- GoTLSAFlare
- Description
- Generate Cloudflare API Token
- Installation via Homebrew (MacOS/Linux - x86_64/arm64)
- Download and Run Binary
- Build and Run Binary
- Example Usage
- Practical Usage
- Create TLSA Record, DANE-EE (3 1 1) and DANE-TA (2 0 1)
- Create TLSA Record, DANE-TA (2 0 1) only
- Create TLSA Record, DANE-EE (3 1 1) only (default)
- Create TLSA Record with SHA2-512 matching type
- Create TLSA Record with SHA2-512 matching type for both DANE-EE and DANE-TA
- LetsEncrypt Certbot renewal hook
- LetsEncrypt Certbot renewal hook with rolling update
- Random Notes
## Description

Go binary for creating and updating TLSA (DANE) records on Cloudflare from an X.509 certificate.
## Generate Cloudflare API Token

The tool authenticates with a Cloudflare API token read from the `TOKEN` environment variable. Scope it to the one zone it needs:

- Visit https://dash.cloudflare.com/profile/api-tokens
- Create Token
- Use the "Edit Zone DNS" template
- Under "Zone Resources" choose Include > Specific Zone > example.com
## Installation via Homebrew (MacOS/Linux - x86_64/arm64)

```bash
brew install stenstromen/tap/gotlsaflare
```
## Download and Run Binary

- For MacOS and Linux: check out and download the latest binary from the Releases page
- For Windows: build the binary yourself (see below)
## Build and Run Binary

```bash
go build
./gotlsaflare
```
## Example Usage

```bash
# Set Cloudflare API TOKEN (read from the TOKEN environment variable)
export TOKEN="<Cloudflare API TOKEN>"
# Create TLSA Record, DANE-EE (3 1 1)
./gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem
# Update TLSA Record, DANE-EE (3 1 1)
./gotlsaflare update --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem
# Create TLSA Record, DANE-TA (2 0 1) only (needs the full chain: the TA hash is taken from the issuing CA certificate)
./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --no-dane-ee --cert path/to/fullchain.pem
# Create TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1)
./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem
# Create TLSA Record, DANE-EE (3 1 1) only (default)
./gotlsaflare create --url example.com --subdomain email --tcp25 --no-dane-ta --cert path/to/certificate.pem
# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1)
./gotlsaflare update --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem
# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1), with rolling update
# (the old record is kept for TTL seconds alongside the new one, then deleted)
./gotlsaflare update --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --rollover
# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1), with a custom TCP port instead of --tcp25
./gotlsaflare update --url example.com --subdomain www --tcp-port 443 --dane-ta --cert path/to/fullchain.pem
# Create TLSA Record with explicit selector (overrides the defaults; 0 = full certificate, 1 = SubjectPublicKeyInfo)
./gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem --selector 0
# Create TLSA Record with explicit selector for both DANE-EE and DANE-TA (overrides the defaults)
./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --selector 0
# Create TLSA Record with SHA2-512 matching type (default is SHA2-256, matching type 1)
./gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem --matching-type 2
# Create TLSA Record with SHA2-512 matching type for both DANE-EE and DANE-TA
./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --matching-type 2
```
```text
Usage of ./gotlsaflare
Go binary for updating TLSA DANE record on Cloudflare from x509 Certificate.

Usage:
  gotlsaflare [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  create      Create TLSA DNS Record
  help        Help about any command
  update      Update TLSA DNS Record

Flags:
  -h, --help   help for gotlsaflare

Use "gotlsaflare [command] --help" for more information about a command.
```
## Practical Usage

### Create TLSA Record, DANE-EE (3 1 1) and DANE-TA (2 0 1)

DANE-TA (2 0 1) hashes a trust-anchor certificate from the chain (normally the issuing intermediate), so `--dane-ta` needs the full chain rather than the leaf certificate alone:

```bash
export TOKEN="<Cloudflare API TOKEN>"
gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem
```
### Create TLSA Record, DANE-TA (2 0 1) only

```bash
export TOKEN="<Cloudflare API TOKEN>"
gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --no-dane-ee --cert path/to/fullchain.pem
```
### Create TLSA Record, DANE-EE (3 1 1) only (default)

```bash
export TOKEN="<Cloudflare API TOKEN>"
gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem
```
### Create TLSA Record with SHA2-512 matching type

```bash
export TOKEN="<Cloudflare API TOKEN>"
gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem --matching-type 2
```
### Create TLSA Record with SHA2-512 matching type for both DANE-EE and DANE-TA

```bash
export TOKEN="<Cloudflare API TOKEN>"
gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --matching-type 2
```
### LetsEncrypt Certbot renewal hook

```bash
# Write the post-renewal hook. Certbot runs every executable in this directory after a renewal
# attempt, so it is picked up on the next run; /etc/letsencrypt/renewal-hooks/deploy/ is the
# alternative that runs only when a certificate was actually renewed.
cat > /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh <<'EOF'
#!/bin/sh
set -e
# Update TLSA Record, DANE-EE (3 1 1)
TOKEN='Cloudflare API TOKEN' gotlsaflare update --url example.com --subdomain email --tcp25 --cert path/to/fullchain.pem
# Restart Postfix so it serves the renewed certificate
systemctl restart postfix.service
EOF
# The hook embeds the API token: executable by root only, not world-readable
chmod 700 /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh
# Optional: run a renewal attempt now (certbot.service is a oneshot "certbot renew")
systemctl restart certbot.service
```
### LetsEncrypt Certbot renewal hook with rolling update

```bash
# Same hook with --rollover: the new record is published next to the old one, which is kept
# for TTL seconds and then deleted, so resolvers still holding the old record keep validating.
# Postfix must only switch to the new certificate after that TTL has passed (RFC 7671 section 8
# rollover order); if gotlsaflare returns before the old record is deleted, sleep for the TTL
# before the restart. With DANE-EE (3 1 1) and "certbot --reuse-key" the SPKI hash never
# changes across renewals, so no rollover is needed at all.
cat > /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh <<'EOF'
#!/bin/sh
set -e
# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1), with rolling update
TOKEN='Cloudflare API TOKEN' gotlsaflare update --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --rollover
systemctl restart postfix.service
EOF
chmod 700 /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh
systemctl restart certbot.service
```
## Random Notes

Manual check of the value GoTLSAFlare publishes. `openssl x509` reads only the first certificate in the bundle (the leaf), so this is the DANE-EE (3 1 1) SPKI digest. `openssl pkey` is used rather than `openssl rsa`: the latter fails on EC keys, and with its stderr discarded `sha256sum` would quietly hash empty input.

```bash
# SHA2-256 SPKI digest (matching type 1)
openssl x509 -noout -pubkey -in fullchain.pem | openssl pkey -pubin -outform DER | sha256sum
# SHA2-512 SPKI digest (matching type 2)
openssl x509 -noout -pubkey -in fullchain.pem | openssl pkey -pubin -outform DER | sha512sum
```
Cloudflare DNS record endpoint and the request body for a DANE-EE (3 1 1) record. The TLSA fields go in `data`; `certificate` is the lowercase hex digest from the commands above (`SHA256SUM` is a placeholder):

```text
https://api.cloudflare.com/client/v4/zones/:identifier/dns_records
```

```json
{
  "type": "TLSA",
  "name": "_25._tcp.test",
  "data": {
    "usage": 3,
    "selector": 1,
    "matching_type": 1,
    "certificate": "SHA256SUM"
  },
  "ttl": 3600,
  "priority": 10,
  "proxied": false,
  "comment": "This is a comment"
}
```
Example with SHA2-512 (matching type 2; `SHA512SUM` stands for the 128-character hex digest):

```json
{
  "type": "TLSA",
  "name": "_25._tcp.test",
  "data": {
    "usage": 3,
    "selector": 1,
    "matching_type": 2,
    "certificate": "SHA512SUM"
  },
  "ttl": 3600,
  "priority": 10,
  "proxied": false,
  "comment": "This is a comment"
}
```
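The Go program below is an added example, not GoTLSAFlare's own code and not taken from the Cloudflare API documentation. It does offline what the openssl commands and the JSON payload above describe: parse the leaf certificate of a PEM bundle, compute the TLSA association data for any selector (0 = full DER certificate, 1 = SubjectPublicKeyInfo) and matching type (1 = SHA-256, 2 = SHA-512), and assemble the record body. The function names (`parseLeaf`, `associationData`, `buildRecord`, `must`) and the throwaway self-signed P-256 certificate it generates as input are this example's own assumptions; a real run would read fullchain.pem from disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSAData is the "data" object of a Cloudflare TLSA record; TLSARecord is the POST body.
type TLSAData struct {
	Usage        int    `json:"usage"`
	Selector     int    `json:"selector"`
	MatchingType int    `json:"matching_type"`
	Certificate  string `json:"certificate"`
}

type TLSARecord struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Data    TLSAData `json:"data"`
	TTL     int      `json:"ttl"`
	Proxied bool     `json:"proxied"` // always false: TLSA records cannot be proxied
}

// parseLeaf returns the first certificate of a PEM bundle (the leaf in a Certbot fullchain.pem).
func parseLeaf(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// associationData computes the TLSA certificate association field (RFC 6698 section 2.1):
// selector 0 hashes the DER certificate, selector 1 the DER SubjectPublicKeyInfo;
// matching type 1 is SHA-256, 2 is SHA-512. Works for EC as well as RSA keys.
func associationData(cert *x509.Certificate, selector, matchingType int) (string, error) {
	var input []byte
	switch selector {
	case 0:
		input = cert.Raw
	case 1:
		input = cert.RawSubjectPublicKeyInfo
	default:
		return "", fmt.Errorf("unsupported selector %d", selector)
	}
	switch matchingType {
	case 1:
		sum := sha256.Sum256(input)
		return hex.EncodeToString(sum[:]), nil
	case 2:
		sum := sha512.Sum512(input)
		return hex.EncodeToString(sum[:]), nil
	}
	return "", fmt.Errorf("unsupported matching type %d", matchingType)
}

// buildRecord assembles the Cloudflare payload for _<port>._tcp.<subdomain>.
func buildRecord(cert *x509.Certificate, subdomain string, port, usage, selector, matchingType, ttl int) (TLSARecord, error) {
	assoc, err := associationData(cert, selector, matchingType)
	if err != nil {
		return TLSARecord{}, err
	}
	data := TLSAData{Usage: usage, Selector: selector, MatchingType: matchingType, Certificate: assoc}
	return TLSARecord{Type: "TLSA", Name: fmt.Sprintf("_%d._tcp.%s", port, subdomain), Data: data, TTL: ttl}, nil
}

// must panics on error; used only for the constructed input and for printing in main.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedPEM generates a throwaway P-256 certificate (constructed input so the example runs
// offline); in practice read fullchain.pem from disk instead.
func selfSignedPEM() []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "email.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	leaf := must(parseLeaf(selfSignedPEM()))
	rec := must(buildRecord(leaf, "email", 25, 3, 1, 1, 3600)) // DANE-EE 3 1 1 for _25._tcp.email
	out := must(json.MarshalIndent(rec, "", "  "))
	fmt.Println(string(out))
}
```

Run it with `go run .`; `associationData(leaf, 1, 1)` yields the same digest as the `openssl pkey ... | sha256sum` pipeline, and passing the issuing CA certificate with selector 0 gives the DANE-TA (2 0 1) value. Keeping the hashing separate from the API call is what makes the value easy to compare against `dig TLSA _25._tcp.email.example.com` before trusting a deployment.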