gentlsa's People

Contributors

bradkollmyer, ekollof

gentlsa's Issues

Cloudflare cleanup old records

It would be great if there was a cleanup option which removes all DANE records from Cloudflare before the new one is set.

If you use this as a Let's Encrypt hook, it generates a new DANE record for every new certificate.

As Let's Encrypt certificates are only valid for a maximum of 90 days, this results in 4 records per year which will never be cleared.

It's not a problem, as DANE takes all records into account and succeeds if one is valid, but you will end up with many records over time.

DANE rollover scheme?

Great tool! Happy user. Would be even greater if you'd add a rollover scheme to the Cloudflare integration.

Such a scheme will prove useful when there is a need to update your mail server certificate(s). It can prevent DANE from becoming invalid during the transition period, which could endanger mail deliverability at your domain. A rollover scheme could, but does not need to, be 'active' all the time.

We recommend applying one of the following two schemes with double DANE TLSA records:

1 - Current + Next ("3 1 1" + "3 1 1"): Publish two "DANE-EE(3) SPKI(1) SHA2-256(1)" records, one for the current and one for the next TLS certificate of your mail server.
2 - Current + Issuer CA ("3 1 1" + "2 1 1"): Publish a "DANE-EE(3) SPKI(1) SHA2-256(1)" record for the current TLS certificate of your mail server, and also a "DANE-TA(2) SPKI(1) SHA2-256(1)" record for the current root or intermediate certificate of the (not necessarily public) certificate authority.

I think you could pull it off using option 2, using current root or intermediate certs.
If I find the time I will look at the script and add this; shouldn't be too hard.

--hostname <shorthost> ?

What do you mean by shorthost here?
Most servers I know use a short name without dots in it (official Debian spec, for example).
I would assume DANE requires the FQDN, not the subdomain "mail" or "my" or something.
/etc/hostname is "mail" or "my" in my case; hostname -f gives the FQDN, for which the cert exists.

Also, for Cloudflare, you have < > brackets in your config example:
<cloudflare login (e-mail)>
Are they needed, or do they just indicate an entry?

socket.gaierror: [Errno -5] No address associated with hostname

Can't seem to resolve to itself. This is on a Debian 12 server with Python 3.11.2.
DNS is fully functional (I can ping and resolve everywhere, and localhost is 127.0.0.1 in /etc/hosts, etcetera), so I'm not able to solve this issue. Seems like a Python version issue.

Traceback (most recent call last):
  File "/root/gentlsa/gentlsa.py", line 276, in <module>
    sys.exit(main())
             ^^^^^^
  File "/root/gentlsa/gentlsa.py", line 221, in main
    certobj = getsmtpcert(connhost, port)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/gentlsa/gentlsa.py", line 52, in getsmtpcert
    serv = smtplib.SMTP(addr, port=port)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
                  ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 341, in connect
    self.sock = self._get_socket(host, port, self.timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 312, in _get_socket
    return socket.create_connection((host, port), timeout,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 827, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -5] No address associated with hostname
Traceback (most recent call last):
  File "/root/gentlsa/gentlsa.py", line 276, in <module>
    sys.exit(main())
             ^^^^^^
  File "/root/gentlsa/gentlsa.py", line 221, in main
    certobj = getsmtpcert(connhost, port)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/gentlsa/gentlsa.py", line 52, in getsmtpcert
    serv = smtplib.SMTP(addr, port=port)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
                  ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 341, in connect
    self.sock = self._get_socket(host, port, self.timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 312, in _get_socket
    return socket.create_connection((host, port), timeout,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 827, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -5] No address associated with hostname
Exception: Connection error: [Errno -5] No address associated with hostname
>>> Certificate Information:
Traceback (most recent call last):
  File "/root/gentlsa/gentlsa.py", line 276, in <module>
    sys.exit(main())
             ^^^^^^
  File "/root/gentlsa/gentlsa.py", line 222, in main
    printcertinfo(certobj, hostname, port, args['--info'])
  File "/root/gentlsa/gentlsa.py", line 96, in printcertinfo
    print(f"Serial : {certobj.get_serial_number():x}")
                      ^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_serial_number'

Any ideas? Am I missing a Python module? I installed all mentioned in the requirements file.

M2Crypto not working on Windows?

So I've tried this both on the latest and an older 2.7 release of Python, but both versions end up with M2Crypto not being able to work and therefore the tool not working.

I've tried using the command prompt, PowerShell, Git Bash, the Ubuntu terminal, pretty much any terminal I could run Python from, but all gave errors: a compatibility error, a copying error or something else.

As in the image below:

[screenshot: error]

Is there something I can do about this to actually make it work on Windows, or is this something that should be run on the server or a Linux machine?

In general, when I did get something running, I always got the following error:

[sandhi1q@www99 .dane]$ python gentlsa.py generate rafaeldejongh.com 443
  File "gentlsa.py", line 45
    print(f"Exception: Connection error: {ex}")
                                             ^
SyntaxError: invalid syntax

Thanks in advance for further information.

[Feature Request] Local mode?

Instead of letting gentlsa.py connect to every possible service/server to get the certificate hash, how about specifying a local path to the certificate? This makes sense if a certbot is running on the local machine (gentlsa.py is probably often used as a hook in conjunction with a certbot).

From a security point of view, it's good to avoid unnecessary network connections. Also, outbound network connections could be a possible reason for failure, in case the target/service cannot be reached for some reason.

Thank you :)
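The rollover issue above asks for a "3 1 1" record for the current certificate plus a "2 1 1" record for its issuer, and the local-mode issue asks to read the certificate from disk instead of connecting to the server. This added example (not gentlsa's own code) does both from a certbot-style fullchain.pem with a small stdlib DER walker; the function names, the walker and the sample certificates are constructed here and are assumptions, not the project's API.

```python
import base64
import hashlib

# Added example (not gentlsa's code): "3 1 1" / "2 1 1" TLSA records from a local
# certbot fullchain.pem via a minimal stdlib DER walker; no connection to the server.
def der_tlv(data, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def extract_spki(cert_der):  # raw DER of subjectPublicKeyInfo: what selector 1 hashes
    _, tbs_pos, _ = der_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = der_tlv(cert_der, tbs_pos)  # tbsCertificate SEQUENCE
    fields = []                                   # (tag, tlv_start, tlv_end) of each field
    while pos < tbs_end:
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    skip = 1 if fields[0][0] == 0xA0 else 0       # explicit [0] version is optional
    _, start, end = fields[skip + 5]              # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[start:end]
def pem_to_der_list(pem_text):  # every PEM block; fullchain.pem = server cert, then issuer
    blobs, body = [], []
    for line in pem_text.splitlines():
        if line.startswith("-----END"):
            blobs.append(base64.b64decode("".join(body)))
            body = []
        elif line and not line.startswith("-----"):
            body.append(line)
    return blobs
def tlsa_record(cert_der, usage):  # usage 3 = DANE-EE, 2 = DANE-TA; selector 1, matching 1
    return f"{usage} 1 1 {hashlib.sha256(extract_spki(cert_der)).hexdigest()}"
def rollover_records(fullchain_pem):  # scheme 2: current cert as 3 1 1, its issuer as 2 1 1
    chain = pem_to_der_list(fullchain_pem)
    return [tlsa_record(chain[0], 3)] + [tlsa_record(c, 2) for c in chain[1:2]]
def tlv(tag, payload):  # tiny DER encoder (short-form lengths) for the constructed sample
    return bytes([tag, len(payload)]) + payload
def fake_cert(key_byte, versioned):  # constructed certificate skeleton, not a real cert
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + tlv(0x03, b"\x00\x04" + bytes([key_byte]) * 64))
    version = tlv(0xA0, tlv(0x02, b"\x02")) if versioned else b""
    tbs = tlv(0x30, version + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), spki

SAMPLE_EE, SAMPLE_EE_SPKI = fake_cert(0x11, True)   # with explicit [0] version
SAMPLE_CA, SAMPLE_CA_SPKI = fake_cert(0x22, False)  # v1 layout, no version field
SAMPLE_FULLCHAIN = "".join(f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(c).decode()}\n"
                           f"-----END CERTIFICATE-----\n" for c in (SAMPLE_EE, SAMPLE_CA))
```

On a real host, `rollover_records(open("/etc/letsencrypt/live/<domain>/fullchain.pem").read())` yields the two records to publish; the walker only locates the SPKI and does no signature or validity checking.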
