patrickkasie
Verified User
Dear DirectAdmin forum,
I have been following the guide of https://docs.directadmin.com/other-...y-add-tlsa-records-with-let-s-encrypt-updates in order to try and install DANE/TLSA.
We don't have DNS handled by DirectAdmin and instead have it run by our own nameservers.
I have no idea where to begin with the specific situation we're at with adding DANE/TLSA. This is what I've done so far:
Done the above steps of following "How to automatically add TLSA records with Let's Encrypt updates".
After generating a certificate for patrickkas.nl as the example domain name on the server where the domain is located:
Code:
# cd /etc/ssl/certs/
# /usr/local/directadmin/scripts/custom/set_tlsa.sh patrickkas.nl
# openssl x509 -in /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
Afterwards, I went to another server and used the following command with the result:
Code:
# openssl s_client -connect patrickkas.nl:443 -servername patrickkas.nl | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = vps18.jk.nl
verify return:1
(stdin)= bd5d7378706f29c18fa9b30f15408540bd2b8c3c908637c20c84a4d660bcce8c
Next is adding it to our DNS zone that's not managed by DA, using the following values:
Code:
_443._tcp.patrickkas.nl. 300 IN TLSA 2 0 1 bd5d7378706f29c18fa9b30f15408540bd2b8c3c908637c20c84a4d660bcce8c
Finally, let's check if we can dig it:
Code:
# dig +dnssec _443._tcp.patrickkas.nl TLSA
; <<>> DiG 9.11.36-RedHat-9.11.36-14.el8_10 <<>> +dnssec _443._tcp.patrickkas.nl TLSA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10452
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_443._tcp.patrickkas.nl. IN TLSA
;; ANSWER SECTION:
_443._tcp.patrickkas.nl. 300 IN TLSA 2 0 1 BD5D7378706F29C18FA9B30F15408540BD2B8C3C908637C20C84A4D6 60BCCE8C
_443._tcp.patrickkas.nl. 300 IN RRSIG TLSA 13 4 300 20240829000000 20240808000000 41457 patrickkas.nl. Wlwo7xYqvGPYdVpqgBcE3k2l6WExRfXBiwfj0JKh8dBjIRh8jJ0XsShx 7vf3JGjCSYW1gOwezaKVJRaD7nf8hw==
;; Query time: 6 msec
;; SERVER: 195.8.195.8#53(195.8.195.8)
;; WHEN: Mon Aug 19 14:53:31 CEST 2024
;; MSG SIZE rcvd: 208
Seems to be in order.
Now let's use internet.nl to verify if the outside world also views this correctly:
Error: the fingerprint is incorrect. (In Dutch)
So what did I do wrong?