Did all the good DANE TLSA record checkers go away? All the ones I can find are caching results, either the report or the DNS queries, so they are near useless for fixing/debugging your records.
internet.nl should work properly without caching being an issue and tests a lot more DANE. It's really good.
Thanks.
Their results are a little bit critical though. Just because my secondary doesn't have IPv6 it says: Too bad! Your website is not reachable for visitors using a modern internet address (IPv6), or improvement is possible.
Same with HTTPS.
And why oh why do checkers not tell you or link to this to generate/fix your TLSA record?
I just generate them locally.
ECDSA:
openssl ec -in /etc/letsencrypt/live/domain.com/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
RSA:
openssl rsa -in /etc/letsencrypt/live/mail.grapheneos.org/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
And make sure your Let's Encrypt automation reuses the key for renewal like `reuse_key = True` for certbot.
I just do key rotation by hand when I replace the dedicated server / VPS instances. Get new certificate, add new record, wait for TTL, switch and then remove the old one.
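The procedure described in the post above, as an added example that is not part of the thread: one `openssl pkey` pipeline that produces the TLSA 3 1 1 hash (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256) for either key type, plus a check of a certificate against the published hash, which is exactly what fails when renewal does not reuse the key. The hostname, port and keys are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: derive the hash for a TLSA 3 1 1 record
# from a private key or a certificate, and check a certificate against a pinned hash.
# Only depends on openssl; all keys below are constructed throwaway material.
set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a private key (RSA or EC).
# Equivalent to the openssl ec/rsa pipelines in the thread, with one command for both.
spki_hash_from_key() {
  openssl pkey -in "$1" -pubout -outform der | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same hash taken from the leaf certificate, so the check needs no private key.
spki_hash_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -pubout -outform der | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Zone-file line for the record: _port._tcp.host. IN TLSA 3 1 1 <hash>
tlsa_311_record() {
  printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$2" "$3"
}

# Exit 0 if the certificate's SPKI hash equals the published hash, 1 otherwise.
# This is the check that breaks after a renewal that did not reuse the key.
tlsa_311_matches() {
  [ "$(spki_hash_from_cert "$1")" = "$2" ]
}

# Constructed scenario: pin key k1, renew with the same key (fine), then with a new key (breaks).
demo() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/k1.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/k2.pem"
  for k in k1 k2; do
    openssl req -new -x509 -key "$dir/$k.pem" -subj /CN=mail.example.test -days 1 \
      -out "$dir/$k.crt" 2>/dev/null
  done
  pinned=$(spki_hash_from_key "$dir/k1.pem")
  tlsa_311_record 25 mail.example.test "$pinned"
  tlsa_311_matches "$dir/k1.crt" "$pinned" && echo "reused key: record still valid"
  tlsa_311_matches "$dir/k2.crt" "$pinned" || echo "rotated key: publish the new record and wait a TTL first"
  rm -rf "$dir"
}

demo
```

Run it against a real deployment by pointing `spki_hash_from_cert` at the served certificate and comparing with the hash in the published TLSA record; a mismatch means the record, not the checker, is the problem.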
Ok, the command you gave me matches the results I am using already. This is for a TLSA 3 1 1 record, correct?