Automatically add TLSA records with letsencrypt updates



Last Modified: Feb 5, 2020, 11:02 pm


This guide is incomplete.  The SMTP checks are still failing.
If you must use it, do it for port 443 only and comment out the _25._tcp lines for now.

This guide assumes you've already got DNSSEC up and running on your domain.

The first step is to set up a script that will actually generate the TLSA record and add it to your zone.
Create the script here (not directly called by DA):


with code



#!/bin/sh
# Definitions the original page omits (assumed): the domain comes in as the
# first argument; TQ and DTQ are DirectAdmin's task queue and its runner;
# F is where the downloaded CA certificate is kept.
DOMAIN=$1
TQ=/usr/local/directadmin/data/task.queue
DTQ=/usr/local/directadmin/dataskq
F=/usr/local/directadmin/data/le-ca.pem

if [ "${DOMAIN}" = "" ] || [ ! -d "/etc/virtual/${DOMAIN}" ]; then
       echo "$DOMAIN is not a valid domain";
       exit 1;
fi

# Download the Let's Encrypt intermediate CA certificate (PEM). The URL is
# missing from the original page; fill in the current intermediate's URL.
wget -O "$F" "<URL-of-the-Lets-Encrypt-intermediate-certificate>"
# TLSA usage 2 (trust anchor), selector 0 (full certificate), matching type 1
# (SHA-256), computed over the DER encoding of the CA certificate.
V=`openssl x509 -in "$F" -outform DER | openssl dgst -sha256 -hex | awk '{print "2 0 1", $NF}'`

echo "Value is: $V"

#clear the old le-ca records first; the .cb queue is processed right away by dataskq --custombuild
echo "action=dns&do=delete&domain=${DOMAIN}&type=CNAME&name=_443._tcp&value=*" >> ${TQ}.cb;
echo "action=dns&do=delete&domain=${DOMAIN}&type=CNAME&name=_25._tcp.mail&value=*" >> ${TQ}.cb;
echo "action=dns&do=delete&domain=${DOMAIN}&type=TLSA&name=le-ca&value=*" >> ${TQ}.cb; ${DTQ} --custombuild

#add the new one
echo "action=dns&do=add&domain=${DOMAIN}&type=TLSA&name=le-ca&value=$V" >> ${TQ}

#_443._tcp and _25._tcp.mail are CNAMEs to le-ca, so both ports share the one TLSA record
echo "action=dns&do=add&domain=${DOMAIN}&type=CNAME&name=_443._tcp&value=le-ca" >> ${TQ}
echo "action=dns&do=add&domain=${DOMAIN}&type=CNAME&name=_25._tcp.mail&value=le-ca" >> ${TQ}

echo 'action=named&value=reload' >> ${TQ}

exit 0;

and make the script executable (chmod 755).

Next, create this custom script to call it, triggered by any LE update:


with the following code:

#!/bin/sh
# $domain is the domain whose certificate was just issued or renewed, as passed by
# DirectAdmin to this hook; the script name after custom/ is missing from the original page.
/usr/local/directadmin/scripts/custom/ "$domain"
exit 0;

and make this script executable as well (chmod 755).

This will set the TLSA record on *all* domains that are using Let's Encrypt, so be sure they're *all* using DNSSEC before setting this up.
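The value the script computes, 2 0 1 followed by a hex digest, is a TLSA record with certificate usage 2 (DANE-TA: the record names a trust anchor, here the Let's Encrypt intermediate), selector 0 (the full certificate) and matching type 1 (SHA-256 over the DER encoding). Because selector 0 hashes the whole intermediate certificate, the record has to be regenerated whenever Let's Encrypt changes its intermediate, which is why the script runs on every renewal. The Python below is an added example, not DirectAdmin's code or the article's: it computes the association data for both selectors and all three matching types, pulls the SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walk, and checks a record against a served chain, which is the check to run when a DANE validator (such as the SMTP tests mentioned at the top) reports a mismatch. The sample certificates are constructed, unsigned X.509 skeletons built inline so it runs offline; all function names are my own.

```python
"""TLSA (RFC 6698) association data and record matching, standard library only.
Added example for this article; not DirectAdmin's code. Function names are mine."""
import base64
import hashlib


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (what openssl x509 -outform DER yields)."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))

def _tlv(buf: bytes, pos: int):
    """Read one DER tag and length at pos; return (tag, header_length, content_length)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def _children(buf: bytes, pos: int, end: int):
    """Yield (tag, start, end) for each DER element in [pos, end)."""
    while pos < end:
        tag, hlen, clen = _tlv(buf, pos)
        yield tag, pos, pos + hlen + clen
        pos += hlen + clen

def spki_from_cert(der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate (TLSA selector 1)."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, hlen, clen = _tlv(der, 0)
    _, tbs_start, tbs_end = next(_children(der, hlen, hlen + clen))
    _, tbs_hlen, _ = _tlv(der, tbs_start)
    fields = list(_children(der, tbs_start + tbs_hlen, tbs_end))
    # TBSCertificate: [0] version (optional), serial, signature, issuer, validity, subject, SPKI
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    _, start, end = fields[5]
    return der[start:end]

def tlsa_data(der: bytes, selector: int, matching: int) -> str:
    """Certificate association data (hex) for one selector and matching type."""
    data = der if selector == 0 else spki_from_cert(der)
    if matching == 0:
        return data.hex()                   # Full: the selected bytes verbatim
    if matching == 1:
        return hashlib.sha256(data).hexdigest()
    if matching == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %d" % matching)

def tlsa_rdata(der: bytes, usage: int, selector: int, matching: int) -> str:
    """Zone-file RDATA 'usage selector matching hex'; (2, 0, 1) gives the article's '2 0 1 ...' form."""
    return "%d %d %d %s" % (usage, selector, matching, tlsa_data(der, selector, matching))

def tlsa_matches(rdata: str, chain: list) -> bool:
    """Check one TLSA record against a served chain (DER certs, leaf first).
    Usages 1 and 3 must match the leaf; usages 0 and 2 (CA constraint / trust anchor)
    must match an issuing certificate. PKIX path validation is not performed here."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    want = "".join(hexdata.split()).lower()  # zone files may wrap and upper-case the hex
    candidates = chain[:1] if int(usage) in (1, 3) else chain[1:]
    return any(tlsa_data(c, int(selector), int(matching)) == want for c in candidates)

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a minimal length field (lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content

def build_sample_cert(key_bytes: bytes, with_version: bool = True) -> tuple:
    """Constructed, unsigned X.509 skeleton so the example runs offline (not a real certificate).
    Returns (certificate_der, spki_der) so the SPKI extraction can be checked."""
    ec_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))       # id-ecPublicKey
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    spki = _der(0x30, ec_alg + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""         # [0] version v3
    tbs += _der(0x02, b"\x01")                                              # serialNumber
    tbs += sig_alg                                                          # signature
    tbs += _der(0x30, b"")                                                  # issuer (empty Name)
    tbs += _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))  # validity
    tbs += _der(0x30, b"")                                                  # subject (empty Name)
    tbs += spki
    cert = _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 9))
    return cert, spki

if __name__ == "__main__":
    ca, _ = build_sample_cert(b"\x04" + b"\x11" * 64)    # stands in for the LE intermediate
    leaf, _ = build_sample_cert(b"\x04" + b"\x22" * 64)  # stands in for the site certificate
    record = tlsa_rdata(ca, 2, 0, 1)
    print(record, tlsa_matches(record, [leaf, ca]))      # prints the '2 0 1 ...' record and True
```

To check the records the script adds, feed tlsa_matches the record text from the zone and the chain your server actually presents (the DER of each certificate, leaf first, for instance from openssl s_client -showcerts on port 443, and with -starttls smtp on port 25). A usage 2 record that never matches usually means the intermediate the server sends differs from the one the script downloaded and hashed.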

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST