Right, so a checklist is needed for a website these days.
- DNSSEC, which is close to being simple with a BIND server
- TLS certificate from Let's Encrypt
A successful validation gives me 5 files:
README cert.pem chain.pem fullchain.pem privkey.pem
privkey.pem is the private key; combined with cert.pem it is what makes the
webserver do HTTPS. For the project there's a Pages page where you can fill in
the key and certificate, at something like
https://gitlab.example.com/UserName/ProjectName/pages: fill in the domain,
paste the private key and the fullchain, and you've got working HTTPS.
For generating the TLSA record, in what I'm hoping will be the least cumbersome
version, you choose a 3 1 1, and of course the traditional port 443, tcp
transport and the domain bit. The trick here is to find out what to paste in
the PEM field: that would be the content of cert.pem, which is your website's
certificate without the full chain. That returns a DNS record that can be added
to a BIND-style zone file without change.
It's going to look something like:
_443._tcp.projectname.pages.example.com. IN TLSA 3 1 1 87abd.....76187b
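To make explicit what the generator is doing with the pasted cert.pem, here is an added example (not code from the original post or from any generator the post refers to) that builds the same kind of record in pure Python. In a 3 1 1 record the "1" selector means the hash covers only the DER-encoded SubjectPublicKeyInfo, not the whole certificate, and the last "1" means SHA-256; the script walks the certificate's DER structure, pulls out that SPKI, hashes it and prints the zone-file line. The function names, the constructed stand-in certificate (correct X.509 layout, dummy key, unsigned) and the domain projectname.pages.example.com are assumptions for the example; feed `pem_to_der()` your real cert.pem to get a record you can compare against the generator's output.

```python
import base64
import hashlib
import re

# --- minimal DER helpers, just enough to walk an X.509 certificate ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV element (used only to build the constructed sample cert)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def read_tlv(data: bytes, pos: int):
    """Decode the element starting at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(data: bytes, start: int, end: int):
    """Yield (tag, full_tlv_bytes) for every element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, ve = read_tlv(data, pos)
        yield tag, data[pos:ve]
        pos = ve

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of cert.pem and return the raw DER certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found (paste cert.pem, not privkey.pem)")
    return base64.b64decode("".join(m.group(1).split()))

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, which is what a selector-1 TLSA record hashes."""
    tag, vs, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs_vs, tbs_ve = read_tlv(cert_der, vs)   # tbsCertificate ::= SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = list(children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:       # optional explicit [0] version, absent in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def tlsa_record(cert_der: bytes, domain: str, port: int = 443, proto: str = "tcp",
                usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Build a BIND-style TLSA line; defaults give the 3 1 1 record from the post."""
    if selector == 0:
        data = cert_der                    # full certificate
    elif selector == 1:
        data = extract_spki(cert_der)      # SubjectPublicKeyInfo only
    else:
        raise ValueError("selector must be 0 or 1")
    if mtype == 0:
        assoc = data                       # exact match, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"_{port}._{proto}.{domain}. IN TLSA {usage} {selector} {mtype} {assoc.hex()}"

# --- constructed sample input (not a real certificate) ---

OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def build_sample_cert(with_version: bool = True):
    """Return (pem, spki) for a constructed, unsigned stand-in for cert.pem."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
                     + der(0x03, b"\x00" + bytes(range(32))))   # dummy public key bits
    tbs = der(0xA0, der(0x02, b"\x02")) if with_version else b""  # [0] version v3
    tbs += (der(0x02, b"\x01")                                     # serialNumber
            + alg                                                  # signature algorithm
            + der(0x30, b"")                                       # issuer (empty Name)
            + der(0x30, der(0x17, b"240101000000Z") * 2)           # validity
            + der(0x30, b"")                                       # subject (empty Name)
            + spki)
    cert = der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" + bytes(16)))  # dummy signature
    b64 = base64.b64encode(cert).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    return pem, spki

if __name__ == "__main__":
    sample_pem, _ = build_sample_cert()
    print(tlsa_record(pem_to_der(sample_pem), "projectname.pages.example.com"))
```

Because the 3 1 1 record commits to the public key rather than the certificate, a Let's Encrypt renewal only keeps the record valid if the same key pair is reused; a renewal that generates a fresh private key needs a new TLSA record published (and propagated through the signed zone) before the new certificate goes live, or DANE-validating clients will refuse the site.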
Then it's just a matter of waiting for the nameservers to do all their signing, reloading and refreshing, and that's probably as verified as you can make your website.
From what I know, TLSA verification isn't all that easy to find; I haven't really noticed anything native in Google Chrome or Mozilla Firefox, so I'm using a DNSSEC/TLSA validator addon to actually see it.