Did all the good DANE TLSA record checkers go away? All the ones I can find are caching results, either the report or the DNS queries, so they are near useless for fixing/debugging your records.
internet.nl should work properly without caching being an issue and tests a lot more DANE. It's really good.
Thanks.
Their results are a little bit critical though. Just because my secondary doesn't have IPv6 it says: Too bad! Your website is not reachable for visitors using a modern internet address (IPv6), or improvement is possible.
Same with HTTPS.
And why oh why do checkers not tell or link to this to generate/fix your TLSA record?
I just generate them locally.
ECDSA:
openssl ec -in /etc/letsencrypt/live/domain.com/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
RSA:
openssl rsa -in /etc/letsencrypt/live/mail.grapheneos.org/privkey.pem -outform der -pubout | openssl dgst -sha256 -hex
Ok, the command you gave me matches the results I am using already. This is for a TLSA 3 1 1 record, correct?
Yeah, for pinning the public key of the leaf certificate. If you add multiple records, it trusts multiple keys, so that's what you do for rotation without downtime.
Then the DANE checker is broken, because that's what I used and it's saying that it's invalid. Hmm, I'll d/l the presented cert from the browser and check that.
Yeah, looks like that command gives incorrect results, where this site: huque.com/bin/gen_tlsa seems to have given correct results.
This could be because the public key is a P-384 key instead of an RSA key.
ASN1 OID: secp384r1
NIST CURVE: P-384
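As an added example (not posted by anyone in this thread), a stdlib-only Python script for the debugging step above: it pulls the SubjectPublicKeyInfo out of the certificate the server actually presents and builds the 3 1 1 record from it, then builds the same record from a key-derived SPKI (the bytes `openssl ... -pubout -outform der` emits), so a mismatch between the two is visible without any cached checker. The certificate and key bytes are constructed placeholders, not real material.

```python
import hashlib

def der(tag, content):
    """Encode one DER element (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_split(buf):
    """Split off the first DER element: (tag, value, whole_element, rest)."""
    tag, ln, i = buf[0], buf[1], 2
    if ln & 0x80:                       # long form: low 7 bits = number of length bytes
        n, ln = ln & 0x7F, 0
        for b in buf[2:2 + n]:
            ln = (ln << 8) | b
        i += n
    return tag, buf[i:i + ln], buf[:i + ln], buf[i + ln:]

def der_children(value):
    """All elements inside a constructed value, each as (tag, inner, whole)."""
    items = []
    while value:
        tag, inner, whole, value = der_split(value)
        items.append((tag, inner, whole))
    return items

def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert. This is the same encoding that
    `openssl ec/rsa ... -pubout -outform der` emits for the matching private key."""
    _, cert_body, _, _ = der_split(cert_der)           # Certificate SEQUENCE
    _, tbs, _, _ = der_split(cert_body)                # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                           # skip explicit [0] version (v3 certs)
        fields = fields[1:]
    return fields[5][2]       # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_rdata_for_spki(spki_der, usage=3, mtype=1):
    """Selector 1 (SPKI) record text; matching type 1 = SHA-256, 2 = SHA-512."""
    h = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return f"{usage} 1 {mtype} {h(spki_der).hexdigest()}"

def tlsa_rdata_for_cert(cert_der, usage=3, mtype=1):
    """Same record computed from the certificate the server actually presents."""
    return tlsa_rdata_for_spki(spki_from_cert(cert_der), usage, mtype)

# Constructed sample (not a real key or certificate): a P-384 SPKI with a dummy point,
# wrapped in a skeleton v3 certificate whose other fields are empty placeholders.
EC_PUBKEY_OID, SECP384R1_OID = bytes.fromhex("06072a8648ce3d0201"), bytes.fromhex("06052b81040022")
SAMPLE_SPKI = der(0x30, der(0x30, EC_PUBKEY_OID + SECP384R1_OID) + der(0x03, b"\x00\x04" + bytes(range(96))))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                        + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    rec = tlsa_rdata_for_cert(SAMPLE_CERT)
    print("_25._tcp.mail.example.com. IN TLSA", rec)
    print("matches key-derived record:", rec == tlsa_rdata_for_spki(SAMPLE_SPKI))
```

To check a live deployment, feed `spki_from_cert` the DER of the certificate saved from the browser or `openssl s_client` and `tlsa_rdata_for_spki` the output of the `-pubout -outform der` command; if the two strings differ, the key file and the presented certificate do not belong together.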