Software managing certificate, dkim and domain updates automagically.
Crypto Domain Manager
Automate all your cryptographic needs!
- Zero downtime
- Automatic certificate renewal
- Spam protection
- Updated DNS records
Configure once and always stay up to date.
- Renew letsencrypt certicates
- Derive all kinds of data from the signature
- Ensure everything is secure
External Service APIs
- DKIM signatures:
- Reload systemd services:
Managed DNS Records
- TLSA - for DNS based authentication of named entities DANE
- DKIM - domain keys for email signatures and spam detection
- CAA - specify the CA
- DMARC, SPF, ADSP - configure secure DNS
No downtime strategy
Updating keys, certifcates and other needs 3 steps to prevent gaps in availabillity:
- Prepare: Create certificates, keys etc. and publish corresponding records to DNS.
- Rollover: Apply new certificates and keys, because now negative cache TTL on DNS is reached.
- Cleanup: Delete all no more needed stuff from disk and DNS.
Needed Plugins and Dependencies
- dnsuptools: to interface with DNS API -- updating DNS entries
- dehydrated: to get new certificate (included with cryptdomainmgr)
- rspamd: to create (and use) DKIM keys
These libraries are needed for pycurl used by dnsuptools for automatic ip retrieving:
apt install -y libcurl4-openssl-dev libssl-dev
This comman is used by dehydrated to communicate with letsencrypt for certificate renewal:
apt install -y curl
For DKIM we need rspamd:
apt install -y lsb-release wget # optional CODENAME=`lsb_release -c -s` wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add - echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list apt update apt install -y rspamd
Now install the cryptdomainmgr. This pulls all need dependencies.
python2 -m pip install cryptdomainmgr
Feel free to try python3, but inwx client doesn't support it.
python3 -m pip install cryptdomainmgr
We need help here!
For now please look at:
- German project description and tutorial: https://www.entroserv.de/offene-software/cryptdomainmgr
- Slides: https://github.com/TheTesla/cryptdomainmgr-talk
- Look at the configfiles examples
- Multiple Configfiles with priority allowed
- Specify content of config file content as argument
- improve documentation
- automated tests
- nsupdate for DNS updates
Long term goals:
- ARC key renewal
- WPIA integration
- DNSSEC key renewal
- TXT record (may collide with SPF and other TXT based records)
- multi server support for one domain: TLSA delete by timeout
- constrain minimum renewal/phase time interval
- validations - ensure signatures are used correctly
- run as service
- PowerDNS support
If you like the project feel free to give me a star. Please let us know if you use this project.
All kind of contributions are welcome.
Release history Release notifications
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
|Filename, size & hash SHA256 hash help||File type||Python version||Upload date|
|cryptdomainmgr-0.0.28-py3-none-any.whl (56.2 kB) Copy SHA256 hash SHA256||Wheel||py3|
|cryptdomainmgr-0.0.28.tar.gz (39.9 kB) Copy SHA256 hash SHA256||Source||None|