Currently, TLSA updates need to be done manually after obtaining the certificate. Over at desec-io/desec-stack#513, there is some effort to auto-generate TLSA records from certificates. If this ever becomes available through the deSEC API, we would still have to figure out if the certbot plugin interface provides functions that are called after successfully obtaining a certificate.
We need to proceed with caution, though, as record updates need to be carefully coordinated with the actual certificate switch at the web server. I believe https://github.com/raforg/danectl implements an appropriate workflow for this.
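The coordination problem raised in the comment above, as an added example (not code from certbot, this plugin, deSEC or danectl). It assumes a publish-before-switch order and `3 0 1` TLSA parameters; `tlsa_rdata`, `next_step` and the byte strings standing in for DER certificates are hypothetical names and constructed values.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
OLD_CERT = b"constructed-old-certificate-der"
NEW_CERT = b"constructed-new-certificate-der"


def tlsa_rdata(cert_der: bytes) -> str:
    """TLSA rdata '3 0 1 <hex>': DANE-EE, full certificate, SHA-256."""
    return "3 0 1 " + hashlib.sha256(cert_der).hexdigest()


def next_step(published, live_der, new_der, new_record_age, ttl):
    """Return (action, rrset) for one pass of a hypothetical rollover job.

    published      -- set of TLSA rdata strings currently in the zone
    live_der       -- DER of the certificate the server presents now
    new_der        -- DER of the freshly issued certificate
    new_record_age -- seconds since the new record was published, or None
    ttl            -- TTL in seconds of the TLSA RRset
    """
    live, new = tlsa_rdata(live_der), tlsa_rdata(new_der)
    if live not in published:
        # Validating clients are already failing: repair this first.
        return "publish", published | {live}
    if live == new:
        # The switch has happened; drop records of retired certificates.
        return ("done", published) if published == {new} else ("prune", {new})
    if new not in published:
        # Add the new record next to the old one, never replace it.
        return "publish", published | {new}
    if new_record_age is None or new_record_age < ttl:
        # Resolvers may still cache the RRset that lacks the new record.
        return "wait", published
    return "switch_certificate", published


if __name__ == "__main__":
    zone = {tlsa_rdata(OLD_CERT)}
    print(next_step(zone, OLD_CERT, NEW_CERT, None, 3600)[0])  # first pass
```

Only the `switch_certificate` result is the point at which the web server may start presenting the new certificate; replacing the record at issuance time instead leaves a window in which cached TLSA data and the served certificate disagree.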
That's a very good point. I had the impression that certbot provides some post-fetch hooks for the plugins: doesn't the nginx plugin update config files after certs are issued?
I'll give it a look as soon as I get some free time!
I was wondering if it's possible to also update TLSA records after a certificate is fetched?