Tags: tls / tlsa

Right, so a checklist is needed for a website these days:

  • DNS
  • DNSSEC, which is close to being simple with a BIND server
  • HTTP
  • HTTPS
  • TLS certificate from Let's Encrypt

A successful validation gives me five files:

README
cert.pem
chain.pem
fullchain.pem
privkey.pem

privkey.pem is the private key (the only secret among the five), and fullchain.pem is cert.pem and chain.pem concatenated. Those two files are what the web server needs to serve HTTPS. For a GitLab Pages project there is a Pages settings page, something like https://gitlab.example.com/UserName/ProjectName/pages, where you fill in the domain, paste the private key and the full chain, and you have working HTTPS.

For generating the TLSA record, in what I hope is the least cumbersome form, choose 3 1 1: usage 3 (DANE-EE, the end-entity certificate itself is what clients trust), selector 1 (the SubjectPublicKeyInfo, i.e. the public key rather than the whole certificate) and matching type 1 (SHA-256), together with the traditional port 443, tcp transport and the domain. The trick is what to paste into the PEM field: the content of cert.pem, which is your website's certificate without the chain, not fullchain.pem. The generator returns a DNS record that can be added to a BIND-style zone file unchanged. One caveat: because selector 1 hashes only the public key, the record survives a Let's Encrypt renewal only if the renewal reuses the existing key pair. If your ACME client generates a fresh key on every renewal, a new TLSA record has to be published, ideally before the new certificate goes live, or DANE-validating clients will reject the site.

It's going to look something like this:

_443._tcp.projectname.pages.example.com. IN TLSA 3 1 1 87abd.....76187b
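The same record, generated locally instead of through a web form, as an added example that is not part of the original post. It parses cert.pem (or the leaf of fullchain.pem) with a minimal DER walker, hashes the SubjectPublicKeyInfo and prints the 3 1 1 line in the zone-file form shown above; it also goes beyond the post by supporting selector 0 (whole certificate) and matching types 0 and 2, and by offering a check for the renewal caveat. The host name is the post's example; the embedded certificate is a constructed, unsigned stand-in so the script runs offline, and no name in it comes from the post's tooling.

```python
# Added example (not from the original post): TLSA RDATA from a PEM
# certificate in pure Python. SAMPLE_CERT_PEM is a constructed, unsigned
# certificate used only so this runs offline; the host name is the post's.
import base64
import hashlib
import re

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def first_cert_der(pem_text: str) -> bytes:
    """DER of the first certificate in a PEM file: all of cert.pem, or the
    leaf if handed fullchain.pem, which is the one usage 3 refers to."""
    m = _PEM_CERT.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def _elements(buf: bytes, start: int, end: int):
    """(tag, element_start, element_end) for each TLV inside a SEQUENCE."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend

def spki_der(cert_der: bytes) -> bytes:
    """The DER SubjectPublicKeyInfo, i.e. what TLSA selector 1 is hashed over."""
    tag, s, e = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE {
    tag2, s, e = _tlv(cert_der, s)         #   tbsCertificate SEQUENCE { ...
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(_elements(cert_der, s, e))
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, start, end = fields[5]
    if tag != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    return cert_der[start:end]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """RDATA text in RFC 6698 order: usage selector matching-type data."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        assoc = data.hex()                 # raw DER, no hash
    elif mtype == 1:
        assoc = sha256_hex(data)
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {mtype} {assoc}"

def tlsa_record(host: str, pem_text: str, port: int = 443, proto: str = "tcp", **kw) -> str:
    """A complete BIND zone-file line, like the one shown in the post."""
    owner = f"_{port}._{proto}.{host.rstrip('.')}."
    return f"{owner} IN TLSA {tlsa_rdata(first_cert_der(pem_text), **kw)}"

def key_unchanged(old_pem: str, new_pem: str) -> bool:
    """True if a renewed certificate kept its public key, so the existing
    3 1 1 record still matches and need not be republished."""
    return spki_der(first_cert_der(old_pem)) == spki_der(first_cert_der(new_pem))

# --- constructed sample certificate: structurally valid DER, not signed ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

_EC_PUBKEY = _der(0x06, bytes.fromhex("2A8648CE3D0201"))        # id-ecPublicKey
_P256 = _der(0x06, bytes.fromhex("2A8648CE3D030107"))           # prime256v1
_ECDSA_SHA256 = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D040302")))
SAMPLE_SPKI = _der(0x30, _der(0x30, _EC_PUBKEY + _P256)
                   + _der(0x03, b"\x00\x04" + bytes(range(64))))  # dummy point
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))               # version v3
            + _der(0x02, b"\x01")                                # serialNumber
            + _ECDSA_SHA256                                      # signature alg
            + _der(0x30, b"")                                    # issuer (empty)
            + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
            + _der(0x30, b"")                                    # subject (empty)
            + SAMPLE_SPKI)
_CERT = _der(0x30, _TBS + _ECDSA_SHA256 + _der(0x03, b"\x00" + bytes(8)))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_CERT).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record("projectname.pages.example.com", SAMPLE_CERT_PEM))
```

On a real certificate, `tlsa_record("projectname.pages.example.com", open("cert.pem").read())` gives the line to paste into the zone file, and after a renewal `key_unchanged(old_pem, new_pem)` tells you whether the published record is still good.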

Then it's a matter of waiting for the name servers to sign, reload and refresh the zone, and for resolver caches to pick up the new record, after which the site is probably about as verified as you can make it.

From what I know, TLSA verification isn't all that easy to find; I haven't really noticed anything native in Google Chrome or Mozilla Firefox, so I'm using a DNSSEC/TLSA validator add-on to actually see it.
