Software managing certificate, dkim and domain updates automagically.
Project description
Crypto Domain Manager
Automate all your cryptographic needs!
Goals
- Zero downtime
- Automatic certificate renewal
- Spam protection
- Updated DNS records
Configure once and always stay up to date.
Use cases
- Renew letsencrypt certicates
- Derive all kinds of data from the signature
- Ensure everything is secure
External Service APIs
- Domain Certificate: letsencrypt.org
- DNS Record Updates: inwx.de
Linux Services
- DKIM signatures:
- rspamd
- Reload systemd services:
- apache2
- postfix
- dovecot
- rspamd
- traefik in Docker
Managed DNS Records
- TLSA - for DNS based authentication of named entities DANE
- DKIM - domain keys for email signatures and spam detection
- CAA - specify the CA
- DMARC, SPF, ADSP - configure secure DNS
No downtime strategy
Updating keys, certifcates and other needs 3 steps to prevent gaps in availabillity:
- Prepare: Create certificates, keys etc. and publish corresponding records to DNS.
- Rollover: Apply new certificates and keys, because now negative cache TTL on DNS is reached.
- Cleanup: Delete all no more needed stuff from disk and DNS.
Needed Plugins and Dependencies
- dnsuptools: to interface with DNS API -- updating DNS entries
- dehydrated: to get new certificate (included with cryptdomainmgr)
- rspamd: to create (and use) DKIM keys
Installation
These libraries are needed for pycurl used by dnsuptools for automatic ip retrieving:
apt install -y libcurl4-openssl-dev libssl-dev
This comman is used by dehydrated to communicate with letsencrypt for certificate renewal:
apt install -y curl
For DKIM we need rspamd:
apt install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
apt update
apt install -y rspamd
Now install the cryptdomainmgr. This pulls all need dependencies.
python2 -m pip install cryptdomainmgr
Feel free to try python3, but inwx client doesn't support it.
python3 -m pip install cryptdomainmgr
Documentation
We need help here!
For now please look at:
- German project description and tutorial: https://www.entroserv.de/offene-software/cryptdomainmgr
- Slides: https://github.com/TheTesla/cryptdomainmgr-talk
- Look at the configfiles examples
hints:
- Multiple Configfiles with priority allowed
- Specify content of config file content as argument
Next goals
- improve documentation
- docker support
- website
- automated tests
- nsupdate for DNS updates
Long term goals:
- ARC key renewal
- WPIA integration
- DNSSEC key renewal
- TXT record (may collide with SPF and other TXT based records)
- multi server support for one domain: TLSA delete by timeout
- constrain minimum renewal/phase time interval
- validations - ensure signatures are used correctly
- run as service
- PowerDNS support
Contributions
If you like the project feel free to give me a star. Please let us know if you use this project.
All kind of contributions are welcome.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file cryptdomainmgr-0.2.4.post16.tar.gz.
File metadata
- Download URL: cryptdomainmgr-0.2.4.post16.tar.gz
- Upload date:
- Size: 62.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/4.5.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.8.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f4079a226faa8802f71ed370bc33eeb47f1b09d3b3e0b7447a8b9815891ea02a
|
|
| MD5 |
57bda8c776993ec91485dcc2db8c6654
|
|
| BLAKE2b-256 |
bf2d70e88dd45aee8730a5fabd3a456f3c1b1b5bf16570145f7da099935204e4
|
