Crypto Domain Manager
Automate all your cryptographic needs!
- Zero downtime
- Automatic certificate renewal
- Spam protection
- Updated DNS records
Configure once and always stay up to date.
- Renew letsencrypt certicates
- Derive all kinds of data from the signature
- Ensure everything is secure
External Service APIs
- DKIM signatures:
- Reload systemd services:
Managed DNS Records
- TLSA - for DNS based authentication of named entities DANE
- DKIM - domain keys for email signatures and spam detection
- CAA - specify the CA
- DMARC, SPF, ADSP - configure secure DNS
No downtime strategy
Updating keys, certifcates and other needs 3 steps to prevent gaps in availabillity:
- Prepare: Create certificates, keys etc. and publish corresponding records to DNS.
- Rollover: Apply new certificates and keys, because now negative cache TTL on DNS is reached.
- Cleanup: Delete all no more needed stuff from disk and DNS.
Needed Plugins and Dependencies
- dnsuptools: to interface with DNS API -- updating DNS entries
- dehydrated: to get new certificate (included with cryptdomainmgr)
- rspamd: to create (and use) DKIM keys
These libraries are needed for pycurl used by dnsuptools for automatic ip retrieving:
apt install -y libcurl4-openssl-dev libssl-dev
This comman is used by dehydrated to communicate with letsencrypt for certificate renewal:
apt install -y curl
For DKIM we need rspamd:
apt install -y lsb-release wget # optional CODENAME=`lsb_release -c -s` wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add - echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list apt update apt install -y rspamd
Now install the cryptdomainmgr. This pulls all need dependencies.
python2 -m pip install cryptdomainmgr
Feel free to try python3, but inwx client doesn't support it.
python3 -m pip install cryptdomainmgr
We need help here!
For now please look at:
- German project description and tutorial: https://www.entroserv.de/offene-software/cryptdomainmgr
- Slides: https://github.com/TheTesla/cryptdomainmgr-talk
- Look at the configfiles examples
- Multiple Configfiles with priority allowed
- Specify content of config file content as argument
- improve documentation
- automated tests
- nsupdate for DNS updates
Long term goals:
- ARC key renewal
- WPIA integration
- DNSSEC key renewal
- TXT record (may collide with SPF and other TXT based records)
- multi server support for one domain: TLSA delete by timeout
- constrain minimum renewal/phase time interval
- validations - ensure signatures are used correctly
- run as service
- PowerDNS support
If you like the project feel free to give me a star. Please let us know if you use this project.
All kind of contributions are welcome.