- SSL Certificate
- TLSA
- CAA
- DNSSEC
- DANE – all steps
- MX
- SPF
- DKIM
- additional DNS records
- DKIM – overview
Cryptdomainmgr
- dataflow
- autorenew process
- structure
Usage
- update cycle
- DNS credential
- Certificates
- DKIM
- Domain
Implementation
- cryptdomainmgr
- modules
- simpleloggerplus
- dnsuptools
Discussion

Motivation
→ let's make a web app ←
- DNS
- Webpage
- E-Mail
- Mailinglist
- and the s for security

DeMotivation
→ let's make a web app ←
- DNS: SOA, DNSSEC
- Webpage: HTTPS, Certificate, HSTS, SRV, TLSA
- E-Mail: Spam, DKIM, SPF, ADSP, DMARC, SRV
- Mailinglist: SRS, ARC

DeMotivation – fine
(slide image)

DeMotivation – not so fine
(slide image)

Basics – SSL Certificate
- authentication (phishing)
- integrity (man in the middle)
- privacy (spy)
→ certbot renew

Basics – TLSA
DANE – DNS-based Authentication of Named Entities
TLSA – Transport Layer Security Authentication
- locks certificate to domain/DNS (fraudulent CA, stolen cert)
→ to do

Basics – CAA
www.example
CAA: Let's Encrypt only
CAA – Certification Authority Authorization
- specifies allowed CA
- checked by CA

Basics – DNSSEC
DNSSEC – Domain Name System Security Extensions
- authenticate domain owner
- integrity (DNS cache poisoning)
- proof of nonexistence
→ done by domain provider

Basics – DANE – all steps
(diagram; actors: DNS, CA (Let's Encrypt), web server, client)
- DNS holds CAA = "Let's Encrypt"
- CA checks: CAA == "Let's Encrypt"?
- web server: new cert
- TLSA-recgen derives the TLSA record from the cert and publishes it in DNS
- client fetches the webpage (HTTPS) and checks: TLSA == cert? DNSSEC OK?

Basics – MX
MX – Mail eXchange
- abstraction: email domain, email server domain
- multiple email servers

Basics – SPF
MX backwards
- faked sender?

Basics – SPF
SPF – Sender Policy Framework
- MX allowed to send
- no one else allowed

Basics – DKIM
DKIM – DomainKeys Identified Mail
- authenticate MTA (fake/spam server)
- integrity (man in the middle)
→ to do

Basics – additional DNS records
SPF – Sender Policy Framework
- which server is allowed to send email
ADSP – Author Domain Signing Practices
- defines if email must be DKIM signed
DMARC – Domain-based Message Authentication, Reporting and Conformance
- successor of SPF and ADSP
- overrides SPF and ADSP
- additional parameters: report email
SRV – Service
- announces services

Basics – DKIM – overview
(diagram; sending and receiving mail server)
- DNS: DKIM key record; DMARC record activates the check
- sending mail server: MUA (Thunderbird) → MTA (Postfix) → signer (rspamd), signs with the key
- receiving mail server: MTA (Postfix) → checker (rspamd): signature == key? → MDA (Dovecot) → MUA (Thunderbird)

Cryptdomainmgr – dataflow
Infrastructure as Code!
(diagram: Configuration → Cryptdomainmgr; Cryptdomainmgr ↔ DNS-Server (update records), Web-/Mailserver (cert, DKIM), CA (certificate))

Cryptdomainmgr – autorenew process
- prepare
  - generate certificate
  - calculate TLSA from certificate
  - add TLSA RR
  - generate key pair for DKIM
  - calculate DKIM
  - add DKIM RR
- rollover
  - use new certificate
  - use new DKIM key
- cleanup
  - remove old TLSA RR
  - remove old DKIM RR
  - delete old certificates
  - delete old DKIM keys

Cryptdomainmgr – structure
cryptdomainmgr/
  __main__.py
  __init__.py
  modules/
    ...
  cdmcore.py
  cdmstatehandler.py
  cdmconfighandler.py

Cryptdomainmgr – structure
cryptdomainmgr/
  ...
  modules/
    common/
    cdm/
    cert/
    dkim/
    domain/
    service/
    dhparam/

Cryptdomainmgr – structure
cryptdomainmgr/
  ...
  modules/
    ...
    domain/
      __init__.py
      main.py
      confighandler.py
      handlerdnsuptools.py

Usage
www.entroserv.de/de/offene-software/cryptdomainmgr

Usage – update cycle
update – set static entries: a, aaaa, srv, dmarc, spf, adsp
$ python -m cryptdomainmgr --update cred.cnf exmpl.cnf
prepare, rollover, cleanup cycle – renew cryptographic material: certificate, TLSA, DKIM
$ python -m cryptdomainmgr cred.cnf exmpl.cnf
explicit cycle
$ python -m cryptdomainmgr --prepare cred.cnf exmpl.cnf
$ python -m cryptdomainmgr --rollover cred.cnf exmpl.cnf
$ python -m cryptdomainmgr --cleanup cred.cnf exmpl.cnf

Usage – DNS credential
$ cat cred.cnf
[domain]
user = myusername
passwd = mypassword

Usage – Certificates
$ cat exmpl.cnf
[cert]
handler = dehydrated
email = [email protected]
keysize = 4096
[cert:maincert]
destination = /etc/ssl
extraflags = --staging, -x
certname = fullchain.pem
- multiple domains using maincert → SAN certificate

Usage – DKIM
$ cat exmpl.cnf
[dkim]
handler = rspamd
[dkim:maindkim]
signingConfTemplateFile = /etc/cryptdomainmgr/dkim_signing_template.conf
signingConfDestinationFile = /etc/rspamd/local.d/dkim_signing.conf

Usage – Domain
$ cat exmpl.cnf
[domain]
user = myusername
handler = dnsuptools/inwx
[domain:domain.example]
soa.hostmaster = [email protected]
soa.refresh = 7200
[domain:sub.domain.example]
ip4 = auto, 192.168.0.1
ip6+ = auto, 0ffc::0030
mx = mail20.domain.example:20, mail30.domain.example:30
mx.40 = mail40.domain.example, mail50.domain.example:50
mx.10+ = mail10.domain.example

Usage – Domain
set A record
$ cat exmpl.cnf
[domain:sub.domain.example]
ip4 = auto, 192.168.0.1
means:
- add external ip and 192.168.0.1 to sub.domain.example
- delete all other A records of sub.domain.example

Usage – Domain
add A record
$ cat exmpl.cnf
[domain:sub.domain.example]
ip4+ = auto, 192.168.0.1
means:
- add external ip and 192.168.0.1 to sub.domain.example
- delete all other A records of sub.domain.example

Usage – Domain
set MX record
$ cat exmpl.cnf
[domain:sub.domain.example]
mx = mail20.domain.example:20, mail30.domain.example:30
means:
- add MX records
  - mail20.domain.example with prio 20
  - mail30.domain.example with prio 30
- delete all other MX records from sub.domain.example

Usage – Domain
set MX record
$ cat exmpl.cnf
[domain:sub.domain.example]
mx.40 = mail40.domain.example, mail50.domain.example:50
means:
- add MX records
  - mail40.domain.example with prio 40
  - mail50.domain.example with prio 50
- delete all other MX records with prio 40 from sub.domain.example
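The three MX forms on the slides above (`mx = …` replaces the whole MX set, `mx.40 = …` replaces only the records of that priority, `mx.10+ = …` adds without deleting anything) are easy to get wrong when reconciling against what is already in the zone. The following is an added example, not cryptdomainmgr's or dnsuptools' code: it parses those keys from a constructed config with configparser and computes the add/delete plan against a constructed set of current records. The key syntax follows the slides; the intent/reconcile split and the rule that a record named anywhere in the section is never deleted are my own design choices.

```python
import configparser
from dataclasses import dataclass, field

# Constructed config in the form the slides show (zone names are hypothetical).
SAMPLE_CONFIG = """
[domain:sub.domain.example]
mx = mail20.domain.example:20, mail30.domain.example:30
mx.40 = mail40.domain.example, mail50.domain.example:50
mx.10+ = mail10.domain.example
"""

# Constructed "current" MX records as (host, prio) pairs, as if queried from DNS.
CURRENT_MX = {
    ("old.domain.example", 20),
    ("mail40.domain.example", 40),
    ("stale40.domain.example", 40),
    ("mail99.domain.example", 99),
}


@dataclass
class MxIntent:
    records: set = field(default_factory=set)        # desired (host, prio) pairs
    replace_prios: set = field(default_factory=set)  # prios whose other records go away
    replace_all: bool = False                        # plain "mx =" replaces everything


def parse_mx_intent(section):
    """Read mx, mx.<prio> and mx...+ keys of one [domain:...] section.

    "host:prio" inside the value overrides the priority taken from the key;
    a trailing "+" on the key means "add only, delete nothing".
    """
    intent = MxIntent()
    for key, value in section.items():
        if key != "mx" and not key.startswith("mx."):
            continue
        add_only = key.endswith("+")
        base = key.rstrip("+")
        key_prio = int(base[3:]) if base.startswith("mx.") else None
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            host, _, prio = item.partition(":")
            prio_value = int(prio) if prio else key_prio
            if prio_value is None:
                raise ValueError(f"no priority given for {host}")
            intent.records.add((host, prio_value))
        if not add_only:
            if key_prio is None:
                intent.replace_all = True
            else:
                intent.replace_prios.add(key_prio)
    return intent


def reconcile_mx(current, intent):
    """Return (to_add, to_delete) needed to move `current` to the intent."""
    current = set(current)
    to_add = intent.records - current
    to_delete = {
        rec for rec in current - intent.records
        if intent.replace_all or rec[1] in intent.replace_prios
    }
    return sorted(to_add), sorted(to_delete)


def plan_mx(config_text, section_name, current):
    """Parse the config text and produce the change plan for one section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    return reconcile_mx(current, parse_mx_intent(cp[section_name]))


if __name__ == "__main__":
    adds, dels = plan_mx(SAMPLE_CONFIG, "domain:sub.domain.example", CURRENT_MX)
    print("add:", adds)
    print("delete:", dels)
```

Running the plan before pushing anything to the DNS API is the cheap safety net: a plain `mx =` in the wrong section shows up as a long delete list, which is exactly the case the slides warn about with "delete all other MX records".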

Usage – Domain
set SRV record
$ cat exmpl.cnf
[domain:sub.domain.example]
srv.service.proto.port.weight.prio = sub.domain.example:PRIO:WEIGHT:PORT:PROTO:SERVICE

Usage – Domain
set DMARC entries
$ cat exmpl.cnf
[domain:sub.domain.example]
dmarc.p = quarantine
dmarc.rua = mailto:[email protected]
dmarc.ruf = mailto:[email protected]
- changes the entries p, rua, ruf of the DMARC record
- entries adkim, aspf, pct do not change
- "atomic" operation
- only one DMARC record allowed!

Usage – Domain
set DMARC record
$ cat exmpl.cnf
[domain:sub.domain.example]
dmarc =
dmarc.p = quarantine
dmarc.rua = mailto:[email protected]
dmarc.ruf = mailto:[email protected]
- changes the entries p, rua, ruf of the DMARC record
- removes all other entries of this record
- atomic operation
- at most one DMARC record allowed!
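The two DMARC slides above distinguish updating individual tags (`dmarc.p`, `dmarc.rua`, `dmarc.ruf`, with adkim, aspf, pct left untouched) from replacing the whole record (a bare `dmarc =` first), both atomic and both requiring that at most one DMARC record exists. As an added example, not the project's code, the block below implements that merge on a constructed existing record: it refuses to act when more than one record is present, keeps v= and p= in front, and validates p= and the mailto: report URIs. The config key mapping is taken from the slides; the validation rules come from RFC 7489 and are my addition.

```python
import configparser

DMARC_POLICIES = {"none", "quarantine", "reject"}

# Constructed existing TXT record at _dmarc.sub.domain.example (hypothetical values).
CURRENT_DMARC = ["v=DMARC1; p=none; adkim=s; aspf=r; pct=50; rua=mailto:old@domain.example"]

# Constructed configs in the form the two slides show.
CONFIG_ENTRIES = """
[domain:sub.domain.example]
dmarc.p = quarantine
dmarc.rua = mailto:dmarc@domain.example
dmarc.ruf = mailto:forensic@domain.example
"""
CONFIG_RECORD = """
[domain:sub.domain.example]
dmarc =
dmarc.p = quarantine
dmarc.rua = mailto:dmarc@domain.example
dmarc.ruf = mailto:forensic@domain.example
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into an insertion-ordered tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def format_dmarc(tags):
    # v= must come first and p= second (RFC 7489 section 6.3); the rest keep their order.
    order = ["v", "p"] + [k for k in tags if k not in ("v", "p")]
    return "; ".join(f"{k}={tags[k]}" for k in order if k in tags)


def validate_dmarc(tags):
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for k in ("rua", "ruf"):
        if k in tags and not all(u.strip().startswith("mailto:") for u in tags[k].split(",")):
            raise ValueError(f"{k}= entries must be mailto: URIs")


def dmarc_changes(section):
    """Return (replace_whole_record, {tag: value}) from dmarc / dmarc.<tag> keys."""
    replace, changes = False, {}
    for key, value in section.items():
        if key == "dmarc":
            replace = True  # bare 'dmarc =': drop every entry not listed below it
        elif key.startswith("dmarc."):
            changes[key[len("dmarc."):]] = value.strip()
    return replace, changes


def update_dmarc(current_records, changes, replace=False):
    """Build the single new _dmarc TXT value; existing tags survive unless replace=True."""
    if len(current_records) > 1:
        raise ValueError("at most one DMARC record allowed")
    if replace or not current_records:
        tags = {"v": "DMARC1"}
    else:
        tags = parse_dmarc(current_records[0])
    tags.update(changes)
    validate_dmarc(tags)
    return format_dmarc(tags)


def apply_config(config_text, section_name, current_records):
    """Read one [domain:...] section and return the record to publish."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    replace, changes = dmarc_changes(cp[section_name])
    return update_dmarc(current_records, changes, replace)


if __name__ == "__main__":
    print(apply_config(CONFIG_ENTRIES, "domain:sub.domain.example", CURRENT_DMARC))
    print(apply_config(CONFIG_RECORD, "domain:sub.domain.example", CURRENT_DMARC))
```

The same read-merge-validate-write shape applies to the SOA and SPF slides that follow: each is one record whose fields are edited as a unit, and publishing happens only after the whole new value has been built and checked.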

Usage – Domain
set SOA entries
$ cat exmpl.cnf
[domain:domain.example]
soa.hostmaster = [email protected]
soa.refresh = 7200
- changes the entries hostmaster, refresh of the SOA record
- primns, serial, retry, expire, ncttl not changed
- atomic operation
- exactly one SOA record in top level allowed!

Usage – Domain
set SPF flags
$ cat exmpl.cnf
[domain:domain.example]
spf = -mx, a, ?all, +aaaa
- add given flags to SPF record
- remove all other flags from SPF record
- atomic operation
- at most one SPF record is allowed!
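The SPF basics slide (MX allowed to send, no one else) and the `spf = …` usage slide both come down to how a receiver evaluates the published record. The block below is an added example, not part of the talk or of cryptdomainmgr: a small evaluator for the a, mx, ip4, ip6 and all mechanisms with their qualifiers, run against a constructed zone dictionary instead of live DNS. It returns `permerror` when a name carries more than one SPF record, which is the practical reason behind the slide's "at most one SPF record" rule. The include, redirect and exists mechanisms and CIDR suffixes on a/mx are not modelled.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups (names and addresses hypothetical).
ZONE = {
    ("domain.example", "TXT"): ["v=spf1 mx a ip4:192.0.2.0/24 -all"],
    ("domain.example", "A"): ["192.0.2.10"],
    ("domain.example", "AAAA"): ["2001:db8::10"],
    ("domain.example", "MX"): ["mail20.domain.example", "mail30.domain.example"],
    ("mail20.domain.example", "A"): ["198.51.100.20"],
    ("mail30.domain.example", "A"): ["198.51.100.30"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    return zone.get((name, rtype), [])


def host_addrs(zone, name):
    """All A and AAAA addresses of a name, as ipaddress objects."""
    return [ipaddress.ip_address(a) for a in lookup(zone, name, "A") + lookup(zone, name, "AAAA")]


def check_spf(zone, domain, sender_ip):
    """Evaluate the SPF record of `domain` for the IP that connected to us.

    Handles a, mx, ip4, ip6 and all with qualifiers; anything else is a
    permerror here. Returns one of pass/fail/softfail/neutral/none/permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(zone, domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208: more than one SPF record is a permanent error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # an IPv6 sender never matches an IPv4 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in host_addrs(zone, arg or domain)
        elif mech == "mx":
            matched = any(ip in host_addrs(zone, mx) for mx in lookup(zone, arg or domain, "MX"))
        else:
            return "permerror"  # include/redirect/exists not modelled in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for candidate in ("198.51.100.20", "192.0.2.77", "2001:db8::10", "203.0.113.5"):
        print(candidate, check_spf(ZONE, "domain.example", candidate))
```

A record such as `v=spf1 mx -all` is the literal form of the slide's "MX allowed to send, no one else allowed"; the `~all` variant only softfails unknown senders, so DMARC's p= decides what actually happens to the message.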

Usage – Domain
set ADSP and CAA records
$ cat exmpl.cnf
[domain:domain.example]
adsp = all
caa = 0 issue letsdecrypt.org, 128 issuewild examplecert.example
- atomic update of the ADSP record
- add the CAA records
- remove all other CAA records
configured by cert handler:
[domain:domain.example]
caa = auto

Usage – Domain
combine stuff – TLSA and DKIM
$ cat exmpl.cnf
[domain:sub.domain.example]
tlsa.tcp.443 = auto:3:0:1, auto:2:0:1
cert = maincert
dkim = maindkim
prepare cycle
- add TLSA and DKIM records
rollover cycle
- no DNS changes
- apply certificates and keys on server
cleanup cycle
- add TLSA and DKIM records (again)
- remove all other TLSA and DKIM records
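The DANE slides (TLSA locks the certificate to DNS; the CA / web server / client flow) and the autorenew process (prepare calculates the TLSA record from the new certificate and adds it, rollover switches certificates, cleanup removes the old record) all rest on how TLSA data is derived from a certificate. The following is an added example, not cryptdomainmgr's or dnsuptools' tlsarecgen: it computes the RDATA for usage/selector/matching-type triples such as the `3:0:1` in `tlsa.tcp.443 = auto:3:0:1`, extracts the SubjectPublicKeyInfo for selector 1 with a minimal DER walker, and checks a presented leaf against a record set the way a DANE-EE verifier would. The certificate is a constructed, unsigned X.509-shaped blob built inline so the block runs offline; the DER walker only handles the standard Certificate/tbsCertificate layout. Usage 2 (`auto:2:0:1` on the slide) names a trust anchor in the chain rather than the leaf and is skipped by the check here.

```python
import hashlib


# ---- minimal DER helpers: enough for the outer layout of an X.509 certificate ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, value):
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(value)) + value


def der_children(buf):
    """Split a DER constructed body into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        start, end = pos + hdr, pos + hdr + length
        out.append((tag, buf[start:end], buf[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate (TLSA selector 1)."""
    _, cert_body, _ = der_children(cert_der)[0]        # Certificate ::= SEQUENCE
    tbs_body = der_children(cert_body)[0][1]           # tbsCertificate is its first element
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


# ---- TLSA record generation and matching (RFC 6698) ----
def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-format RDATA: '<usage> <selector> <mtype> <hex association data>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_owner(host, port=443, proto="tcp"):
    return f"_{port}._{proto}.{host}."


def tlsa_matches(cert_der, rdata_list):
    """DANE-EE style check: does any usage-1/3 record describe the presented leaf?"""
    for rdata in rdata_list:
        usage, selector, mtype, _ = rdata.split()
        if usage not in ("1", "3"):
            continue  # usages 0/2 name a trust anchor in the chain, not modelled here
        if tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)) == rdata:
            return True
    return False


def build_test_cert(serial, pubkey):
    """Constructed, unsigned X.509-shaped certificate for this example (not a real cert)."""
    oid_cn = der(0x06, bytes.fromhex("550403"))
    name = der(0x30, der(0x31, der(0x30, oid_cn + der(0x0C, b"sub.domain.example"))))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + pubkey))
    validity = der(0x30, der(0x17, b"190420000000Z") + der(0x17, b"200420000000Z"))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    key = bytes(range(64))
    old_cert, new_cert = build_test_cert(b"\x01", key), build_test_cert(b"\x02", key)
    print(tlsa_owner("sub.domain.example"), "IN TLSA", tlsa_rdata(new_cert, 3, 0, 1))
    print("old cert still valid during prepare:",
          tlsa_matches(old_cert, [tlsa_rdata(old_cert, 3, 0, 1), tlsa_rdata(new_cert, 3, 0, 1)]))
```

The scenario worth keeping in mind from the test: with selector 0 the record changes on every reissue, so prepare has to publish the new record while the old certificate is still served and cleanup may remove the old record only after rollover; with selector 1 the record stays valid for as long as the key pair is reused, which is why some operators pin the SPKI rather than the full certificate.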

Implementation – cryptdomainmgr
__main__.py – command line interface
cdmcore.py – core, brings everything together
cdmconfighandler.py – reads/interprets config (ini) files
cdmstatehandler.py – manages dependencies, data transport, next run phase
modules/ – plugins handling/interfacing DNS update, certificate renewal, DKIM renewal, service reload
external packages:
simpleloggerplus – logging abstraction, password → *****
dnsuptools – domrobot interface abstraction, TLSA, DKIM calculation

Implementation – cryptdomainmgr
Reactive: the domain update depends on the TLSA record, which is calculated from the new certificate.
(diagram: modules/cert: Certificate Update → TLSA → modules/domain: Domain Update)

Implementation – modules
modules/cert/main.py – interface to handler, some helpers
modules/cert/handlerdehydrated.py – interface to dehydrated to create certificate
modules/cert/confighandler.py – interprets corresponding parts of the config file
external package:
dehydrated – handles the ACME API for Let's Encrypt

Implementation – simpleloggerplus
simpleloggerplus.py – core, produces output
deepops.py – deep dict/list operations, password → *****

Implementation – dnsuptools
dnsuptools.py – core, high level, record change & query methods
dnsupdate.py – interface to wrapper, low level
inwxwrapper.py – interface to the InterNetworX API, lowest level
dkimrecgen.py – reads/interprets DKIM key file
tlsarecgen.py – reads/interprets certificate file
dnshelpers.py – one helper function
external packages:
simpleloggerplus – see simpleloggerplus above
inwxclient – domrobot client

Discussion
???