@rithvikvibhu
Created March 3, 2024 06:47
Securing websites with Stateless DANE using certbot

Caddy is the recommended and easiest way to set this up (guide here), but HTools ACME works with any client including certbot.

Assuming nginx here, but any target certbot supports will work.

Website Setup

Get a regular web server running as usual. A simple nginx config:

server {
  listen 80;
  listen [::]:80;
  root /var/www/demo.lazydane;
  index index.html;
  server_name demo.lazydane;
  location / {
    try_files $uri $uri/ =404;
  }
}

Install Certbot

See https://certbot.eff.org/ for more options.

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Get Certificate

Set up certificates with certbot (the only differences from a normal run are --server and --reuse-key):

sudo certbot --nginx --server https://acme.htools.work/directory --reuse-key -d demo.lazydane

Certbot doesn’t yet have an easy option to change renewal time (track certbot/certbot#9261 for that). Until that’s implemented, the only way is to manually edit the config file.

Edit /etc/letsencrypt/renewal/demo.lazydane.conf with your favorite text editor to uncomment and change from 30 days to 1 day:

# renew_before_expiry = 30 days

(changes to)

renew_before_expiry = 1 day

Set TLSA record

The final step is to set the TLSA record, just like a regular DANE website.

To find the record to be set, visit https://acme.htools.work/tlsa and enter your domain name:

(screenshot: the TLSA record returned by the lookup page for the domain)

Set this record at your DNS host (PowerDNS, Varo, Namebase, etc.).

Visiting https://demo.lazydane/ should load without warnings (if you are browsing securely with Fingertip).

At this point, the website is secured with regular DANE only.

Where’s Stateless?

Since the certificate needs to include DNSSEC proofs of the TLSA record, those proofs can only be added once the TLSA record is set.

Now that we’ve set the TLSA record, the next time certbot renews the certificate, it will get a Stateless DANE certificate.

We could simply wait ~1.5 days for this to take effect automatically, but let's force certbot to renew the certificate now and skip the wait by adding --force-renewal (replace demo.lazydane with your domain name):

sudo certbot --nginx --server https://acme.htools.work/directory --reuse-key --force-renewal -d demo.lazydane
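As an added check, not part of this gist: the script below computes the DANE-EE TLSA value (3 1 1, SHA-256 over the certificate's SubjectPublicKeyInfo; assumed here to be the record type the lookup page returns) from a certificate file, compares it with what DNS publishes, and shows why --reuse-key matters: certificates issued for the same key keep the same TLSA value, while a rotated key would leave the record stale. Function names are my own, the self-check uses throwaway keys it generates itself, and it assumes openssl (and dig for the DNS lookup) are installed.

```shell
#!/bin/sh
# Added example, not part of the gist. Needs openssl; tlsa_from_dns additionally needs dig.

# TLSA "3 1 1" value of a certificate: SHA-256 over its DER-encoded SubjectPublicKeyInfo.
# Because only the key is hashed, certbot --reuse-key keeps this value stable across renewals.
tlsa_311_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -c1-64
}

# The 3 1 1 record DNS currently publishes for HTTPS on a name (lower-case hex, spaces joined).
tlsa_from_dns() {
  dig +short TLSA "_443._tcp.$1" \
    | awk '$1==3 && $2==1 && $3==1 { h=""; for (i=4; i<=NF; i++) h=h $i; print tolower(h) }'
}

# Compare the deployed certificate with DNS. Worth running after every renewal (e.g. as a deploy hook)
# so a stale record is noticed before browsers start failing DANE validation.
# usage: check_tlsa demo.lazydane /etc/letsencrypt/live/demo.lazydane/cert.pem
check_tlsa() {
  want=$(tlsa_311_from_cert "$2")
  have=$(tlsa_from_dns "$1")
  if [ -n "$have" ] && [ "$want" = "$have" ]; then
    echo "OK: TLSA for $1 matches $2"
  else
    echo "MISMATCH for $1: cert=$want dns=${have:-<no 3 1 1 record>}" >&2
    return 1
  fi
}

# Offline self-check with constructed throwaway keys: two certificates issued for the same key hash
# identically, a certificate for a fresh key does not. Prints the shared value; returns 0 on success.
demo_reuse_key() {
  d=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/reused.key" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/fresh.key" 2>/dev/null
  for n in first second; do   # same key twice, as --reuse-key does on renewal
    openssl req -x509 -new -batch -key "$d/reused.key" -subj "/CN=demo.lazydane" -days 1 -out "$d/$n.pem" 2>/dev/null
  done
  openssl req -x509 -new -batch -key "$d/fresh.key" -subj "/CN=demo.lazydane" -days 1 -out "$d/rotated.pem" 2>/dev/null
  h1=$(tlsa_311_from_cert "$d/first.pem")
  h2=$(tlsa_311_from_cert "$d/second.pem")
  h3=$(tlsa_311_from_cert "$d/rotated.pem")
  rm -rf "$d"
  echo "$h1"
  [ "$h1" = "$h2" ] && [ "$h1" != "$h3" ]
}
demo_reuse_key >/dev/null && echo "reuse-key keeps the TLSA value stable across renewals"
```

Because the value only changes when the private key changes, a mismatch reported by check_tlsa after a renewal means the key was rotated (for example a run without --reuse-key) and the TLSA record must be updated.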